Hi everyone,
My client’s WordPress site got attacked by one of those Japanese spam SEO hacks. The damage was pretty bad - Google indexed around 135,000 fake pages in just a couple of days.
Here’s what I’ve done so far to fix it:
- Restored the site from a clean local backup
- Completely removed the old WordPress database
- Updated robots.txt to block the spam pages (most URLs begin with /shopdetail/)
- Modified .htaccess to show 404 errors for everything except the main page
- Used Google Search Console to request temporary removal of all URLs containing /shopdetail/
Right now the homepage is the only working page on the site. Do these recovery steps look correct? What other actions should I take to make the cleanup process faster? I want to make sure Google removes all those spam pages as quickly as possible.
Thanks for any advice!
I went through something similar last year and one crucial step you might be missing is checking your wp-config.php file and any recently modified theme files. These attacks often inject malicious code into core WordPress files that can regenerate the spam content even after a restore.
Also consider temporarily enabling maintenance mode while you rebuild instead of showing 404s for everything except the homepage. This gives you breathing room to properly restore your legitimate pages without confusing Google’s crawlers about what content is actually supposed to exist.
From my experience the Google removal requests help but they expire after 90 days. The real solution is getting your authentic content back online quickly so Google can recrawl and understand the site structure again. I’d also recommend monitoring your Search Console crawl errors closely over the next few weeks to catch any lingering issues before they become bigger problems.
Been through this exact nightmare twice with client sites over the past few years. Your approach looks solid but I’d recommend getting those legitimate pages back online sooner rather than later. Google needs to see your real content to understand what belongs and what doesn’t.
One thing that really helped in my experience was checking the server logs to see if there were any unusual file uploads or modifications around the time of the attack. Sometimes these hacks leave behind dormant scripts that can reactivate later. Also worth running a deep scan with a security plugin like Wordfence to catch anything the backup restore might have missed.
The removal requests through Search Console are good but they’re temporary. Focus on getting your authentic content restored and resubmitted quickly so Google can start reindexing the legitimate stuff. The spam will eventually drop out naturally once Google sees the 404s, but having your real pages active speeds up the whole recovery process significantly.
sounds like your doing most things right but dont forget to submit a clean sitemap thru search console once you get your real pages back up. also maybe check if theres any wierd redirects still lurking in your htaccess that could be leftover from the hack