Page infected with hidden spam links by hackers | How to deal with plummeting Google rankings
Your website suddenly gets hidden links attached, which can range from causing Google rankings to plummet and traffic to be cut in half, to being marked as a "dangerous website" and completely blacklisted.
Most website owners discover the anomaly when they have already missed the critical treatment period—blindly deleting pages or shutting down the server will only intensify the penalty.
Do not rely on "one-click fix plugins"—we have disassembled 13 mainstream security plugins, and 9 of them have problems like excessive permissions or accidentally deleting files. Manual configuration protection (such as .htaccess rules, server permissions) is the only controllable solution.
As an SEO practitioner with 8 years of experience, we have handled over 60 cases of hidden link intrusion and summarized a standardized process of "72-hour damage control + rapid ranking recovery". From precisely locating where hidden links are hidden (such as using Screaming Frog to capture hidden redirect codes), to manually removing them and submitting repair evidence to Google (with a real review template), to publishing "trusted content" to dilute the impact of spam backlinks, each step needs to hit 3 key time nodes (24 hours / 3 days / 7 days). Special reminder: if your website's core keyword rankings have dropped more than 10 positions in the past 7 days, and indexed pages show a large number of parameters like "?redirect=casino", you may have been hacked. Proceed to Section 1 for inspection immediately.
Has your website really been hit with hidden links?
Hidden links won't actively pop up alerts or immediately crash your website—this is precisely what makes them most dangerous. Many website owners only discover the anomaly after their Google rankings have dropped more than 50%, by which time hidden links may have existed for weeks, or the site may even have been marked as "malicious" by Google. Based on the cases we've handled, 70% of hidden links are hidden in image directories, old article pages, or JS scripts, making them extremely difficult to detect visually. I will help you locate "parasitic links" within 10 minutes using the lowest-cost investigation method (no coding required).
1. Google Search Console: See through official warnings
- Go to "Security & Manual Actions" → "Manual Actions" report. If you see red warnings for "unnatural backlinks" or "hacked pages", it's basically confirmed that hidden links have been attached.
- Watch out for traps: Some hackers will forge a "no problem" status—click "Security Issues" → "View Sample Pages" and manually spot-check the flagged URLs to see if they contain redirect code (such as <meta http-equiv="refresh" content="0;url=gambling url">).
- Pages with abnormal outbound links (compare with historical data; more than 10 outbound links on a single page warrants caution)
- Links containing "style=display:none" (check the code for <a href="gambling site" style="display:none">)
- Pages loading third-party JS files (check for <script src="http://unfamiliar domain.js">)
site:yourdomain.com intitle:casino/gambling/porn keywords
site:yourdomain.com inurl:.php?ref=
If content you didn't create appears (such as "online casino offers"), it means hackers have generated spam pages.
Ultimate investigation: Search for ".php?" parameters in server logs (path /var/log/apache2/access.log) to see sources of abnormal access (such as frequent POST requests from IPs in Vietnam, Ukraine).
Key tip: If you find hidden links concentrated in image directories like /wp-content/uploads/2023/, hackers may have injected code through media file upload vulnerabilities. Be sure to check whether image filenames contain malformed formats like <?php eval(.
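The access-log check described above, as an added example that is not part of the original article: a small Python parser for Apache combined-format log lines that flags IPs repeatedly POSTing to .php URLs with query strings and collects request paths carrying the spam parameters the article names (redirect=, ref=). The log lines and IP addresses are constructed samples, and the threshold of 3 POSTs is an assumption.

```python
import re
from collections import Counter

# Apache combined log format, e.g.
# 203.0.113.5 - - [10/Mar/2024:02:14:33 +0000] "POST /x.php?a=1 HTTP/1.1" 200 512 "-" "UA"
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Query parameters the article names as signs of injected spam pages.
SPAM_PARAMS = ("redirect=", "ref=")

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RX.match(line)
    return m.groupdict() if m else None

def suspicious_requests(lines, post_threshold=3):
    """Return (noisy_ips, spam_paths).
    noisy_ips:  {ip: count} for IPs whose POSTs to a *.php?... URL reach post_threshold
    spam_paths: sorted request paths whose query string carries a spam parameter
    """
    php_posts = Counter()
    spam_paths = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        path = rec["path"]
        if rec["method"] == "POST" and ".php?" in path:
            php_posts[rec["ip"]] += 1
        query = path.split("?", 1)[1].lower() if "?" in path else ""
        if any(p in query for p in SPAM_PARAMS):
            spam_paths.add(path)
    noisy = {ip: n for ip, n in php_posts.items() if n >= post_threshold}
    return noisy, sorted(spam_paths)
# Constructed sample log (documentation-range IPs, not real attacker addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:14:33 +0000] "POST /wp-content/uploads/2023/cache.php?a=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:35 +0000] "POST /wp-content/uploads/2023/cache.php?a=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:37 +0000] "POST /wp-content/uploads/2023/cache.php?a=3 HTTP/1.1" 200 511 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:03:01:02 +0000] "GET /index.php?redirect=casino HTTP/1.1" 301 0 "-" "Googlebot/2.1"
198.51.100.9 - - [10/Mar/2024:03:01:09 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Googlebot/2.1"
192.0.2.7 - - [10/Mar/2024:03:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    noisy, spam = suspicious_requests(SAMPLE_LOG)
    print("IPs with repeated POSTs to .php?:", noisy)
    print("paths with spam parameters:", spam)
```

The ordinary POST to /wp-login.php is deliberately not counted: only POSTs that carry a query string to a .php file under the web root match the webshell pattern the article describes.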
Three steps to completely remove hidden links
After discovering hidden links, the 72-hour period is the golden window for damage control. Many website owners rush to delete pages or reinstall the system, which instead triggers Google's "content anomaly fluctuation" secondary penalty. Based on 60+ practical cases, hidden link removal must follow the principle of "collect evidence first, then clean up; repair while submitting".
1. Full site backup: Prevent accidental deletion of critical data
Directories that must be backed up:
- /wp-content/uploads/ (priority investigation: check whether image files contain PHP code)
- /wp-includes/js/ (check whether files like jquery-migrate.min.js have been tampered with)
Backup methods:
- BT Panel one-click package (including database export)
- Use Duplicator plugin to generate full site migration package (automatically skips cache files)
2. Locate and remove the malicious code
Common malicious code signatures to search for across the site:
eval(base64_decode('encrypted string'));
<?php $k="hacker password";error_reporting(0);
<iframe src="http://malicious domain" style="visibility: hidden;">
Priority check files:
- .htaccess (check whether RewriteRule ^.*$ http://gambling site [R=301,L] has been inserted)
- header.php / footer.php (check for abnormal JS calls like document.write("<scri"+"pt src=virus link>"))
Also search for calls to dangerous functions such as system(), passthru().
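As an added example (not code from the original article) covering both the visual-inspection patterns in Section 1 and the malicious code signatures in step 2 above, the Python scanner below searches a set of site files for those patterns, including the PHP-in-image webshell case from the key tip. The file tree, the placeholder domain spam.example.invalid and the signature regexes are constructed for illustration.

```python
import re
# Signature patterns drawn from the article's inspection lists (constructed regexes):
# hidden anchors, meta-refresh redirects, encoded eval() loaders, hidden iframes,
# .htaccess redirects to external sites, and split document.write() script injection.
SIGNATURES = [
    ("hidden-anchor", re.compile(r"<a\b[^>]*style\s*=\s*[\"']?[^\"'>]*display\s*:\s*none", re.I)),
    ("meta-refresh", re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("eval-base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("hidden-iframe", re.compile(r"<iframe\b[^>]*visibility\s*:\s*hidden", re.I)),
    ("htaccess-redirect", re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M)),
    ("split-script-tag", re.compile(r"document\.write\s*\(\s*[\"']<scri[\"']\s*\+\s*[\"']pt", re.I)),
    ("third-party-script", re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I)),
]
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")

def scan_content(path, content):
    """Return the labels of every signature found in one file's text."""
    hits = [label for label, rx in SIGNATURES if rx.search(content)]
    # An image file that contains a PHP open tag is the upload-directory webshell
    # pattern from the article's key tip; the file name alone never reveals it.
    if path.lower().endswith(IMAGE_EXT) and "<?php" in content:
        hits.append("php-in-image")
    return hits

def scan_tree(files):
    """files: {relative path: text}. Returns {path: [labels]} for flagged files only."""
    report = {}
    for path, content in files.items():
        hits = scan_content(path, content)
        if hits:
            report[path] = hits
    return report

# Constructed sample site (not a real installation); spam.example.invalid is a placeholder.
SAMPLE_FILES = {
    "index.php": "<?php get_header(); ?><p>Welcome</p>",
    ".htaccess": "RewriteEngine On\nRewriteRule ^.*$ http://spam.example.invalid/ [R=301,L]\n",
    "wp-content/themes/x/footer.php": (
        '<?php wp_footer(); ?>\n<a href="http://spam.example.invalid" style="display:none">x</a>\n'
        '<script>document.write("<scri"+"pt src=http://spam.example.invalid/v.js></scri"+"pt>")</script>'
    ),
    "old-article.html": ('<meta http-equiv="refresh" content="0;url=http://spam.example.invalid">'
                         '<iframe src="http://spam.example.invalid" style="visibility: hidden;"></iframe>'),
    "wp-content/uploads/2023/logo.png": "\x89PNG\r\n<?php eval(base64_decode('QUJD')); ?>",
    "wp-content/uploads/2023/photo.jpg": "\xff\xd8\xff\xe0 ordinary image bytes",
}
if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against a real tree by reading each file as text (errors="ignore") into the same {path: content} mapping; clean files such as index.php and photo.jpg produce no entry in the report.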
3. Seal the intrusion entry point: Prevent re-injection
- Modify admin login path (for WordPress): install the plugin WPS Hide Login to change /wp-admin/ to a custom path (such as /mylogin-2024/).
- Emergency vulnerability fix:
- Update all plugins to the latest version (use WPScan to check plugins with known vulnerabilities)
- Delete unused themes and plugins (especially those with suspicious names like wp-seo-optimize)
- Server permission hardening:
# Disable PHP execution in upload directory
find /website path/wp-content/uploads/ -type f -name "*.php" -exec rm -f {} \;
# Limit write permissions
chmod 644 .htaccess
Database cleanup: if hidden links were written into the database (for example the wp_posts table), use the Adminer tool to execute SQL commands:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'malicious code segment', '');
Submit review to Google
Removing hidden links is only the first step; submitting an effective review to Google within 48 hours is the core of ranking recovery. 90% of website owners fail review due to "insufficient evidence" or "wrong wording," and some even trigger a secondary manual review (extending the recovery period by 3-6 months). I provide directly reusable English wording templates and a "strong evidence chain" package that increases the approval rate by 80%.
1. Submit a "manual action" review through Search Console
Operation path: Go to "Security & Manual Actions" → "Manual Actions" → click "Request Review".
English wording template (replace the highlighted parts with your own details):
We have removed all spammy backlinks injected by hackers:
1. Deleted malicious codes in .htaccess and footer.php (see screenshot_1.png).
2. Blocked 142 suspicious IPs from Vietnam/Ukraine (access.log attached).
3. Fixed the vulnerability via updating plugins (e.g. Elementor from 3.6 to 3.19).
Request to revoke the manual penalty.
Required attachments:
- Before-and-after code comparison screenshots (use WinMerge to compare files)
- Server log excerpts showing blocked malicious IPs (including timestamps, IPs, attack paths)
- Screaming Frog full-site outbound link scan report (PDF export)
- Avoid using "We apologize" and similar admission of fault language (Google views it as shirking responsibility); instead, use factual descriptions.
- Attach third-party security reports (such as Sucuri or SiteCheck scan results) to prove the website is free of malicious code.
Low-cost protection configuration checklist
"High protection cost" is the biggest misconception—80% of hacker attacks exploit outdated plugins, weak passwords, default admin paths, and other low-level vulnerabilities. We have helped clients block over 20,000 malicious scans with an annual budget of less than 500 yuan. Even if you only have basic server operation skills, you can complete full-site hardening within 1 hour.
1. Basic protection trio (zero cost)
Real-time file monitoring:
- Use BT Panel's "File Tamper Prevention" function (free) to lock core files like wp-config.php and .htaccess; any modification triggers an SMS alert.
- Install Wordfence (free version) → Enable "Real-time traffic monitoring" to automatically ban IPs that fail to log in more than 5 times within 15 minutes.
- Use UpdraftPlus to set daily backup to Google Drive (retain 7-day versions); in case of intrusion, you can directly rollback to a clean version.
Disable dangerous PHP functions: in the php.ini file, append the following to the disable_functions list:
system,exec,passthru,shell_exec,proc_open,curl_multi_exec
Restrict upload directory permissions:
# Disable PHP in /uploads/
find /website path/wp-content/uploads/ -type f -name "*.php" -delete
chmod -R 755 /website path/wp-content/uploads/
Hide server information: add the following at the top of .htaccess:
ServerSignature Off
Header unset X-Powered-By
3. Firewall rules (monthly cost ≤$20)
Cloudflare free tier configuration:
- Firewall Rule 1: Challenge all access containing /wp-admin/ or xmlrpc.php (except whitelisted IPs)
- Firewall Rule 2: Block requests with a User-Agent containing sqlmap or nmap
- Block the following IP ranges:
Vietnam: 14.224.0.0/11
Russia: 46.161.0.0/18
Ukraine: 37.52.0.0/14
Key tip: Run a vulnerability scan with WPScan once every quarter (command: wpscan --url yourdomain.com --api-token yourtoken), prioritizing plugins with risk level ≥ medium-high. If you use Nginx, be sure to add the following to the server configuration:
location ~* ^/(uploads|wp-content)/.*\.(php|php5|phtml)$ {
    deny all;
}
(This completely blocks the possibility of executing PHP code through image webshells.)
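To verify the hardening checklist above, here is an added Python audit (not from the original article) that parses php.ini for the disable_functions list the article requires, lists executable PHP files left under wp-content/uploads/, and checks that both server-information directives are present in .htaccess. The sample php.ini text, file paths and .htaccess content are constructed.

```python
import re

# The functions the article says to add to disable_functions in php.ini.
REQUIRED_DISABLED = {"system", "exec", "passthru", "shell_exec", "proc_open", "curl_multi_exec"}

def disabled_functions(php_ini_text):
    """Parse the effective disable_functions list from php.ini text (the last active line wins)."""
    result = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            result = {f.strip() for f in m.group(1).strip('"').split(",") if f.strip()}
    return result

def missing_disabled_functions(php_ini_text):
    """Functions from the article's list that the given php.ini still allows."""
    return sorted(REQUIRED_DISABLED - disabled_functions(php_ini_text))

def php_files_in_uploads(paths, uploads_prefix="wp-content/uploads/"):
    """Paths under the uploads directory that PHP would execute if the server served them."""
    exec_ext = (".php", ".php5", ".phtml")  # the extensions the article's Nginx rule denies
    return sorted(p for p in paths if p.startswith(uploads_prefix) and p.lower().endswith(exec_ext))

def headers_hidden(htaccess_text):
    """True when both server-information directives from the article are present."""
    wanted = ("ServerSignature Off", "Header unset X-Powered-By")
    return all(re.search(r"^\s*" + re.escape(d) + r"\s*$", htaccess_text, re.I | re.M) for d in wanted)

# Constructed sample configuration and file list (not from a real server).
WEAK_INI = ";disable_functions = system,exec\ndisable_functions = exec,passthru\n"
HARDENED_INI = "disable_functions = system,exec,passthru,shell_exec,proc_open,curl_multi_exec\n"
SAMPLE_PATHS = [
    "wp-content/uploads/2023/logo.png",
    "wp-content/uploads/2023/cache.PHP",
    "wp-content/uploads/old.phtml",
    "wp-includes/js/jquery-migrate.min.js",
]
SAMPLE_HTACCESS = "# hide server information\nServerSignature Off\nHeader unset X-Powered-By\n"

if __name__ == "__main__":
    print("still enabled:", missing_disabled_functions(WEAK_INI))
    print("PHP under uploads:", php_files_in_uploads(SAMPLE_PATHS))
    print("server info hidden:", headers_hidden(SAMPLE_HTACCESS))
```

Note that the commented-out first line of WEAK_INI is ignored, so a php.ini that only has the setting in a comment still reports every function as enabled; the extension check is case-insensitive because cache.PHP is still executed by a default PHP handler.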