Introduction

Spam pages inside uploads usually mean the problem is not just SEO clutter. They mean an attacker found a way to write or generate files where normal media uploads live. Deleting the spam URLs without finding the writing mechanism only buys a short quiet period before they come back. The real fix is to isolate the injected script, clean the generated files, and reduce how much executable behavior the uploads path can host.

Symptoms

  • Search engines index casino, pharma, or fake product pages under /wp-content/uploads/
  • New junk files reappear after manual deletion
  • Suspicious PHP, HTML, or obfuscated scripts exist alongside normal media files
  • Traffic spikes hit unknown URLs in the uploads tree
  • The issue began after a plugin compromise, stolen admin access, or a vulnerable file upload flow

Common Causes

  • A backdoor script writes generated spam pages into writable directories
  • File upload validation or plugin vulnerabilities allow executable files into uploads
  • Compromised admin or hosting access is being used to plant new files repeatedly
  • A scheduled task or hidden loader recreates deleted spam content
  • Web server rules allow execution in paths that should hold only static media

Step-by-Step Fix

  1. Put the site into a controlled cleanup state so you can preserve evidence and stop new spam content from being generated during the investigation.
  2. Inventory unexpected file types inside uploads, especially PHP, HTML, JS, or oddly named folders mixed with media assets.
  3. Identify the script, plugin, or account creating those files before deleting them, because the spam will return if the writer remains active.
  4. Remove the malicious generator, then delete the spam pages and any supporting loader files tied to them.
  5. Review admin users, file manager access, cron jobs, and recent plugin changes for the original entry point.
  6. Harden the uploads path so it stores media only and does not execute server-side code.
  7. Scan the rest of the site for related indicators such as hidden admin users, modified core files, or injected database content.
  8. Request search engine cleanup only after the writing mechanism is gone and the URLs return the intended status.
  9. Keep file integrity checks and upload-path restrictions in place so writable directories do not become a persistent foothold.
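
One way to do the inventory in step 2, as an added example that is not part of the original page: a read-only Python walk of the uploads tree that flags non-media name parts (including double extensions), per-directory config overrides, and PHP tags hidden inside files with media extensions. The extension list, the config file names checked, the reason labels and the demo tree are assumptions made for this example.

```python
import os
import tempfile

# Assumed policy for this example: name parts ordinary media uploads never need.
SUSPECT_PARTS = {"php", "phtml", "phar", "html", "htm", "js"}
CONFIG_NAMES = {".htaccess", ".user.ini"}  # per-directory server/PHP overrides
PHP_MARKERS = (b"<?php", b"<?=")           # heuristic content check

def _sample(path, n=65536):
    """Read the first and last n bytes so large media files stay cheap to check."""
    with open(path, "rb") as fh:
        head = fh.read(n)
        fh.seek(max(fh.seek(0, os.SEEK_END) - n, 0))
        return head + b"\0" + fh.read(n)

def inventory_uploads(root):
    """Return sorted (relative_path, reason) pairs; double extensions count too."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in CONFIG_NAMES:
                findings.append((rel, "config-override"))
            elif SUSPECT_PARTS & set(lower.split(".")[1:]):
                findings.append((rel, "non-media-extension"))
            elif any(m in _sample(path) for m in PHP_MARKERS):
                findings.append((rel, "php-tag-in-media"))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample data: a small uploads tree with clean and suspect files."""
    samples = {
        "2024/05/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2024/05/promo-page.html": b"<html>constructed placeholder</html>",
        "2024/05/thumb.php.jpg": b"\xff\xd8\xff\xe0",
        "2024/06/logo.gif": b"GIF89a" + b"<?php /* constructed marker */ ?>",
        "2024/06/.htaccess": b"# constructed placeholder",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(*inventory_uploads(tmp), sep="\n")
```

Because it only reads files, the same function can be pointed at the real uploads directory while the site is in the controlled cleanup state from step 1, before anything is deleted.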