Researchers Detail Directory Technique Used to Hijack WordPress Permalinks

Security researchers at Sucuri have identified a WordPress malware technique that allows attackers to inject spam content into search engine results while leaving the website’s visible pages unchanged. The activity was uncovered during a site cleanup after a customer reported seeing gambling-related content appearing in Google search results.

According to Sucuri, attackers targeted trusted pages such as About Us and Contact pages, which appeared legitimate to site owners and visitors. However, when accessed by search engine crawlers, those same URLs returned spam content designed for indexing.

Instead of altering WordPress posts or databases, attackers created physical directories on the server that matched existing WordPress permalinks. Because web servers typically prioritize physical directories over WordPress’s virtual routing system, requests to those URLs were served from the attacker-controlled folders instead of WordPress itself.

Within each shadow directory, researchers found a consistent set of files used to control what content was served. The malicious code delivered different content depending on the visitor. When the request appeared to come from a search engine crawler, the server returned a full spam page designed for indexing. When accessed by a human visitor or site administrator, the page displayed a clean copy of the original content.

This behavior explains why site owners were unaware of the infection while spam content continued to appear in search engine results.

The technique bypasses many traditional WordPress security checks because it doesn’t alter posts, pages, or database entries. As a result, standard dashboard reviews and database scans may not detect the compromise.

Sucuri noted that the primary impact of this technique is search engine spam injection, which can result in ranking penalties, loss of organic traffic, and reputational damage. Cleanup required removing the malicious directories, reviewing user accounts, and verifying core files to restore normal site behavior.

Remediation involves removing the malicious directories, auditing user accounts, resetting credentials, and verifying core WordPress files. Sucuri also recommends reviewing file permissions, monitoring server logs, and testing how pages appear to different user agents to confirm consistent behavior.
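One way to check for the shadow directories described above is to compare the site's known permalinks against the filesystem. The script below is an added example, not code from Sucuri or the original article. The function names, the demo layout, and the `index.php` placeholder are assumptions made for illustration. The permalink list would come from the site's sitemap.

```python
import os
import tempfile
from urllib.parse import urlparse

# WordPress core directories that legitimately exist in the web root.
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}

def permalink_to_relpath(url):
    """Return the URL path as a relative filesystem path ('' for the home page)."""
    path = urlparse(url).path.strip("/")
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return os.path.join(*parts) if parts else ""

def find_shadow_dirs(webroot, permalinks):
    """Flag permalinks that resolve to a physical directory under webroot.

    WordPress pages are virtual, so a real directory at a permalink's path
    means the web server will answer from disk instead of from WordPress.
    """
    findings = []
    for url in permalinks:
        rel = permalink_to_relpath(url)
        if not rel or rel.split(os.sep)[0] in CORE_DIRS:
            continue
        candidate = os.path.join(webroot, rel)
        if os.path.isdir(candidate):
            files = sorted(os.listdir(candidate))
            findings.append({"permalink": url, "directory": candidate, "files": files})
    return findings

def build_demo_site(root):
    """Constructed sample layout: core dirs plus one directory shadowing /about-us/."""
    for d in ("wp-admin", "wp-content", "wp-includes", "about-us"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "about-us", "index.php"), "w") as fh:
        fh.write("<?php // constructed placeholder ?>")

def run_demo():
    """Run the check against the constructed layout and return (permalink, files) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        urls = ["https://example.com/about-us/", "https://example.com/contact/"]
        return [(f["permalink"], f["files"]) for f in find_shadow_dirs(root, urls)]

if __name__ == "__main__":
    for permalink, files in run_demo():
        print(f"SHADOWED {permalink} -> files: {files}")
```

Any directory this reports should be reviewed by hand before deletion, since some sites intentionally keep static folders alongside WordPress.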

Additional steps such as enforcing strong passwords, limiting administrative access, and using a Web Application Firewall (WAF) can help reduce the risk of compromise and block malicious requests before they reach the server.

Find more general WordPress security tips in our How to Secure Your WP Site article.

