-
My site got hacked, 2300 spam pages were injected and Google indexed them! what can I do now?
Posted by on February 3, 2026 at 12:40 pmSo I know it sounds bad, and it is. I have a small business specialized in event parties. I basically worked on my SEO and local SEO for the last two years with great results. I’m still not making a living from it, but enough for a part-time income.
The thing is, one day in December I logged into Search Console and discovered more than 2300 indexed pages, all redirecting to a super spammy dropshipping website selling clothes.
This is how I discovered a backdoor on my website. Long story short, I think I fell for a phishing scam… Totally my fault, I know.
I redirected all the spammy pages to 401 (I read somewhere that Google reindexes 401 more frequently than 404), resubmitted all my official pages to Search Console for indexation, and cleaned the project. No suspicious files or modifications have been detected since this fix.
The problem is, as you can expect, my impressions and clicks dropped almost to zero. I lost all my hard work, and I’m feeling really stupid right now.
Still, I’m convinced that my business offers activities that will remain trendy in the future, so even if it takes months or years to rebuild, I want to do it. The games I sell are already functional and unique in my area, new products are coming soon, and I have a pretty niche business.
The thing is, Google is deindexing the pages very slowly. From the 2300 pages, it deindexed maybe 500 the first month and 300 the second. Now I still have around 1700 spammy pages indexed and I don’t know what to do. I tried the content removal tool, but I can only submit about 10 pages per day.
My question is: what can I do now? Just wait for Google to finally deindex the spammy pages and continue producing new, high-quality content for the website?
Is buying a new domain name, redirecting the pages from the old one, and starting fresh a better option?
If so, can I simply create a new website with WordPress and save everything, or should I add the pages and blog posts one by one to the new website?If you have any experience or better ideas, I’m in.
To add context: the name of my business is not really important. My clients don’t find me using my brand name, but because I solve a problem they’re looking for.
Any help would be very appreciated. And yes, I know I made a huge mistake, don’t be too harsh, please.
-
1 Reply
-
Its called Japanese keyword hack my sites were hacked too and honestly there aint too many people showing how to do it. i manually deleted these files yesterday but today they just regenerated themselves again
-
It happens. Just clean everything. You can’t do anything else. I’m dealing with this exact scenario at least few times per year on different clients and they are recovering always. Timeframe is different but…
-
[removed]
-
first things first, secure your site right now. change all passwords, enable two-factor auth everywhere, and run a full malware scan with something like Sucuri or Wordfence. once that’s done, delete every single one of those 2300 spam pages manually or with a script if you’re technical. then head to google search console, verify your site if you haven’t, and use the removal tool to request deindexing of those urls. it might take a few days but it’ll speed things up. also, add noindex tags to any pages you can’t delete immediately. after cleanup, submit a revised sitemap without the junk and request a recrawl. monitor your backlinks too, disavow any spammy ones pointing to those pages. if it’s a wordpress site, update everything and consider a security plugin like iThemes Security. this should get google to forget the spam fast, but stay vigilant bc hackers love easy targets.
-
First secure your website and load the backup if you have any from before the pages were injected
-
As per my understanding your official website pages was also deleted by hacker? And you should mention your site domain age and DA-PA? Also does it have lots of high-quality backlinks?
Still based on details I am trying to tell what can be done in such panic situation.
First of all, though you stated that you cleaned the bad files. Still my suggestion will be reinstall WordPress.
Whatever you read about 401 is right, but why Google frequently retry these pages is different. 404 means Unauthorized, Googlebot retries these URLs thinking pages have permission configuration error.
So you should first list all spammy pages still indexed, then instead of 401, change status header to 410. Create temp sitemap like spam_sitemap.xml and submit it to GSC.
And about starting from fresh, I don’t agree to go with new domain. Even if you 301 redirect it still lose some authority, and currently authority matters.
After deindexing spammy pages, in few months you will get on track again. It will take few months because of spamming Google may sandbox the site for some time.
-
Happened with me as well. Just that it wasn’t hacked, it was a lot of user-generated spam content still happening. What I did was add multiple checks in terms of how people can add those content pages. And second most importantly, I cleaned up all those pages and returned 410 so that whenever Google crawls there next time, it gets to know that that page is gone.
-
Clean the site to remove the bad URLs. The bad URLs on the site should deliver a 404 or 410 error.
Use the Google removal tool to remove them from the index. They should be removed within about 24 hours, sometimes quicker than that.
-
[removed]
-
[removed]
-
Remove the pages and submit a request to be reindexed within Google Search Console.
You need to be sure you’ve found the backdoor – it sounds like a pretty common black hat link farming hack. Probably a piece of malware that brute forces usernames/passwords, then spins up blogs or pages pointing to casinos, porn, etc.
Change all user passwords immediately, remove any unneeded users, set up security plugins, and engage a security firm in auditing and cleaning your site.
-
[removed]
-
WordPress website?
-
after you have the site security – set the bad URLs to `410 Gone` and reindex.
Log in to reply.