Introduction

If Google search results start showing spam pages, Japanese keyword pages, pharma listings, or other URLs you did not create, your site likely has a compromise that affects either the live files, generated output, or search-facing responses. The fix is not just to hide the pages. You need to remove the malicious content, close the entry point, and then ask Google to recrawl a clean site.

Symptoms

  • Google results show spam titles or URLs that do not appear in normal site navigation
  • Search Console reports hacked content or indexed pages you never published
  • Search visitors land on redirects, fake product pages, or keyword-stuffed content
  • The spam may only appear to crawlers or search visitors and not to logged-in admins
  • Server files, database records, or rewrite rules changed without approval

Common Causes

  • Malware injected spam pages into WordPress files, the database, or generated cache
  • Attackers added cloaking logic so search engines see different content than admins
  • A vulnerable plugin, theme, or admin account allowed unauthorized file changes
  • Backup restores removed visible symptoms but left the compromise path open
  • Search index still contains old hacked URLs after the site was partially cleaned

Step-by-Step Fix

  1. Confirm whether the hacked pages still exist live or only remain indexed by checking the URLs directly with and without cache, and by reviewing Search Console examples.
  2. Put the site into a controlled cleanup state if necessary so new spam pages are not generated while you investigate.
  3. Scan files, database content, scheduled tasks, and rewrite rules for injected pages, cloaking logic, and unauthorized admin or FTP access.
  4. Remove the malicious files or records only after preserving forensic evidence or a backup snapshot for rollback and investigation.
  5. Patch the original entry point, whether that is a vulnerable plugin, reused password, compromised admin user, or insecure hosting access path.
  6. Rotate all relevant credentials, including WordPress admin, hosting, database, SFTP, API, and CDN credentials if exposure is possible.
  7. Rebuild caches and confirm clean responses to both normal browsers and crawler-like requests.
  8. Use Search Console removal and reindex tools only after the site is truly clean, otherwise Google can re-detect the compromise.
  9. Monitor new file changes, indexed URLs, and security alerts closely for the next several days to ensure the spam does not return.