Introduction
Spam URLs in an XML sitemap are a strong sign that the site is advertising content you did not intentionally publish. Sometimes the spam pages really exist. In other cases, the sitemap alone is poisoned by injected database entries, compromised SEO plugin settings, or malicious rewrite logic. The fix is to treat the sitemap as a security symptom, remove the source of the injected URLs, and then publish a clean sitemap that search engines can trust again.
Symptoms
- Search Console or another crawler reports strange URLs in your sitemap
- The sitemap lists casino, pharma, adult, or unrelated product pages
- Some spam URLs return real content while others only appear in the sitemap output
- The issue started after a plugin compromise, suspicious admin change, or malware incident
- Search results begin showing hacked or irrelevant pages from your domain
Common Causes
- A compromised plugin or theme is injecting extra sitemap entries
- Malicious database content pollutes SEO plugin indexes or post data
- Rewrite rules or custom code generate fake URLs dynamically for crawlers
- Cached sitemap output still serves stale spam entries after cleanup
- Search engines are reading a secondary sitemap file the team forgot to inspect
Step-by-Step Fix
- Export and review the sitemap output carefully so you know whether the spam URLs come from the main sitemap, a child sitemap, or a separate sitemap index.
- Test a sample of the listed spam URLs to determine whether they resolve to real pages, soft 404s, redirects, or only appear in metadata.
- Inspect SEO plugins, sitemap generators, theme functions, and custom mu-plugins for unexpected URL sources or injected code.
- Search the database for spam keywords, rogue posts, modified options, and suspicious serialized plugin settings tied to sitemap generation.
- Check rewrite rules, server config, and malware artifacts that may generate spam pages only for bots or specific user agents.
- Remove the malicious content or code first, then regenerate the sitemap rather than manually hiding the visible URLs.
- Clear application, object, CDN, and server caches so the cleaned sitemap output is what crawlers actually receive.
- Re-submit the correct sitemap in search tools and request removal or re-crawling of hacked URLs where necessary.
- Finish with a broader security review so the same attacker cannot reinsert spam URLs after the initial cleanup.
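The first review step, locating which sitemap file carries the spam entries, can be scripted. The following is an added example, not part of the original article: it walks a sitemap index and its child sitemaps and reports each suspicious URL together with the file that listed it. The example.com documents, the keyword list, and the "published inventory" set are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead
from urllib.parse import urlparse

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
XMLNS = 'xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"'
# Assumed keyword list based on the categories named under Symptoms; tune per site.
SPAM = re.compile(r"casino|pharma|adult", re.I)

# Constructed sample documents standing in for HTTP responses.
SAMPLE = {
    "https://example.com/sitemap_index.xml": f"""<sitemapindex {XMLNS}>
      <sitemap><loc>https://example.com/post-sitemap.xml</loc></sitemap>
      <sitemap><loc>https://example.com/extra-sitemap.xml</loc></sitemap>
    </sitemapindex>""",
    "https://example.com/post-sitemap.xml": f"""<urlset {XMLNS}>
      <url><loc>https://example.com/about/</loc></url>
      <url><loc>https://example.com/blog/hello/</loc></url>
    </urlset>""",
    "https://example.com/extra-sitemap.xml": f"""<urlset {XMLNS}>
      <url><loc>https://example.com/cheap-pharma-deals/</loc></url>
      <url><loc>https://example.com/x9/landing-77/</loc></url>
      <url><loc>https://shop.example.net/offers/</loc></url>
    </urlset>""",
}
# Constructed inventory of URLs the site owner intentionally published (e.g. a CMS export).
KNOWN = {"https://example.com/about/", "https://example.com/blog/hello/"}

def audit(root_url, fetch, expected_host, known_urls, seen=None):
    """Walk a sitemap or sitemap index; return (source_sitemap, url, reason) tuples."""
    seen = set() if seen is None else seen
    if root_url in seen:  # guard against an index that references itself
        return []
    seen.add(root_url)
    doc = ET.fromstring(fetch(root_url))
    findings = []
    for loc in doc.findall("sm:sitemap/sm:loc", NS):  # child sitemaps of an index
        findings += audit(loc.text.strip(), fetch, expected_host, known_urls, seen)
    for loc in doc.findall("sm:url/sm:loc", NS):  # page entries of a urlset
        url = loc.text.strip()
        parts = urlparse(url)
        if parts.hostname != expected_host:
            findings.append((root_url, url, "foreign host"))
        elif SPAM.search(parts.path + "?" + parts.query):
            findings.append((root_url, url, "spam keyword"))
        elif url not in known_urls:
            findings.append((root_url, url, "not in published inventory"))
    return findings

if __name__ == "__main__":
    for finding in audit("https://example.com/sitemap_index.xml", SAMPLE.__getitem__, "example.com", KNOWN):
        print(finding)
```

For a live site, pass a `fetch` function that downloads each sitemap URL and returns its body; the inventory comparison catches injected entries that contain no obvious spam keyword.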