admin-plugins author calendar category facebook post rss search twitter star star-half star-empty

Tidy Repo

The best & most reliable WordPress plugins

The Best Way to Get Rid of WordPress Spam Link Injections

The Best Way to Get Rid of WordPress Spam Link Injections

Vallery Henings

October 29, 2020


Any successful online business owner knows what a huge role a good SEO ranking plays in growing a business. It can take months or years of sustained SEO practice to be among the top-ranked pages on Google. Now imagine, after all that effort, a hacker decides to exploit your highly ranked web pages to promote another website. This is referred to as a Spam Link Injection – also known as SEO spam or spamdexing.

Having such malware on your website can cause Google and other search engines to blacklist your website. As you can imagine, this really hits your website where it hurts most – your SEO ranking takes a hit, you lose traffic and revenues, and ultimately your customers’ trust.

Thankfully, there are ways for you to fix and prevent this threat to your website. In this article, we take a detailed look at spam link injections, and ways to fix this problem. Let’s get started.

What are Spam Link Injections

Hacker in dark room

In simple terms, spam link injections refer to the method where hackers take advantage of your top-ranked SEO pages to redirect visitors to their sites. Through this, they try to improve their website ranking on any search engine ranking page.

How do hackers deploy spam link injections on your website? In multiple ways, including by:

  • Adding their website URLs on your high-ranked pages, or sometimes into your WP database tables. On most occasions, these URLs are of illegitimate websites that market fake pharma products — for example, or
  • Adding spam keywords like “Viagra online” or “cheap Gucci bags” directly on your popular web pages. This way, when any user searches for these keywords, your site will be ranked on the SERP.
  • Launching phishing attacks on your customers by sending spam emails to their email addresses. Hackers gain illegal access to your database to retrieve all your customer information.
  • Displaying unauthorized ads or banners of their products or services on your webpage.
  • Adding hundreds, or even thousands of new webpages to your website or changing content to a different language(famously known as the Japanese Keyword Hack).

Effectively, this means that hackers use spam link injections to undermine any SEO advantage you may have with your website. What is more challenging is that smart hackers can often hide these injections from detection for long periods of time.

Spam Link Injections – 3 Common Signs

If you are still not sure if your website has been infected with spam link injections, check for these three signs:

  1. Google blacklists your website

It may sound surprising but Google often detects a hacked site much before the site owner does and blacklists it to protect its users from accessing it. Check if you have received any notification email from Google about the blacklisting of your website.

Another way is to search for your website on the Google search engine where it may put up a “hacked” warning next to your website on the results page.

Hacked search result

  1. Your web host suspends your website

Besides Google, your website would be suspended by your web host and you may receive a notification email from them regarding the suspension.

  1. Your website may be receiving traffic for the wrong search keywords

As mentioned in the previous section, your website may have incoming traffic originating from wrong or spam keywords like “buy Viagra online.” Using your search console or a tool like Google Analytics, you can quickly determine the keywords generating most of your traffic.

How to Fix SEO Spam Link Injections with a Security Plugin

The best way of confirming if your website has been infected is by scanning your site using a security plugin. Security plugins are highly effective in detecting the most deeply hidden spam link injections on your website and getting rid of them.

We suggest you check your site for these injections using the MalCare security plugin. It is among the popular security plugins on the market and uses over 100 intelligent signals to automatically detect any malicious code, hidden links, and suspicious code in your WordPress installation and your database tables.


All you need to do is:

  • First, sign up with MalCare using your email address and then log in to your MalCare dashboard using your login credentials.
  • Specify the website URL – that needs to be scanned – and install the MalCare tool.

MalCare takes over from here. Once installed, it automatically starts scanning for any malware on your website. Here is a sample screen that informs if your website has been hacked.

MalCare notice

  • To get rid of the spam link injections, all you need to do next is click “Auto-Clean” while the plugin cleans out all the spam links and injections from your files and database.

Security plugins like MalCare make it easy for you to schedule daily and on-demand instant scans so you never lose time in dealing with an infection. The automated malware removal makes sure you can clean your site even if you’re not an advanced user.  They also provide additional protection from bad traffic. For instance, MalCare has an inbuilt firewall that helps prevent future attacks.

Malcare firewall

However, if you’d prefer to scan and clean your site yourself, you can opt for the manual method of removing spam link injections outlined in the next section.

How to Fix SEO Spam Link Injections Manually

If you’re an advanced tech user with prior WordPress know-how and familiarity with FTP and database tools such as FileZilla and phpMyAdmin, you can scan and clean your website manually. While this method is cost-effective, it needs an investment of both time and effort.

We recommend this method only if you understand WordPress and how its backend files work.

Here are the steps you need to execute to perform manual scanning and cleanup:

1. Check and remove spam link injections from your WP installation. To do this:

  • Access the cPanel tool in your hosting account.
  • Open your File Manager and access the “public_html” folder that contains all your installation files. If you have installed your WordPress on any other location, then open that specific folder.
  • You can now view three important folders from your installation folder: wp-admin, wp-content, and wp-includes. Hackers target these three folders to insert malicious spam links into your website.
  • Using cPanel, manually search for spam links in each of these folders – and delete them wherever you find one. In most cases, you will find the same spam links across all your web pages – so that makes your task easier.

cPanel file manager

Once you have completed the manual scanning of all these three installation folders, you are good to go to the next step.

2. Check and remove spam link injections from your database. To do this:

  • Go to your host account, access your cPanel, and then open the phpMyAdmin tool.
  • Use the phpMyAdmin tool to select your database and then export all your database tables to an SQL file format (as shown below).

Exporting tables

  • Once you have downloaded your database file on your computer, perform a manual search for any spam link injections. To do that, open the file with any text editing tool and then search for any malicious spam code in PHP functions like base64_decode, shell_exec, eval, and gzinflate.
  • Delete any of these malicious codes – when you find them in these functions.
  • After cleaning the database file, you can then import it to your database using the phpMyAdmin tool.

This manual method of detecting and removing spam link injections has its share of risks. For instance, you could accidentally add any non-malicious code from these PHP functions that could break your site. We don’t recommend using this method unless you consider yourself an advanced WordPress user.


We hope this article helps you clean your site of spam link injections and restore it to normalcy. However, it’s important to remember that website security cannot remain an afterthought. It needs to be a part of your website maintenance.

For starters, make sure that you take regular backups of your website and database files, and keep your website updated.

We highly recommend investing in a security plugin for the safety, security, and peace of mind it can provide. In fact, most security plugins like MalCare come with WordPress hardening security measures and in-built firewalls security that can block hackers from even accessing your site.

We hope this article was helpful in helping you improve your website’s security posture. If you’re looking for more WordPress support, check out the rest of the articles on the website for some helpful tips, resources, and reviews.