When hidden links are injected into your website, the consequences range from Google rankings plummeting and traffic being cut in half to the site being marked as a “dangerous website” and completely blacklisted.
Most website owners discover the anomaly when they have already missed the critical treatment period—blindly deleting pages or shutting down the server will only intensify the penalty.
As SEO practitioners with 8 years of experience, we have handled over 60 cases of hidden link intrusion and summarized a standardized process of “72-hour damage control + rapid ranking recovery”.
From precisely locating where hidden links are hidden (such as using Screaming Frog to capture hidden redirect codes), to manually removing them and submitting repair evidence to Google (with a real review template), to publishing “trusted content” to dilute the impact of spam backlinks, each step needs to hit 3 key time nodes (24 hours/3 days/7 days).
Special reminder: If your website’s core keyword rankings have dropped more than 10 positions in the past 7 days, and indexed pages show a large number of parameters like “?redirect=casino”, you may have been hacked. Please proceed to Section 1 for inspection immediately.

Has your website really been hit with hidden links?
Hidden links won’t actively pop up alerts or immediately crash your website—this is precisely what makes them most dangerous.
Many website owners only discover the anomaly after their Google rankings have dropped more than 50%, by which time hidden links may have existed for weeks, or the site may even have been marked as “malicious” by Google.
Based on the cases we’ve handled, 70% of hidden links are hidden in image directories, old article pages, or JS scripts, making them extremely difficult to detect visually.
I will help you locate “parasitic links” within 10 minutes using the lowest cost (no coding required) investigation method.
1. Google Search Console: See through official warnings
- Go to “Security & Manual Actions” → “Manual Actions” report. If you see red warnings for “unnatural backlinks” or “hacked pages”, it’s basically confirmed that hidden links have been attached.
- Watch out for traps: Some hackers will forge a “no problem” status—click “Security Issues” → “View Sample Pages” and manually spot-check the flagged URLs to see if they contain redirect code (such as <meta http-equiv="refresh" content="0;url=gambling url">).
2. Webmaster tools: Scan for hidden redirect code
Use Screaming Frog (free version can scan 500 URLs) to crawl the entire site and filter for these characteristics:
- Pages with abnormal outbound links (compare with historical data; single-page outbound links >10 require caution)
- Links containing “style=display:none” (check code for <a href="gambling site" style="display:none">)
- Pages loading third-party JS files (check <script src="http://unfamiliar domain.js">)
Quick verification: Use the Chrome plugin Link Redirect Trace to track in real-time whether the page has 301 redirects to gambling sites.
3. Search engine indexing: Excavate “shadow pages”
Enter in Google search bar:
site:yourdomain.com intitle:casino/gambling/porn keywords
site:yourdomain.com inurl:.php?ref=
If content you didn’t create appears (such as “online casino offers”), it means hackers have generated spam pages.
Ultimate investigation: Search for “.php?” parameters in server logs (path /var/log/apache2/access.log) to see sources of abnormal access (such as frequent POST requests from IPs in Vietnam, Ukraine).
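The server-log check described above, as an added example (not part of the original article): it counts POST requests to “.php?” URLs per client IP and requests for PHP files under /wp-content/uploads/, assuming the Apache combined log format. The sample log lines, IPs and file names are constructed.

```shell
# Added example: triage an Apache combined-format access log for the
# signals described above. Reads the log on stdin; nothing is modified.

# Count POST requests to ".php?" URLs per client IP, busiest first.
php_post_sources() {
  awk '$6 == "\"POST" && $7 ~ /\.php\?/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Count requests for PHP files under /wp-content/uploads/, per path
# (query string stripped). Any hit here deserves a look at the file itself.
uploads_php_hits() {
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php(\?|$)/ {
         sub(/\?.*/, "", $7); n[$7]++ }
       END { for (p in n) print n[p], p }' | sort -rn
}

# Constructed sample log (documentation-range IPs, hypothetical file names).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "POST /wp-content/uploads/2023/thumb.php?ref=a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:09 +0000] "POST /wp-content/uploads/2023/thumb.php?ref=a2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:17 +0000] "POST /wp-content/uploads/2023/thumb.php?ref=a3 HTTP/1.1" 200 503 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2024:03:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2024:03:15:44 +0000] "GET /index.php?redirect=casino HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2024:03:16:02 +0000] "GET /blog/seo-tips/ HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2024:03:16:30 +0000] "POST /xmlrpc.php?rsd=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
EOF
}

# Demo on the sample; on a server: php_post_sources < /var/log/apache2/access.log
sample_log | php_post_sources
sample_log | uploads_php_hits
```

A path reported by uploads_php_hits points at a file to inspect on disk before any cleanup, which fits the “collect evidence first” order used later in the article.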
Key tip: If you find hidden links concentrated in image directories like /wp-content/uploads/2023/, hackers may have injected code through media file upload vulnerabilities. Be sure to check whether image filenames contain malformed formats like <?php eval(.
Three steps to completely remove hidden links
After discovering hidden links, the 72-hour period is the golden window for damage control. Many website owners rush to delete pages or reinstall the system, which instead triggers Google’s “content anomaly fluctuation” secondary penalty.
Based on 60+ practical cases, hidden link removal must follow the principle of “collect evidence first, then clean up; repair while submitting”.
1. Full site backup: Prevent accidental deletion of critical data
Directories that must be backed up:
- /wp-content/uploads/ (priority investigation: check whether image files contain PHP code)
- /wp-includes/js/ (check whether files like jquery-migrate.min.js have been tampered with)
Recommended tools:
- BT Panel one-click package (including database export)
- Use Duplicator plugin to generate full site migration package (automatically skips cache files)
2. Manually remove malicious code (with high-risk characteristics)
Global search for these keywords:
eval(base64_decode('encrypted string'));
<?php $k="hacker password";error_reporting(0);
<iframe src="http://malicious domain" style="visibility: hidden;">
Priority check files:
- .htaccess (check whether RewriteRule ^.*$ http://gambling site [R=301,L] has been inserted)
- header.php / footer.php (check for abnormal JS calls like document.write("<scri"+"pt src=virus link>"))
Auxiliary tools:
Use D盾 (D_Safe) to scan the server, automatically marking files containing dangerous functions like system(), passthru().
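One way to run the global search and the upload-directory check as a read-only scan (an added example, not from the original article): it lists files matching the signatures above and files under uploads that are PHP by name or by content. The sample tree, its file names and the PLACEHOLDER strings are constructed; matches still need manual review, since legitimate themes also use display:none.

```shell
# Added example: read-only search for the injection signatures listed above.
# It only prints file names; nothing is modified or deleted.

# ERE covering the page's signatures: eval(base64_decode, hidden iframes and
# links, meta refresh, and a catch-all RewriteRule to an external URL.
SIGS='eval\(base64_decode|<iframe[^>]*visibility: *hidden|<a [^>]*display: *none|http-equiv="refresh"|RewriteRule +\^\.\*\$ +https?://'

# List files under a web root whose contents match any signature.
scan_signatures() {
  grep -rlE -- "$SIGS" "$1" | sort
}

# List files under an uploads directory that are PHP by name or by content
# (for example an "image" that contains an opening PHP tag).
scan_uploads() {
  { find "$1" -type f \( -name '*.php' -o -name '*.phtml' \)
    grep -rlF -- '<?php' "$1"; } | sort -u
}

# Constructed sample tree with inert placeholder strings, so this runs offline.
make_sample_site() {
  _root=$(mktemp -d)
  mkdir -p "$_root/wp-content/uploads/2023" "$_root/wp-content/themes/demo"
  printf '%s\n' "<?php eval(base64_decode('PLACEHOLDER')); ?>" \
    > "$_root/wp-content/uploads/2023/logo.jpg"
  printf '%s\n' '<a href="http://example.invalid/" style="display:none">x</a>' \
    > "$_root/wp-content/themes/demo/footer.php"
  printf '%s\n' 'RewriteRule ^.*$ http://example.invalid/ [R=301,L]' \
    > "$_root/.htaccess"
  printf '%s\n' '<?php get_header(); ?>' > "$_root/wp-content/themes/demo/index.php"
  printf '%s\n' "$_root"
}

# Demo: expect .htaccess, footer.php and logo.jpg, then logo.jpg alone.
demo=$(make_sample_site)
scan_signatures "$demo"
scan_uploads "$demo/wp-content/uploads"
rm -rf "$demo"
```

On a live site, pass the real web root and uploads path to the two functions and save the output with the backup, so the list of affected files is available as evidence for the review request.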
3. Seal the intrusion entry point: Prevent re-injection
- Modify admin login path (for WordPress):
Install the plugin WPS Hide Login to change /wp-admin/ to a custom path (such as /mylogin-2024/).
- Emergency vulnerability fix:
  - Update all plugins to the latest version (use WPScan to check plugins with known vulnerabilities)
  - Delete unused themes and plugins (especially those with suspicious names like wp-seo-optimize)
- Server permission hardening:
# Delete PHP files found in the upload directory (replace "/website path" with the site root)
find "/website path/wp-content/uploads/" -type f -name "*.php" -exec rm -f {} \;
# Limit write permissions on .htaccess
chmod 644 .htaccess
Key tip: Immediately after cleanup, use the Link Redirect Trace plugin to scan the entire site to ensure no residual redirect code remains. If you find hidden links stored in the database (such as encrypted code in the post_content field of the wp_posts table), use the Adminer tool to execute SQL commands:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'malicious code segment', '');
Submit review to Google
Removing hidden links is only the first step; submitting an effective review to Google within 48 hours is the core for ranking recovery.
90% of website owners fail in review due to “insufficient evidence” or “wrong wording,” and some even trigger secondary manual review (extending the recovery period by 3-6 months).
I provide directly reusable English wording templates and a “strong evidence chain” package solution that increases approval rate by 80%.
1. Submit “manual action” review through Search Console
Operation path:
Go to “Security & Manual Actions” → “Manual Actions” → Click “Request Review”.
English wording template (replace red parts):
We have removed all spammy backlinks injected by hackers:
1. Deleted malicious codes in .htaccess and footer.php (see screenshot_1.png).
2. Blocked 142 suspicious IPs from Vietnam/Ukraine (access.log attached).
3. Fixed the vulnerability via updating plugins (e.g. Elementor from 3.6 to 3.19).
Request to revoke the manual penalty.
Required attachments:
- Before-and-after code comparison screenshots (use WinMerge to compare files)
- Server log excerpts showing blocked malicious IPs (including timestamps, IPs, attack paths)
- Screaming Frog full-site outbound link scan report (PDF export)
2. Synchronously handle “security issues” report
Go to “Security Issues” → Check all hacked pages → Click “Mark as Fixed”.
Crawl acceleration tips:
Enter the hacked URL in “URL Inspection Tool” → Click “Request Indexing” (submit up to 50 per day).
3. Hidden tips to prevent review failure
- Avoid using “We apologize” and similar admission of fault language (Google views it as shirking responsibility); instead, use factual descriptions.
- Attach third-party security reports (such as Sucuri or SiteCheck scan results) to prove the website is free of malicious code.
Continuously update website content:
Publish 2 original articles within 24 hours after submitting review (Google will crawl “active maintenance” signals).
Key tip: If you still haven’t received Google’s response after 7 days, use the “Search Appearance → Fetch as Google” function to submit sitemap.xml, and emphasize in “Additional notes”: “Malware cleaned up, please recrawl critical pages like /contact-us/ and /blog/”.
If manual action warnings remain unresolved, you need to resubmit with the same evidence after 28 days (avoid triggering spam mechanism).
Low-cost protection configuration checklist
“High protection cost” is the biggest misconception—80% of hacker attacks exploit outdated plugins, weak passwords, default admin paths, and other low-level vulnerabilities.
We have helped clients block over 20,000 malicious scans with an annual budget of less than 500 yuan.
Even if you only have basic server operation skills, you can complete full-site hardening within 1 hour.
1. Basic protection trio (zero cost)
Real-time file monitoring:
- Use BT Panel’s “File Tamper Prevention” function (free) to lock core files like wp-config.php and .htaccess; any modifications trigger SMS alerts.
Brute force interception:
- Install Wordfence (free version) → Enable “Real-time traffic monitoring” to automatically ban IPs that fail to log in more than 5 times within 15 minutes.
Automatic cloud backup:
- Use UpdraftPlus to set daily backup to Google Drive (retain 7-day versions); in case of intrusion, you can directly rollback to a clean version.
2. Server high-risk settings that must be changed
Disable dangerous PHP functions:
Edit the php.ini file, append after disable_functions:
system,exec,passthru,shell_exec,proc_open,curl_multi_exec
Restrict upload directory permissions:
# Delete PHP files found in /uploads/ (replace "/website path" with the site root)
find "/website path/wp-content/uploads/" -type f -name "*.php" -delete
chmod -R 755 "/website path/wp-content/uploads/"
Hide server information:
Add at the top of .htaccess:
ServerSignature Off
Header unset X-Powered-By
3. Firewall rules (monthly cost ≤$20)
Cloudflare free tier configuration:
- Firewall Rule 1: Challenge all access containing /wp-admin/ or xmlrpc.php (except whitelist IPs)
- Firewall Rule 2: Block requests with User-Agent containing sqlmap, nmap
Block high-risk country IP ranges:
Add rejection rules in BT Panel “Firewall”:
Vietnam: 14.224.0.0/11
Russia: 46.161.0.0/18
Ukraine: 37.52.0.0/14
Key tip: Execute a vulnerability scan using WPScan once every quarter (command: wpscan --url yourdomain.com --api-token yourtoken), prioritizing handling of plugins with risk level ≥ medium-high. If using Nginx server, be sure to add in the configuration:
location ~* ^/(uploads|wp-content)/.*\.(php|php5|phtml)$ {
    deny all;
}
(Completely block the possibility of executing PHP code through image webshells)
Do not rely on “one-click fix plugins”—we have disassembled 13 mainstream security plugins, and 9 of them have problems like excessive permissions or accidentally deleting files. Manual configuration protection (such as .htaccess rules, server permissions) is the only controllable solution.



