Injected spam pages are one of the most frustrating problems after a WordPress hack.
You clean the visible malware, but Google Search may still show strange URLs from your domain. Some results may contain Japanese keywords, casino pages, pharmaceutical spam, fake product listings, or other content that you never created.
This usually happens when attackers inject spam pages, create fake sitemaps, abuse URL parameters, or use content cloaking to show different content to Google than real visitors see.
If your WordPress site has been hacked and spam pages are showing in Google Search, the goal is not only to remove those URLs from search results. You also need to clean the website, block the spam URLs from returning, check Google Search Console access, and prevent the same issue from happening again.
This guide explains how to remove injected spam pages from Google Search and how to secure your WordPress site after cleanup.
What Are Injected Spam Pages?
Injected spam pages are pages or URLs added to your website without your permission.
They are usually created by attackers after exploiting a vulnerable plugin, theme, weak admin password, compromised hosting account, nulled plugin, or hidden backdoor.
These spam pages may appear as:
- Japanese keyword spam
- Pharmaceutical spam
- Casino or betting pages
- Fake product pages
- Random URL parameter spam
- Spam pages under fake directories
- Redirects to scam websites
- Search results showing spam titles or descriptions
In some cases, visitors may not see the spam page directly. The attacker may use cloaking, which means Googlebot sees one version of the page while normal visitors or logged-in administrators see something else.
That is why the site may look clean in the browser while Google still shows hacked search results.
Why Spam Pages Appear in Google Search
Spam pages can appear in Google Search when Google crawls and indexes URLs created by the attacker.
Common causes include:
- Injected spam files on the server
- Malicious rewrite rules
- Database-injected spam content
- Fake sitemap files submitted to Google
- Unauthorized Search Console users
- Content cloaking based on user agent or referrer
- Backdoors that recreate spam pages after cleanup
- Old hacked URLs still returning 200 OK instead of 404 or 410
Before focusing only on Google removals, confirm that the website is actually clean. If hacked pages still exist, Google may crawl them again and the problem can return.
Check Google Search Console Access First
Google Search Console is essential during hacked-site recovery. It helps you see indexed pages, submitted sitemaps, security issues, manual actions, crawl errors, and ownership access.
Start by checking who has access to the property.
Attackers sometimes verify themselves as owners in Google Search Console. If they gain access, they may submit spam sitemaps, monitor indexing, or keep pushing injected URLs into Google Search.
Review these areas carefully:
- Users and permissions: Remove anyone you do not recognize.
- Ownership verification methods: Check for unknown HTML files, DNS records, Google Analytics links, Google Tag Manager links, or meta tags.
- Sitemaps: Remove unknown or spam sitemap files.
- Security issues: Check whether Google has detected hacked content, malware, social engineering, or other problems.
- Manual actions: Check whether the site has received a manual penalty related to spam or hacked content.
- Pages report: Review indexed, not indexed, crawled, and discovered URLs for spam patterns.
Only legitimate owners and team members should have Search Console access.
Clean the WordPress Hack First
Do not start by removing URLs from Google if the website is still infected.
The correct order is:
- Clean the hacked WordPress site.
- Remove malware, backdoors, spam files, and injected database content.
- Remove unauthorized admin users.
- Reset WordPress, hosting, FTP/SFTP, database, and control panel passwords.
- Update WordPress core, plugins, and themes.
- Remove nulled, abandoned, or unused plugins and themes.
- Confirm hacked URLs now return 404 Not Found or 410 Gone.
- Then use Google Search Console to speed up removal where needed.
Google’s own hacked-site guidance focuses on cleaning the site first, fixing the cause, and then letting Google recrawl the corrected pages. The Removals tool can hide urgent URLs, but it does not clean the hack itself.
For WordPress sites, SiteFort Security Plugin can help during this stage by scanning for malware, suspicious files, backdoors, modified core files, injected scripts, vulnerable plugins and themes, and exposed sensitive files. It also adds firewall protection, hardening, login security, audit logs, and vulnerability monitoring to reduce the chance of reinfection.
