Website hacks are not always obvious. Sometimes the homepage looks normal, the WordPress dashboard still works, and the site owner has no idea anything is wrong. But behind the scenes, malicious files can inject spam pages, manipulate SEO signals, and quietly damage rankings.

In this case, I cleaned a hacked WordPress website hosted on Hostinger that had been infected with cloaking malware. The infection included a suspicious PHP file placed in the root directory, along with hidden fake plugins used to maintain persistence inside the WordPress installation. The visible website looked mostly normal, but the hacked files were clearly designed to push spam content and abuse the website’s SEO authority.
I’ve fixed over 4,500 hacked WordPress websites, and this type of infection is a good example of how modern WordPress malware often hides behind SEO spam rather than obvious defacement.
Quick Summary of the Incident
- The infected website was hosted on Hostinger
- A malicious file named cloak.php was found in the root directory inside public_html
- The file contained Turkish gambling-related spam content
- The code included suspicious canonical and hreflang tags
- Hidden fake plugins were discovered later during the cleanup
- The infection was removed manually and the website was hardened afterward
This was a classic WordPress cloaking malware and SEO spam case. The attackers were trying to use a legitimate website’s authority to publish or serve unrelated spam content.
How I Found the Malware
The first red flag appeared during a manual review of the file structure in the Hostinger file manager. Inside the root directory of the site, specifically under public_html, I found a suspicious file named cloak.php.
That file name alone was enough to justify a deeper inspection. Once I opened it, it was clear that it was not part of a normal WordPress installation, theme, or plugin.
The file contained a full HTML page built around Turkish gambling spam. It included:
- A spam-heavy page title
- Keyword-stuffed meta tags
- A suspicious canonical tag
- Multiple hreflang references pointing to unrelated external domains
- Promotional sections, FAQs, and calls to action
This was not random code injection. It was a deliberately crafted spam landing page designed for SEO abuse.
Why This Infection Was Dangerous
Many website owners assume malware only matters when the site crashes, redirects visitors, or shows visible warnings. In reality, a hacked WordPress site can stay online and look fine while silently losing trust in search engines.
In this case, the cloaking malware could have been used to:
- Create indexable spam pages on the hacked domain
- Hijack search visibility for unrelated gambling keywords
- Manipulate canonical and hreflang signals
- Damage the website’s trust and rankings over time
- Maintain access through hidden fake plugins
This kind of hacked WordPress SEO spam infection is especially dangerous because the site owner may not notice it until rankings drop or spam pages begin appearing in Google.
What the Malware Was Doing
After reviewing the malicious file, the pattern was clear. The attackers had placed a root-level PHP file that served a polished spam page built around gambling-related keywords. Instead of using obvious gibberish or a simple redirect, they used structured content that looked like a real landing page.
The purpose of that approach is usually one or more of the following:
- To get spam pages indexed by search engines
- To exploit the authority of an existing website
- To hide the infection from non-technical users
- To support cloaking or selective spam delivery
That is why this case fits the pattern of WordPress cloaking malware removal rather than a basic file cleanup.
The Hidden Fake Plugins Problem
Finding the malicious cloak.php file was only the first step. During deeper inspection, I also found hidden fake plugins inside the WordPress site.
This is a critical detail because fake plugins are often used as persistence mechanisms. In other words, even if the obvious malware file is removed, the infection can come back if the hidden plugin is still active.
Hidden fake plugins may be used to:
- Recreate deleted malware files
- Reinject spam into the website later
- Maintain unauthorized access
- Hide malicious functions inside plugin-like folders
This is one of the biggest reasons many hacked WordPress sites get reinfected after a partial cleanup.
My WordPress Malware Removal Process
For this website, I followed a manual malware removal process instead of relying only on automated tools.
- Reviewed the file structure: I checked the root directory, WordPress core folders, plugin directories, and recently modified files.
- Analyzed the suspicious root file: I inspected cloak.php and confirmed that it was malicious and unrelated to the real website.
- Removed the malicious spam file: After confirming it was not legitimate, I removed the root-level malware safely.
- Searched for persistence mechanisms: I continued the audit and found hidden fake plugins designed to keep the infection alive.
- Removed fake plugins and malicious artifacts: I deleted the hidden plugin-based persistence and checked for related suspicious files.
- Inspected the wider WordPress environment: A proper cleanup includes checking themes, uploads, plugin folders, unusual PHP files, and other suspicious modifications.
- Hardened the website after cleanup: Once the malware was removed, I secured the website to reduce the risk of reinfection.
Key Lessons From This Case
This case highlights several important points for WordPress website owners.
1. A normal-looking homepage does not mean the site is clean
Many infected websites appear normal on the front end while spam files work quietly in the background.
2. Malware can sit in plain sight in the root directory
Not all WordPress malware hides inside plugins or themes. Sometimes it is placed directly inside public_html.
3. Fake plugins are a major warning sign
If attackers use hidden plugins for persistence, deleting one visible malware file is not enough.
4. SEO spam can hurt rankings before the owner notices
Hackers do not always want to break the site. Often, they want to abuse the domain’s authority for search manipulation.
5. Manual review is still essential
Automated scanners can help, but advanced infections often require human investigation and cleanup.
Signs Your WordPress Site May Have Similar Malware
- Strange PHP files in the root directory
- Spam pages showing in Google that are unrelated to your business
- Sudden impressions for casino, gambling, pharma, or adult terms
- Unfamiliar or hidden plugins in wp-content
- Suspicious canonical or hreflang tags
- Search results showing content that does not appear on the live site
- Reinfection after deleting one malware file
If you notice any of these signs, your site may need a full hacked WordPress malware cleanup rather than a quick file deletion.
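A read-only audit covering the root-directory and plugin checks from the cleanup process and the signs listed above, added here as an example rather than the tooling used in this case. The site host example.com, the owner-supplied list of expected plugin folders, and the file names and hosts in the demo tree are constructed assumptions.

```python
import re, tempfile
from pathlib import Path
from urllib.parse import urlparse

# PHP files that ship in the root of a stock WordPress install.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
SEO_REL = re.compile(r"""rel\s*=\s*["']?canonical|hreflang\s*=""", re.I)

def foreign_seo_hosts(text, site_host):
    """Hosts named by canonical/hreflang <link> tags that are not the site's own."""
    hosts = set()
    for tag in LINK_TAG.findall(text):
        href = HREF.search(tag)
        if href and SEO_REL.search(tag):
            host = (urlparse(href.group(1)).hostname or "").lower()
            if host and host != site_host and not host.endswith("." + site_host):
                hosts.add(host)
    return sorted(hosts)

def audit_root(docroot, site_host):
    """Map each non-core PHP file in the web root to the foreign hosts it names."""
    extra = [f for f in sorted(Path(docroot).glob("*.php")) if f.name not in CORE_ROOT_PHP]
    return {f.name: foreign_seo_hosts(f.read_text(errors="replace"), site_host.lower())
            for f in extra}

def audit_plugins(docroot, expected):
    """Entries in wp-content/plugins (dot-folders included) missing from `expected`."""
    plugin_dir = Path(docroot) / "wp-content" / "plugins"
    known = set(expected) | {"index.php"}  # index.php: stock placeholder file
    entries = plugin_dir.iterdir() if plugin_dir.is_dir() else []
    return sorted(p.name for p in entries if p.name not in known)

def demo():  # constructed sample tree, not data from the real site
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-content/plugins/.cache-helper").mkdir(parents=True)
        (root / "wp-content/plugins/akismet").mkdir()
        (root / "index.php").write_text("<?php // core loader")
        (root / "cloak.php").write_text(
            '<link rel="canonical" href="https://spam.example.net/">'
            '<link rel="alternate" hreflang="tr" href="https://tr.spam.example.net/">')
        return audit_root(root, "example.com"), audit_plugins(root, ["akismet"])
```

Anything either function returns is a candidate for manual inspection, not a verdict: a legitimate site can have its own extra root-level PHP files or plugins missing from the expected list.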
Results After the Cleanup
After removing the malicious file and hidden fake plugins, the website was in a much better position for security and SEO recovery. The goal was not just to delete malware, but to restore trust in the WordPress environment and prevent the infection from returning.
The cleanup focused on:
- Removing active malicious files
- Eliminating hidden persistence points
- Restoring a cleaner WordPress environment
- Reducing the risk of reinfection
- Preparing the site for SEO monitoring and recovery
Final Thoughts
This case is a strong reminder that WordPress malware is not always loud or obvious. Sometimes the infection is built to stay quiet, look polished, and exploit SEO instead of visibly defacing the website.
In this case, the root-level cloak.php file and the hidden fake plugins showed a deliberate attempt to push spam content from a legitimate WordPress domain. The website owner may not have noticed the problem immediately, but the risk to search visibility, brand trust, and long-term security was very real.
If your WordPress site is showing strange pages in Google, unfamiliar PHP files in public_html, or unknown plugins inside the installation, do not assume it is a minor issue. Infections like this usually go deeper than the first file you find.
Need Help Cleaning a Hacked WordPress Site?
I specialize in WordPress malware removal, SEO spam cleanup, hidden backdoor detection, fake plugin removal, and post-hack hardening. If your website has been hacked, cleaning it properly means finding the source, removing the persistence, and securing the site so it does not get infected again.
Frequently Asked Questions
What is WordPress cloaking malware?
WordPress cloaking malware is malicious code that serves deceptive or spam content, often to search engines or specific visitors, while hiding the problem from the site owner.
Why would hackers add a PHP file in public_html?
Attackers often place malicious PHP files in public_html because those files can be accessed and executed directly from the web.
Can fake plugins reinfect a WordPress site?
Yes. Hidden or fake plugins are commonly used as persistence mechanisms so attackers can restore deleted malware or keep unauthorized access.
Why is my WordPress site showing gambling pages in Google?
That is often a sign of WordPress SEO spam malware. Attackers inject spam pages or manipulate indexing signals so your domain ranks for unrelated search terms.
Is deleting one malware file enough?
Usually not. If the site also contains hidden plugins, backdoors, database injections, or rogue admin access, the infection can return.

