Hacked websites often become targets for SEO spam attacks, where thousands of spam pages get indexed by Google, damaging search rankings and credibility. Recently, we faced a case where a WordPress site had been compromised, leading to 242,000 Japanese spam pages appearing in Google Search results.
In this guide, we will walk through:
- Cleaning up the malware
- Extracting and analyzing spam URLs
- Removing them from Google efficiently
- Securing the site against future attacks
Step 1: Cleaning Up the Malware
1.1 Scan for Malware
Use security plugins like Wordfence and Sucuri to scan and detect malicious files.
Perform a manual review of key files like index.php, .htaccess, and wp-config.php to check for suspicious modifications.
1.2 Check for Unauthorized Admin Users
Go to WordPress Dashboard → Users and remove any unfamiliar admin accounts. Change all admin passwords immediately.
1.3 Update Everything
Update WordPress Core, Plugins, and Themes to their latest versions. Remove unused and outdated plugins/themes that might have security vulnerabilities.
1.4 Restore Critical Files
Check .htaccess and wp-config.php for any unauthorized modifications and restore them to their default settings.
Step 2: Extracting Indexed Spam URLs
2.1 Using URL Extractor
Search site:yourdomain.com on Google to see indexed pages.
Use Infy Scroll to auto-load all pages and extract all URLs using URL Extractor.
Then Use the following Python script to filter spam URLs:
import pandas as pd
csv_file = "urls.csv"
df = pd.read_csv(csv_file)
site_url = "https://domain.com"
filtered_urls = df[df['URL'].str.startswith(site_url)]
filtered_urls.to_csv("filtered_urls.csv", index=False)
print("Filtered URLs saved successfully!")
2.2 Google Search Analytics API
For a larger dataset, use the Google Search Analytics API to extract up to 25,000 URLs:
Step 2.2.1: Open the Search Analytics API
- Go to Google Search Analytics API.
- Click on “Try it now.”
Step 2.2.2: Expand to Full-Screen Mode
- In the API Explorer panel, click the full-screen icon (⛶) for better visibility.
Step 3: Set Up Your Request
- Enter your GSC property URL in the
siteUrlfield. - Example:
https://yourwebsite.com/ - (You must have admin access.)
Paste this JSON into the “Request Body” field:
{
"startDate": "2023-01-01",
"endDate": "2025-02-19",
"dimensions": ["QUERY", "PAGE"],
"rowLimit": 25000
}
- startDate & endDate – Defines the data range
- dimensions – Breaks down results by QUERY and PAGE
- rowLimit – Sets the export limit to 25,000 rows
Step 4: Authorize & Execute the Request
- Enable OAuth 2.0 authentication.
- Click the “Execute” button.
Step 5: Copy & Convert JSON Data to CSV
- If successful, you’ll see a “200 OK” response.
- Copy all JSON output using Ctrl + A (Cmd + A on Mac).
- Open Konklone JSON to CSV.
- Paste the copied JSON into the converter.
- Click “Download CSV” to save the data.
2.3 Google Search Console
Navigate to Indexing > Pages > View data about indexed pages in Google Search Console and export all indexed pages manually.
Step 3: Removing the URLs from Google
3.1 Submitting a Clean Sitemap
Create a new sitemap.xml containing only valid URLs and submit it in Google Search Console under Sitemaps.
3.2 Bulk URL Removal
Use Google Console Bulk URL Remover to submit all spam URLs at once.
3.3 Waiting for Google to Remove 404 Pages
Since the spam pages now return 404 errors, Google will deindex them automatically.
Step 4: Securing the Site from Future Attacks
- Wordfence Security Plugin – Provides firewall and malware scanning.
- All-in-One WP Security & Firewall – Hardens WordPress security.
- WP Armour – Honeypot Anti-Spam – Protects forms from bots.
- Cloudflare Firewall – Blocks malicious traffic.
- Two-Factor Authentication (2FA) – Adds an extra layer of security.
Final Results: Mission Accomplished!
- ✅ 242,000 spam pages removed from Google
- ✅ 25,000 URLs exported for SEO analysis
- ✅ Malware fully removed
- ✅ Website security enhanced
- ✅ Process completed within 10 hours!
Key Takeaways
- Speed is critical – Act fast to remove spam pages.
- Automation saves time – Use bulk tools and scripts.
- Google’s limits can be bypassed – API access allows exporting beyond the 1,000-row limit.
- Security is ongoing – Regular updates and monitoring are necessary.
Need Help?
If you need professional assistance with WordPress security, SEO cleanups, or large-scale URL removals, feel free to contact 3Zero Digital. We specialize in restoring hacked websites and securing them for the future!