When your website suddenly gets hit with hidden spammy backlinks, it can be disastrous. At best, your Google rankings tank and traffic gets cut in half. At worst, your site gets flagged as “dangerous” and blacklisted entirely.
By the time most site owners notice something’s wrong, they’ve already missed the golden window to fix it — and randomly deleting pages or shutting down your server only makes things worse.
As hands-on SEO practitioners with 8 years of experience, we’ve handled over 60 hidden backlink intrusion cases and developed a standardized “72-hour damage control + fast ranking recovery” process.
From pinpointing the exact location of the hidden links (like catching redirect codes with Screaming Frog), to manually removing them and submitting recovery evidence to Google (real template included), to publishing “trust content” that neutralizes bad backlinks — every step hinges on hitting 3 critical time points (24 hours / 3 days / 7 days).
Important tip: If your site’s top keywords dropped more than 10 positions in the past 7 days, and you’re seeing URLs with “?redirect=casino” in your indexed pages, chances are high you’ve been hacked. Jump straight into section one and start checking.
Has your site really been hit with hidden links?
Hidden backlinks don’t pop up warning messages or crash your site — and that’s exactly what makes them so dangerous.
Most site owners don’t realize anything’s wrong until their Google rankings have dropped by over 50%. By then, the malicious links may have been live for weeks, and Google might have already flagged your site as “malicious.”
From our experience, 70% of hidden links are buried in image folders, old post pages, or JS scripts — nearly impossible to spot with the naked eye.
I’ll show you how to find those “parasite links” in under 10 minutes using low-cost tools — no coding skills needed.
Google Search Console: Check for official warnings
- Go to “Security & Manual Actions” → “Manual Actions” report. If you see a red warning like “Unnatural links” or “Hacked content”, it’s a clear sign you’ve been hit.
- Watch out for traps: Some hackers spoof a “no issues” status. Click “Security Issues” → “View Sample Pages” and manually inspect the flagged URLs for redirect code such as <meta http-equiv="refresh" content="0;url=gamblingsite.com">.
Webmaster tools: Scan for hidden redirect codes
Use Screaming Frog (free version crawls up to 500 URLs) and filter based on:
- Pages with suspiciously high external links (more than 10 links per page = red flag)
- Links using “style=display:none” (like <a href="/en/gamblingsite.com/" style="display:none"> in the code)
- Pages loading third-party JS files (check for <script src="http://weird-domain.js">)
Quick check: Use the Chrome extension Link Redirect Trace to track real-time 301 redirects to gambling domains.
Search engine index: Uncover “shadow pages”
Search on Google using:
site:yourdomain.com intitle:casino/lottery/adult
site:yourdomain.com inurl:.php?ref=
If you see content you never created (like “Online Casino Deals”), it means hackers have injected spammy pages into your site.
Ultimate check: Look through your server logs (path: /var/log/apache2/access.log) and search for “.php?” to find suspicious traffic, such as repeated POST requests from Vietnam or Ukraine IPs.
Key tip: If you find most of the hidden links in folders like /wp-content/uploads/2023/, hackers likely used a media upload vulnerability to sneak in code. Check the image files in there for embedded code like <?php eval(.
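The server-log check above, worked through in Python as an added example (this is not code from the original post): it parses Apache combined-format lines, flags source IPs that repeatedly POST to “.php?” URLs, and reports any PHP file that was executed from the uploads tree. The log lines, IP addresses (documentation ranges) and paths are constructed for the demo, and the `min_posts` threshold is an assumption you should tune to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A PHP file served from the media upload tree should never exist on a healthy site.
UPLOAD_PHP_RE = re.compile(r'/wp-content/uploads/.*\.(php\d?|phtml)$', re.I)

# Constructed sample log (documentation IP ranges, fictitious paths); the last line
# is deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """
203.0.113.7 - - [10/May/2024:10:12:01 +0000] "POST /wp-content/uploads/2023/07/banner.php?p=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:12:03 +0000] "POST /wp-content/uploads/2023/07/banner.php?p=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:12:05 +0000] "POST /wp-content/uploads/2023/07/banner.php?p=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [10/May/2024:10:13:10 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.5 - - [10/May/2024:10:13:12 +0000] "GET /wp-content/uploads/2023/07/banner.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:14:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:10:14:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
not a log line
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(lines, min_posts=3):
    """Return (ips_posting_to_php_queries, php_files_hit_under_uploads).

    min_posts is an assumed threshold: legitimate WordPress traffic also POSTs to
    admin-ajax.php?action=..., so tune it (or exclude known paths) for your site.
    """
    php_query_posts = Counter()          # ip -> number of POSTs to *.php?...
    upload_php_hits = defaultdict(set)   # php path under uploads -> set of ips
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, _query = rec["path"].partition("?")
        if rec["method"] == "POST" and ".php?" in rec["path"]:
            php_query_posts[rec["ip"]] += 1
        if UPLOAD_PHP_RE.search(path):
            upload_php_hits[path].add(rec["ip"])
    flagged = {ip: n for ip, n in php_query_posts.items() if n >= min_posts}
    return flagged, {p: sorted(ips) for p, ips in upload_php_hits.items()}


if __name__ == "__main__":
    flagged, uploads = suspicious_requests(SAMPLE_LINES)
    for ip, n in flagged.items():
        print(f"{ip}: {n} POSTs to .php? URLs")
    for path, ips in uploads.items():
        print(f"PHP executed from uploads: {path} (from {', '.join(ips)})")
```

To run it against a real log, replace `SAMPLE_LINES` with `open("/var/log/apache2/access.log")`; the IPs it returns are the ones to look up by country and to block, and any path in the second result is a file to quarantine immediately.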
3 steps to completely clean out hidden links
Once you find them, the first 72 hours are critical to stop the damage. Many site owners rush to delete pages or reinstall everything — but that just triggers a Google “content volatility” penalty and makes it worse.
Based on 60+ real-world cases, you must follow the principle: “Collect evidence first, clean as you go, submit fixes in parallel.”
1. Full site backup: Prevent accidental loss of key data
Must-backup directories:
- /wp-content/uploads/ (look closely for image files hiding PHP code)
- /wp-includes/js/ (check if files like jquery-migrate.min.js have been tampered with)
Recommended tools:
- Use BT Panel (BaoTa) to create a one-click full backup (including database export)
- Use the Duplicator plugin to generate a full site package (automatically skips cache files)
2. Manually Remove Malicious Code (with High-Risk Patterns)
Globally search for these keywords:
eval(base64_decode('encrypted string'));
$k="hacker password";error_reporting(0);
<iframe src="http://malicious-domain" style="visibility: hidden;">
Files to Check First:
- .htaccess (check if it contains something like RewriteRule ^.*$ http://gambling-site [R=301,L])
- header.php / footer.php (look for suspicious JS calls, like document.write("..."))
Helpful Tools:
Use D-Shield (D_Safe) to scan your server. It automatically flags files using dangerous functions like system() or passthru().
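The manual search described in this step and the Screaming Frog filters from section one look for the same handful of patterns, so here is one added Python scanner (not the post's own tool, and not a replacement for D-Shield) that walks a site directory and reports hidden anchors and iframes, meta-refresh redirects, eval(base64_decode(…)), external RewriteRule targets in .htaccess, third-party script sources, and PHP tags inside image files under uploads. The sample site it builds in a temporary directory, the domains in it, and the “own domain” list are all constructed for the demo; the severity labels are an assumption about how often each pattern appears in legitimate code.

```python
import os
import re
import shutil
import tempfile

# (finding name, regex, severity). "high" = almost certainly injected; "review" = also
# common in legitimate code, so read the hit before acting on it.
PATTERNS = [
    ("hidden-anchor", re.compile(r'<a\b[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none', re.I), "high"),
    ("hidden-iframe", re.compile(r'<iframe\b[^>]*visibility\s*:\s*hidden', re.I), "high"),
    ("meta-refresh-redirect", re.compile(r'<meta\b[^>]*http-equiv\s*=\s*["\']refresh["\'][^>]*url=', re.I), "high"),
    ("eval-base64", re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I), "high"),
    ("htaccess-external-redirect", re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I | re.M), "high"),
    ("document-write", re.compile(r'document\.write\s*\(', re.I), "review"),
    ("dangerous-function", re.compile(r'\b(system|passthru|shell_exec|exec)\s*\(', re.I), "review"),
]
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico"}
PHP_TAG = re.compile(r'<\?php\b|<\?=', re.I)
SCRIPT_SRC = re.compile(r'<script\b[^>]*src\s*=\s*["\'](?:https?:)?//([^/"\']+)', re.I)


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(relpath, text, own_domains=()):
    """Return a list of (finding, severity, relpath, line) for one file's content."""
    findings = []
    for name, rx, sev in PATTERNS:
        for m in rx.finditer(text):
            findings.append((name, sev, relpath, _line_of(text, m.start())))
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1).lower()
        if not any(host == d or host.endswith("." + d) for d in own_domains):
            findings.append(("third-party-script", "review", relpath, _line_of(text, m.start())))
    ext = os.path.splitext(relpath)[1].lower()
    if ext in IMAGE_EXT and PHP_TAG.search(text):
        findings.append(("php-in-image", "high", relpath, 1))
    return findings


def scan_tree(root, own_domains=(), max_bytes=2_000_000):
    """Walk a site directory and scan every file; paths are reported relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(scan_text(rel, data.decode("utf-8", errors="replace"), own_domains))
    return findings


# Constructed sample site (fictitious domains); it does not describe any real incident.
SAMPLE_FILES = {
    "wp-content/themes/demo/footer.php":
        '<footer>\n'
        '<a href="https://spam.example/" style="display:none">casino</a>\n'
        '<script src="//cdn.weird-domain.example/x.js"></script>\n'
        '</footer>\n',
    "wp-content/themes/demo/header.php":
        '<head>\n<script src="https://www.yoursite.example/js/app.js"></script>\n</head>\n',
    "wp-content/uploads/2023/07/banner.jpg":
        "GIF89a\n<?php eval(base64_decode('ZmFrZQ==')); ?>\n",
    ".htaccess":
        "RewriteEngine On\nRewriteRule ^.*$ http://spam.example/ [R=301,L]\n",
}


def demo():
    """Write the sample site to a temp dir, scan it, clean up, and return sorted findings."""
    root = tempfile.mkdtemp(prefix="hidden-link-scan-")
    try:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return sorted(scan_tree(root, own_domains=("yoursite.example",)))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, sev, path, line in demo():
        print(f"[{sev}] {name}: {path}:{line}")
```

Point `scan_tree` at the site root (with your real domain in `own_domains`) and work through the “high” findings first; the “review” hits are the system()/passthru() style calls the text mentions, which WordPress core and some plugins use legitimately, so compare each one against a clean copy before deleting anything.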
3. Block Entry Points: Prevent Reinfection
- Change Your Admin Login URL (for WordPress): Install the plugin WPS Hide Login to change /wp-admin/ to something custom (like /mylogin-2024/).
- Urgently Patch Vulnerabilities:
  - Update all plugins to the latest versions (use WPScan to check for known vulnerable plugins)
  - Delete unused themes and plugins (especially suspiciously named ones like wp-seo-optimize)
- Harden Server Permissions:
# Prevent PHP execution in upload directories
find /your-site-path/wp-content/uploads/ -type f -name "*.php" -exec rm -f {} \;
# Restrict write permissions
chmod 644 .htaccess
Key Tip: Right after cleaning, run a full site scan with the Link Redirect Trace plugin to ensure no redirect code is left. If hidden links are stored in the database (like encrypted code in the wp_posts table’s post_content field), use the Adminer tool to run the following SQL command:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'malicious code snippet', '');
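A blanket UPDATE like the one above rewrites every row and gives you no record of what was removed, so here is an added three-step version (example code, not from the original post) run against an in-memory SQLite stand-in for wp_posts: preview the rows the REPLACE would touch, copy them to a quarantine table as evidence, then apply the REPLACE restricted to matching rows and compare the row count with the preview. The table layout, the injected iframe snippet and the domain in it are constructed; the real wp_posts has many more columns. REPLACE() and INSTR() exist in MySQL as well, so the same three statements can be pasted into Adminer with the snippet substituted.

```python
import sqlite3

# Constructed sample snippet standing in for the 'malicious code snippet' in the
# UPDATE above (fictitious domain).
INJECTED = '<iframe src="http://spam.example/" style="visibility: hidden;"></iframe>'


def make_sample_db():
    """Build an in-memory stand-in for wp_posts with two injected posts (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "About us", "<p>We build things.</p>"),
        (2, "Summer sale", "<p>Deals here.</p>" + INJECTED),
        (3, "Contact", "<p>Call us.</p>" + INJECTED + "<p>Thanks.</p>"),
    ])
    conn.commit()
    return conn


def preview_matches(conn, snippet):
    """Step 1: list the rows the REPLACE would touch before changing anything.

    instr() is used instead of LIKE '%...%' so that a '%' or '_' inside the snippet
    cannot act as a wildcard and match unrelated posts.
    """
    return conn.execute(
        "SELECT ID, post_title FROM wp_posts WHERE instr(post_content, ?) > 0 ORDER BY ID",
        (snippet,),
    ).fetchall()


def quarantine_matches(conn, snippet):
    """Step 2: copy the affected rows to a side table so the original content is kept as evidence."""
    conn.execute("CREATE TABLE IF NOT EXISTS wp_posts_quarantine AS SELECT * FROM wp_posts WHERE 0")
    conn.execute(
        "INSERT INTO wp_posts_quarantine SELECT * FROM wp_posts WHERE instr(post_content, ?) > 0",
        (snippet,),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM wp_posts_quarantine").fetchone()[0]


def remove_snippet(conn, snippet):
    """Step 3: the REPLACE itself, limited by WHERE so only matching rows are rewritten.

    Returns the number of rows changed; it should equal the preview count.
    """
    cur = conn.execute(
        "UPDATE wp_posts SET post_content = REPLACE(post_content, ?, '') "
        "WHERE instr(post_content, ?) > 0",
        (snippet, snippet),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print("would touch:", preview_matches(db, INJECTED))
    print("quarantined:", quarantine_matches(db, INJECTED))
    print("rows cleaned:", remove_snippet(db, INJECTED))
    print("remaining:", preview_matches(db, INJECTED))
```

The quarantine table doubles as the “before” evidence for the reconsideration request in the next section, and a second run of `remove_snippet` returning 0 is a quick confirmation that nothing was missed.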
Submit a Reconsideration Request to Google
Cleaning the hidden links is just step one. Submitting a valid reconsideration request to Google within 48 hours is key to recovering your rankings.
90% of site owners fail because of “insufficient evidence” or “wrong wording,” which can even trigger a second manual review (delaying recovery by 3–6 months).
I provide reusable English message templates and an evidence package that boosts approval chances by 80%.
1. Submit a “Manual Action” reconsideration request in Search Console
Navigation path:
Go to “Security & Manual Actions” → “Manual Actions” → Click “Request Review”.
English message template (replace the example details with your own):
We have removed all spammy backlinks injected by hackers:
1. Deleted malicious codes in .htaccess and footer.php (see screenshot_1.png).
2. Blocked 142 suspicious IPs from Vietnam/Ukraine (access.log attached).
3. Fixed the vulnerability via updating plugins (e.g. Elementor from 3.6 to 3.19).
Request to revoke the manual penalty.
Must-have attachments:
- Before/after code comparison screenshots (use WinMerge to compare files)
- Server logs showing blocked malicious IPs (include time, IP, attack path)
- Screaming Frog full site external link scan report (export as PDF)
2. Handle the “Security Issues” report at the same time
Go to “Security Issues” → Check all hacked pages → Click “Mark as Fixed”.
Speed up indexing tips:
Use the URL Inspection Tool → Enter the hacked URL → Click “Request Indexing” (max 50 URLs per day).
3. Hidden tips to avoid reconsideration failure
- Don’t use apology language like “We apologize” (Google sees it as avoiding responsibility). Stick to factual descriptions instead.
- Attach third-party security reports (like from Sucuri or SiteCheck) to prove your site is clean.
Keep publishing new content:
Post 2 original articles within 24 hours of submitting the review request (Google sees this as an “active maintenance” signal).
Key Tip: If Google hasn’t replied after 7 days, go to “Search Appearance → Crawl Optimization” and resubmit sitemap.xml. In the note field, emphasize: “Malware cleaned up, please recrawl critical pages like /contact-us/ and /blog/”.
If the manual action warning isn’t lifted, resubmit the same evidence after 28 days (this avoids triggering the Spam filter).
Low-Cost Protection Setup Checklist
“High protection cost” is the biggest myth—80% of hacks exploit outdated plugins, weak passwords, default admin paths, and other basic flaws.
We’ve helped clients block over 20,000 attacks a year on a budget of under 500 RMB.
Even with just basic server skills, you can fully secure your site in an hour.
1. The Basic Security Trio (Free)
Real-time File Monitoring:
- Use Baota Panel’s “File Tamper Protection” (free) to lock wp-config.php, .htaccess, etc. Any change triggers SMS alerts.
Brute-force Attack Blocking:
- Install Wordfence (Free Version) → Turn on “Live Traffic Monitoring” to auto-block IPs that fail login more than 5 times in 15 minutes.
Automatic Cloud Backups:
- Use UpdraftPlus to schedule daily backups to Google Drive (keep 7 versions). If hacked, you can roll back to a clean version instantly.
2. Critical Server Settings You Must Change
Disable Dangerous PHP Functions:
Edit the php.ini file and add the following to disable_functions:
system,exec,passthru,shell_exec,proc_open,curl_multi_exec
Restrict Upload Directory Permissions:
# Prevent PHP execution in /uploads/
find /your-site-path/wp-content/uploads/ -type f -name "*.php" -delete
chmod -R 755 /your-site-path/wp-content/uploads/
Hide Server Info:
Add this at the top of your .htaccess file:
ServerSignature Off
Header unset X-Powered-By
3. Firewall Rules (Monthly Cost ≤ $20)
Cloudflare Free Plan Setup:
- Rule 1: Challenge all access containing /wp-admin/ or xmlrpc.php (except from whitelisted IPs)
- Rule 2: Block requests with User-Agent containing sqlmap or nmap
Block High-Risk Country IP Ranges:
In the BT Panel “Firewall”, add the following block rules:
Vietnam: 14.224.0.0/11
Russia: 46.161.0.0/18
Ukraine: 37.52.0.0/14
Pro Tip: Run a vulnerability scan with WPScan every quarter (command: wpscan --url your-domain --api-token your-token). Prioritize fixing plugins with medium-high or higher risk levels. If you’re using Nginx, make sure to add this to your config:
location ~* ^/(uploads|wp-content)/.*\.(php|php5|phtml)$ {
deny all;
}
(This completely stops PHP code execution from malicious image files)
Never rely on “one-click security plugins” — we analyzed 13 popular ones, and 9 had major issues like over-permission or accidental file deletion. Manual setup (like .htaccess rules and server permissions) is the only way to stay in control.