If the site keeps getting reinfected, consider using a professional WordPress malware removal service. Repeated spam injection usually means a backdoor, compromised account, vulnerable plugin, or server-level issue is still present.
Find Indexed Spam Pages in Google
After cleanup, you need to understand how many spam URLs Google has indexed and whether they follow a pattern.
Useful Google searches include:
site:yourdomain.com
site:yourdomain.com casino
site:yourdomain.com viagra
site:yourdomain.com Japanese
site:yourdomain.com inurl:index.php?
site:yourdomain.com inurl:product
site:yourdomain.com inurl:tag
Replace yourdomain.com with your actual domain.
You can also use Search Console reports to inspect suspicious URLs. Look for patterns such as:
- Random query strings
- Strange directories
- Spam keywords in page titles
- Large numbers of “Crawled – currently not indexed” URLs
- Unknown sitemap submissions
- Pages that return 200 OK but should not exist
Example spam pattern:
https://example.com/index.php?rthrsdb.html
https://example.com/index.php?tyhrtdsdb.html
https://example.com/index.php?eyusdb.html
In this example, the spam URLs all start with:
https://example.com/index.php?
That pattern is useful because Search Console can temporarily remove all URLs with a matching prefix.
Use the Google Search Console Removals Tool
The Google Search Console Removals tool can quickly hide hacked or spam URLs from Google Search while Google recrawls your cleaned website.
Google’s documentation says temporary removals hide URLs from Google Search for about six months and clear the cached copy. Clear cached URL clears the cached page and snippet until Google crawls the page again.
Use the Removals tool when:
- Hacked spam URLs are already showing in Google Search
- You need urgent temporary cleanup of search results
- The spam URLs follow a removable prefix pattern
- The site has already been cleaned or the URLs now return 404/410
Do not use it as a replacement for cleaning the website. If the spam pages still exist, they may return after the temporary removal expires.

Temporary Removal
Temporary removal hides the selected URL or URL prefix from Google Search for about six months. It also clears the cached copy and snippet for the removed URL.
This is useful when spam URLs are actively visible in search results and you need them hidden quickly while permanent cleanup is being processed.
Clear Cached URL
Clear cached URL does not remove the URL from Google Search. Instead, it clears the cached page and removes the current snippet until Google crawls the page again.
This is useful when a legitimate page is now clean, but Google is still showing an old hacked title, description, or cached version.
Remove Spam URLs by Prefix
If the spam URLs follow a clear pattern, you can remove them in bulk using prefix removal.
For example:
https://example.com/index.php?rthrsdb.html
https://example.com/index.php?tyhrtdsdb.html
https://example.com/index.php?eyusdb.html
If all spam URLs begin with https://example.com/index.php?, you can submit that prefix in Search Console and choose the option to remove all URLs with that prefix.

Be careful with prefix removals. Do not remove a broad prefix that may include legitimate pages. For example, removing all URLs under /blog/, /product/, or /category/ could hide real pages from Google Search.
Make the Removal Permanent
The Removals tool is temporary. Permanent removal depends on what Google sees when it recrawls the URL.
For injected spam pages that should not exist, the cleaned site should return either:
- 404 Not Found — the page does not exist
- 410 Gone — the page is intentionally gone
Google has stated that removed pages should return a 404 or 410 status code.
For hacked spam URLs, a 410 Gone response can be useful when you know the URL pattern should never exist again. It sends a clearer signal that the page is permanently gone.
Avoid redirecting hacked spam pages to the homepage. Redirecting thousands of spam URLs to the homepage can create confusing signals and may look like soft-404 behavior. In most cases, 404 or 410 is the cleaner option.
Use 410 Rules for Known Spam Patterns
If the injected spam URLs follow a predictable pattern, you can return 410 Gone for those URLs.
