4 Years of Injected SPAM on a WordPress Site: A Real-Life Case Study

Imagine the shock of discovering years of hidden injected content on your business’s WordPress site during a routine upgrade. This nightmare came true for one of my clients who had been operating their small, yet successful, service industry website. Little did they know that their primary source of revenue was compromised.

Unusual Page Titles: the Biggest Red Flag

It all began when I suggested conducting an SEO audit to help improve their website’s organic rankings. As I delved into the audit, I stumbled upon several peculiar page titles and slugs. They seemed to have no connection whatsoever to their industry.

Invisible Spam Content

Further investigation revealed the startling truth: dozens of pages had been injected with spam content. Topics ranged from prescription drugs and alcohol to adult content.

What made the situation even more bizarre was that this content remained hidden within the WordPress Dashboard, yet was being served and indexed.

To confirm my suspicions, I checked Google Search Console and Ahrefs, both of which confirmed the presence of this mysterious content.

Discovering the Hacker’s File: A Four-Year-Old Compromise

Once I accessed the site via FTP, I discovered a hacker’s PHP file containing obfuscated code in the root directory. The file, dating back to 2019, exposed a long-standing compromise—four years of malware lurking in the shadows.

Despite the web host providing SiteLock for free, this automated tool had failed to protect the site, highlighting the risks of relying solely on automated security measures.

Migrating to a Different Hosting Provider and Rebuilding the Site

After discussing various options, my client and I agreed to switch to SiteGround, my preferred web hosting provider. We decided it was best to rebuild the site from scratch, manually transferring only the essential content.

I developed the new site on a staging WordPress installation at SiteGround while the old site remained live. Upon receiving the client’s approval on the new site, I completed the migration and disposed of the old, compromised website.

Comparing Website Performance: Old vs New

Before the overhaul, the client’s website was struggling with performance, as evidenced by scores from GTmetrix and Google PageSpeed Insights.

In GTmetrix, the homepage had a D Grade, with a 55% Performance score, 83% Structure score, 3.7 seconds Largest Contentful Paint (LCP), and a 0.13 Cumulative Layout Shift (CLS).

In Google PageSpeed Insights, the old website failed the Core Web Vitals Assessment for both mobile and desktop.

On mobile, the report showed a performance score of 74, accessibility at 94, best practices at 83, and SEO at 82. The First Contentful Paint (FCP) took 3.6 seconds, Speed Index was at 9.6 seconds, and LCP was 3.7 seconds.

On desktop, performance scored 80, accessibility 94, best practices 83, and SEO 83. FCP was 1.0 second, Speed Index 2.9 seconds, LCP 1.5 seconds, and CLS was 0.16.

Given a reasonable timeframe, I optimized the new website to the best of my abilities, resulting in significant improvements.

In GTmetrix, the new website’s homepage boasts an A Grade, 100% Performance score, 100% Structure score, 0.5 seconds LCP, and 0 CLS.

In Google PageSpeed Insights, the new website passes the Core Web Vitals Assessment on both mobile and desktop.

On mobile, the report shows performance at 93, accessibility at 100, best practices at 100, and SEO at 100. FCP is 1.1 seconds, Speed Index 3.5 seconds, and LCP 3.0 seconds.

On desktop, performance scored 95, accessibility 100, best practices 100, and SEO 100. FCP is 0.3 seconds, Speed Index 1.8 seconds, LCP 1.0 seconds, and CLS is 0.001.

These results demonstrate a major improvement in the website’s performance, even when working with limited resources.

Monitoring the Site’s Performance: The Road to Recovery

Moving forward, I will keep an eye on the site’s performance for the next few months. I’ll be using Google Search Console, Google Business Profile, and Ahrefs to track changes in organic rankings and conversion rates.

Stay Vigilant and Perform Regular Checks

This cautionary tale serves as a reminder for all website owners to remain vigilant. While some hackers may brazenly deface sites, others discreetly inject malware, ads, spam content, or spammy backlinks. Regular manual checks, performed by a professional, are essential for safeguarding your site and protecting your business.

About the Author

Dumitru Brinzan is a professional WordPress developer from Germany. He assists small and medium businesses with WordPress website creation, website support, technical SEO, WordPress coaching, and consulting. With his expertise, business owners can focus on what they do best while knowing their site is in good hands.