How We Cleaned a Hacked WordPress Site from 3.45M ‘Matbet’ SEO Spam (And How You Can Prevent It)
Have you suddenly noticed your website’s traffic explode for no reason? Are you seeing strange keywords like “matbet” in your Google Search Console?
If so, your WordPress site might be a victim of a massive SEO spam attack.
One of our clients recently faced this exact problem. Their site’s impressions skyrocketed from 100 to over 3.45 million in a few days. Here’s a breakdown of the hack and the steps we took to fix it.
The Warning Signs: How the Hack Was Found
The client knew something was wrong when they saw these two red flags.
- Massive Traffic Spike: Google Search Console reported a jump to 3.45 million impressions and 81.5K clicks, all from keywords they don’t target. The graph looked unbelievable.

- Spammy Keywords: The top search query for their site was “matbet,” a common gambling term, along with thousands of variations. Google was flooded with them.

This is a classic “cloaking” attack. The hackers use your website’s good reputation to rank for their spammy keywords, while hiding the spam from you and your normal visitors.
Our Investigation: What the Hackers Did
When we dug into the website’s files, we found a multi-level infection.
- Fake Plugins = Backdoors: The hackers installed several fake plugins. They looked harmless, but they were actually backdoors that gave the attackers full access to the site at any time.
- Infected Core Files: Key files, like index.php, were modified. The malicious code would show the real site to you, but show spam pages to Google’s search bots.
- Hidden Admin Accounts: To make sure they kept control, the attackers created their own hidden administrator accounts.
How We Fixed the ‘Matbet’ Infection (Step-by-Step)
Cleaning this kind of infection requires a careful, step-by-step process. Here is what we did:
- Removed All Backdoors: We immediately identified and deleted the fake plugins to cut off the hackers’ easiest way in.
- Replaced All WordPress Core Files: You can’t just edit infected files. We downloaded a fresh, clean copy of WordPress from WordPress.org and used it to replace the site’s entire wp-admin and wp-includes folders. This completely removed all infections from the core files.
- Ran a Deep Malware Scan: We used Wordfence to run a high-sensitivity scan, which found more infected files in the wp-content folder (inside theme and upload folders). We removed all of these.
- Secured All User Accounts: We audited the user list, deleted the hidden admin accounts, and forced a password reset for all legitimate users.
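Before the core folders are overwritten, it is useful to record which files were actually altered or planted. The Python script below is an added example, not part of the original cleanup or of WordPress itself: it hashes a site's root-level PHP files plus wp-admin and wp-includes and compares them with a clean copy downloaded from WordPress.org. The function names and the tiny sample trees built in demo() are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the folders the post replaced wholesale
SITE_ONLY = {"wp-config.php"}            # site-specific, never in the release archive

def core_hashes(root):
    """Map relative path -> SHA-256 for root-level *.php and everything under CORE_DIRS."""
    root = Path(root)
    files = list(root.glob("*.php"))
    for d in CORE_DIRS:
        if (root / d).is_dir():
            files += [p for p in (root / d).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def compare_to_clean(site_root, clean_root):
    """Report core files that differ from, or do not exist in, the clean copy."""
    site, clean = core_hashes(site_root), core_hashes(clean_root)
    for name in SITE_ONLY:
        site.pop(name, None)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "unexpected": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

def demo():
    """Build two tiny constructed trees (not real WordPress files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-admin").mkdir()
            (root / "index.php").write_text("<?php // constructed clean loader\n")
            (root / "wp-includes" / "version.php").write_text("<?php // constructed\n")
        # Constructed tampering: an edited index.php and an extra file in wp-includes.
        (site / "index.php").write_text("<?php // constructed: altered loader\n")
        (site / "wp-includes" / "cache-helper.php").write_text("<?php // constructed extra\n")
        (site / "wp-config.php").write_text("<?php // constructed site config\n")
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The clean copy must be the same WordPress version as the site; a version mismatch shows up as a long list of modified files rather than as evidence of tampering.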
After the Hack: Securing the Site for Good
The site is now 100% clean. But the job isn’t done. Here are the final steps for recovery:
- Telling Google It’s Clean: We are using Google Search Console to submit an updated sitemap. We also use the “Inspect URL” tool for the main affected pages and manually request re-indexing. This tells Google to re-crawl the site and clear the “matbet” pages from the search results faster.
- Website Hardening: We’ve added extra security layers, like two-factor authentication (2FA) and limiting login attempts, to prevent this from happening again.
How You Can Prevent This
While no site is 100% unhackable, you can make it much harder for attackers.
- Keep Your Site Up-to-Date: This is the most important rule. Always update your WordPress core, plugins, and themes as soon as new versions are available.
- Use Strong, Unique Passwords: Avoid “admin” as a username and use a password manager to create complex passwords for all your admin accounts.
- Regularly Scan Your Site: Use a good security plugin (like Wordfence) to run regular malware scans and monitor file changes.
Is Your Site Behaving Strangely?
If you’re seeing sudden traffic spikes or strange keywords in your analytics, don’t wait. A spam hack like this can destroy your website’s reputation and get you blacklisted by Google.
If you suspect your site is hacked, contact us today. We specialize in finding and removing WordPress malware fast.