Example Apache rule:
# Return 410 Gone for hacked index.php query spam pattern
RewriteEngine On
RewriteCond %{THE_REQUEST} \s/+index\.php\? [NC]
RewriteRule ^index\.php$ - [G,L]
Use rules carefully. Test before applying them to a production site, especially if your website uses query strings for legitimate functionality.
For Nginx, this type of rule should be added in the server configuration by an experienced admin:
location = /index.php {
if ($args ~ ".+") {
return 410;
}
}
This example is intentionally broad and may not fit every website. If your WordPress site uses legitimate query strings on index.php, use a narrower pattern.
SiteFort can help with this process by identifying suspicious requests, monitoring repeated 404 probes, logging blocked activity, and helping apply firewall or hardening rules without relying only on manual server edits.
Submit a Clean Sitemap
After removing spam sitemaps and cleaning hacked URLs, submit a clean sitemap in Google Search Console.
Your sitemap should only include legitimate, indexable pages.
Check that:
- Spam sitemap files are removed
- Only current legitimate sitemap URLs are submitted
- Important pages return 200 OK
- Removed spam pages return 404 or 410
- Canonical tags point to correct URLs
- Noindex tags are not accidentally applied to important pages
A clean sitemap helps Google focus on the real pages you want indexed.
Request Recrawling for Important Pages
If important pages had hacked titles, snippets, or cached spam content, inspect those URLs in Search Console and request indexing after cleanup.
Google’s URL Inspection tool can be used to request recrawling for pages you manage, though recrawling is not immediate or guaranteed.
Use this for important pages such as:
- Homepage
- Service pages
- Product pages
- Contact page
- High-traffic blog posts
- Pages that previously showed hacked snippets
Check Security Issues and Manual Actions
In Google Search Console, check both:
- Security issues
- Manual actions
If Google shows a hacked-site warning or manual action, fix the issue completely before requesting review.
Google has historically recommended submitting a reconsideration request after cleaning a hacked site when a warning or manual action exists.
In your review request, explain what was fixed. For example:
- Removed injected spam pages
- Removed malicious files and backdoors
- Removed unauthorized users
- Removed spam sitemaps
- Updated vulnerable plugins and themes
- Reset passwords
- Added firewall, hardening, malware scanning, and monitoring
Prevent Spam Pages from Returning
Removing spam from Google is only one part of recovery. The bigger goal is preventing reinfection.
After cleanup, secure the WordPress site with layered protection:
- Update WordPress core, plugins, and themes
- Remove nulled or abandoned plugins and themes
- Reset all admin and hosting credentials
- Enable two-factor authentication
- Use strong passwords
- Remove unknown admin users
- Disable file editing in WordPress admin
- Block PHP execution in uploads where possible
- Protect sensitive files
- Use a WordPress firewall
- Monitor vulnerabilities
- Scan for malware and backdoors regularly
- Review activity and firewall logs
SiteFort Security Plugin is built for this type of WordPress recovery and prevention workflow. It brings malware scanning, firewall protection, bot blocking, login security, 2FA, vulnerability alerts, hardening, audit logs, and Cloudflare Sync into one dashboard.
You can also run a quick external check with the Securewp Online Security Checker to review visible security issues, blacklist status, malware indicators, and other public-facing risks.
Final Thoughts
Injected spam pages can damage search visibility, visitor trust, and brand reputation. But the fix is manageable when you follow the right order.
First, clean and secure the WordPress site. Then remove unauthorized Search Console users and spam sitemaps. Use the Google Search Console Removals tool for urgent temporary cleanup. Make the removal permanent by returning proper 404 or 410 status codes for spam URLs. Submit a clean sitemap and request recrawling for important pages.
Most importantly, make sure the original hack is fully resolved. If a backdoor, vulnerable plugin, or compromised admin account remains, the spam pages can return.
For ongoing protection, SiteFort can help secure WordPress with hardening, firewall rules, bot blocking, login protection, malware scanning, vulnerability monitoring, audit logs, and Cloudflare Sync.
If your site has already been hacked and keeps showing spam pages in Google, our WordPress malware removal service can help clean the infection and reduce the risk of reinfection.