Infected With Spam Link Injection? Here’s How You Can Fix Your WordPress Site

13th October 2020


Imagine opening your WordPress site and seeing it infested with spam links! If this has happened to you, then you are the victim of spam link injection – one of the sneakiest and most well-disguised hacks out there. 

Now, you could spend your entire day manually removing these links from all your webpages – only to see them return in a few days. We know how frustrating this can be. This is why in this article, we’ll show you the best method of removing spam injections from your site. We’ll also see how you can prevent such website attacks in the future. 

But first, let’s see exactly what hackers do to your infected website – using spam link injections.

WordPress spam link injection is a hacker’s malicious attempt to infect your top-ranked website pages. By inserting spam links into your website pages, hackers try to redirect your website users to their spam websites. They do this to gain a higher ranking for their own pages on search engine results pages (SERPs).

Here is what hackers do with your infected website:

  • Insert spam hyperlinks into website pages. When your users click on these links, they are redirected to unsolicited or spam websites. On other occasions, they insert the spam hyperlinks directly into your database. These links are mostly directed at illegitimate websites selling illegal pharma products. 
  • Send spam emails to your customers or users – as another form of phishing attack.
  • Display online banners or digital ads for unsolicited products or services on your website.
  • Create hundreds or thousands of new web pages on your website.

How does this hack affect your online business? Well, the most direct impact is on your SEO ranking. It may have taken you months or even years to get a higher rank for your website on Google or other search engines. All that effort is wiped out in a matter of days. Besides, your site could be suspended by your web hosting company, or even blacklisted by Google.


This is serious business. So, let’s understand how you go about fixing a website infected by spam link injections. 

As mentioned earlier, it is an arduous task to remove every spam link from your website and database files. To effectively clean your infected site, you can use either of the following methods:

  • Automatically: using a security plugin or tool
  • Manually: through manual scanning and cleanup of your site and database

Next, let us look at each of these methods in detail –  along with their pros and cons.

Method 1 – Automatically Using a Security Plugin

This is a much faster method of detecting and cleaning your site from any spam link injections. Once you have installed the security plugin, the automatic process can be completed in less than 5 minutes.

Thanks to WordPress’s global popularity, there are several free and paid WordPress security plugins available in the market. While we do not recommend free plugins, you can always opt for paid tools like Sucuri, Wordfence, or MalCare. The best part about these tools is that they are easy to install and use – even for novice users with minimal WordPress technical know-how. 


For example, here is how you can use the MalCare security plugin for your website:

  1. Register with MalCare using your email address.
  2. Next, log into the MalCare dashboard using the registration link sent to your email address.
  3. Specify your website URL, then install the MalCare plugin automatically.
  4. Once the plugin is installed, it will automatically scan your specified website for any infections. 
  5. All you need to do next is to click “Auto-Clean,” and the tool will take care of all your infected files – and clean your entire website and database.

This entire process would not take more than 5 minutes. So, in just a few minutes, you can get rid of all those spam link injections from your website. 


From our experience, we recommend the MalCare tool as it can find all spam links in just a few minutes – irrespective of the size of your website or database.

Method 2 – Manual Scanning and Cleaning

Compared to using a security plugin, the manual method of scanning and cleaning is far more technical and requires more advanced WordPress know-how – for troubleshooting in case things go wrong.

Here are the steps that you need to perform to scan and remove the spam link infection from your site:

  1. The first step is to take a complete backup of your site and database. This step is necessary to avoid the risk of losing all your website files if your manual process runs into any problem.

For easy backups, you can install and use a backup plugin like BlogVault, designed especially for WordPress websites.

  2. Next, log into your host account and navigate to the “File Manager” tool in cPanel. Using your File Manager, open the “public_html” folder, which is the WP installation folder.

Here, you can view three crucial folders – wp-admin, wp-includes, and wp-content – that hackers commonly target to insert spam links.

  3. Next, you need to search for any spam link code in every file located in these three installation folders.
  4. Once you find it, you need to delete it from the file.

This should take care of all the spam links directly present on your site.

  5. The next step is to check for spam links inserted into your database. For that, open the phpMyAdmin tool from your host’s cPanel.
  6. Select and export your database file to be downloaded to your computer.
  7. Open the database file as a text file – and search for PHP functions like base64_decode, eval, or gzinflate – that hackers commonly use to infect sites with malicious code.
  8. Finally, you can clean your database by finding and removing any malicious code from these functions or deleting the infected database record.
  9. Import the clean database file back to your site using the phpMyAdmin tool.

As you can see, the manual method is rather complicated and time-consuming. 
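The search in the steps above can be scripted. The following is an added example, not part of the original article: it flags the three PHP functions the article names and any link pointing away from your own domain, in either an exported database dump or a PHP file. The function name `scan_dump`, the domains and the sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# PHP functions the article says to search for in the exported database.
SUSPECT_CALLS = re.compile(r"\b(base64_decode|eval|gzinflate)\s*\(", re.I)
# href targets in stored HTML; dumps escape quotes as \" so allow a backslash.
HREF = re.compile(r"""href\s*=\s*\\?["']([^"'\\\s>]+)""", re.I)


def scan_dump(lines, own_host):
    """Return (line_no, kind, detail) findings for a SQL dump or PHP file.

    own_host is the site's own domain (an assumption of this example).
    Links to any other host are reported for review, not as proof of infection.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in SUSPECT_CALLS.finditer(line):
            findings.append((no, "php-call", m.group(1).lower()))
        for m in HREF.finditer(line):
            host = (urlparse(m.group(1)).hostname or "").lower()
            # Relative links have no host; subdomains of own_host are allowed.
            if host and host != own_host and not host.endswith("." + own_host):
                findings.append((no, "external-link", host))
    return findings


# Constructed sample: three rows as they might appear in an exported dump.
SAMPLE_DUMP = [
    "INSERT INTO wp_posts VALUES (1,'<p><a href=\\\"https://example.com/about\\\">About</a></p>');",
    "INSERT INTO wp_posts VALUES (2,'<p><a href=\\\"http://pills.example.net/buy\\\">cheap</a></p>');",
    "INSERT INTO wp_options VALUES (9,'widget_text','<?php eval(gzinflate(base64_decode(\\'PLACEHOLDER\\'))); ?>');",
]

if __name__ == "__main__":
    for no, kind, detail in scan_dump(SAMPLE_DUMP, "example.com"):
        print(f"line {no}: {kind}: {detail}")
```

Every finding still needs a manual look before deletion, because legitimate plugins also call these functions and genuine posts link to other sites.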

After getting rid of the spam link injection, you have to ensure that your website is never infected again. Next, we shall list some preventive measures to avoid any future attacks on your site.

How to Prevent Future Attacks on Your Website

To prevent future spam link injections, we recommend that you implement the following preventive measures across your site and WP Core, your installed plugins/themes, and your hosting:

  • WordPress site:
    • Update your WP version to the latest available version.
    • Enforce the use of strong user credentials for all your users – including admin users.
    • Invest in a reliable backup tool like BlogVault.
    • Protect your login page by implementing two-factor authentication and limiting the number of failed logins using the CAPTCHA tool.
    • Limit the number of users with “admin” privileges – and assign lesser user roles (like subscriber or editor) to other users.
    • Use hardening measures like disabling file editors or changing your security keys.
  • WordPress plugins/themes:
    • Update each plugin/theme to the latest available version.
    • Remove any unused or abandoned plugins/themes from your installation.
    • Always download all your plugins/themes from trusted sources – and never use nulled or pirated plugins/themes.
  • WordPress hosting:
    • If your website is currently hosted on a shared host, consider moving it to a more secure managed hosting platform.

Final Thoughts

As discussed, spam link injections are among the common types of attacks hackers launch on a site. Considering the effect they have on your website’s SEO ranking, it’s important that you are equipped with the knowledge and tools to remove and prevent these hacks on your site.

The immediate step in case of a hack is to clean your site. Manual scanning and cleaning methods are quite complicated – and not suited for non-technical WP users. On the other hand, a security plugin is easy to implement and saves you both time and effort.

As a step further, we highly recommend investing in a WordPress security plugin to prevent any future attacks on your site. In fact, most plugins even offer most of the preventive measures listed in this article integrated into their offerings. Or, you could invest in an affordable WordPress support and maintenance service like ThriveWP for businesses of all sizes – that does all this and more for you. 

Have you had an experience with a spam hack? We would love to hear from you.  Share your comments, suggestions or any questions you have – and we will respond to you in good time.

Gavin Pedley

Gavin is the guy behind the award-winning ThriveWP. He has over 18 years of experience creating, developing, hosting and managing WordPress websites.

Gavin regularly shares his expertise via the ThriveWP blog and YouTube channel, where he creates informative and helpful WordPress tutorial videos.

Connect with Gavin on Facebook, LinkedIn or Twitter.
