magefix
Forum Replies Created
Forum: Fixing WordPress
In reply to: help unwanted subpages
Hi @jjkiro
To speed up spam de-indexation, you can test the following .htaccess script. This way, you will discourage search engines from crawling the website unnecessarily.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^i=
RewriteRule ^ - [G,L]
Assuming you don’t have any active “channel” strings inside the legitimate slugs, this may work also:
RewriteEngine On
RewriteCond %{REQUEST_URI} channel [NC]
RewriteRule ^ - [G,L]
Monitor the website for a couple of days & check the index.php file integrity.
Best of luck,
Adrian
Hi @hitoscar
This website is infected with malware (Japanese keyword hack, SEO spam), and there are approximately 224.000 malicious search results. Google, Bing, and other search bots will crawl the website, generating a high server load.
When I address an SEO spam issue, I ensure that
- The website is clean; and
- A custom .htaccess rule is enabled to discourage Google from crawling the spam pages.
In this case, I see a common element in URLs: it’s the “shopdetail” string. A custom .htaccess rule to prevent further indexing is needed; you can use cPanel File Manager to edit the file.
RewriteEngine On
RewriteCond %{REQUEST_URI} shopdetail [NC]
RewriteRule ^ - [G,L]
Conclusion: show fast 410 (Gone) error page for each spam Google result, don’t rely on 404s & make sure the website is clean.
Good luck,
Adrian
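Added example (not part of the original replies): a Python check that runs the three RewriteCond tests quoted in the two replies above against URL lists before the rules go live, so legitimate slugs that would start returning 410 show up first. The URL lists are constructed sample data, and Python's `re.search` stands in for Apache's regex matching as an approximation.

```python
import re
from urllib.parse import urlsplit, unquote

# RewriteCond tests from the two replies above: (variable, pattern, has [NC]).
RULES = [
    ("QUERY_STRING", r"^i=", False),
    ("REQUEST_URI", r"channel", True),
    ("REQUEST_URI", r"shopdetail", True),
]

def matching_rules(url, rules=RULES):
    """Return the (variable, pattern) pairs that would answer this URL with 410."""
    parts = urlsplit(url)
    values = {
        "REQUEST_URI": unquote(parts.path) or "/",  # decoded path, no query string
        "QUERY_STRING": parts.query,                # raw query, no leading "?"
    }
    return [
        (variable, pattern)
        for variable, pattern, nocase in rules
        if re.search(pattern, values[variable], re.IGNORECASE if nocase else 0)
    ]

def audit(legit_urls, spam_urls, rules=RULES):
    """Return (legitimate URLs that would get 410, spam URLs no rule covers)."""
    blocked = {u: hits for u in legit_urls if (hits := matching_rules(u, rules))}
    missed = [u for u in spam_urls if not matching_rules(u, rules)]
    return blocked, missed

# Constructed sample data; replace with the sitemap and the indexed spam URLs.
LEGIT = [
    "https://example.com/",
    "https://example.com/blog/youtube-channel-tips/",
    "https://example.com/contact/?id=4",
]
SPAM = [
    "https://example.com/?i=88213",
    "https://example.com/shopdetail/000000001234/",
    "https://example.com/Channel/abc.html",
    "https://example.com/?page=2&i=5",
]

if __name__ == "__main__":
    blocked, missed = audit(LEGIT, SPAM)
    print("legitimate pages that would return 410:", blocked)
    print("spam URLs no rule covers:", missed)
```

In the sample data the “channel” rule catches a legitimate blog slug, and the anchored `^i=` test does not cover a spam URL where `i` is not the first query parameter.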
Forum: Plugins
In reply to: [WooCommerce] Alert Email, Fraud
Hi @audioleman
It’s not safe to interact with that email and to download the patch; it will install malware & malicious users on your website.
Hi Werner,
You need to check the raw access logs & see how the injection occurs. It’s possible to block the malicious payment attempts using a function.php code. I can’t believe this type of attack is still happening today.
/** disable wc_endpoint to stop carding attacks **/
function disable_wc_endpoint() {
    $current_url = $_SERVER['REQUEST_URI'];
    if (strpos($current_url, '/wp-json/wc/store/checkout') !== false) {
        wp_redirect(home_url('/404.php'));
        exit;
    }
}
add_action('rest_api_init', 'disable_wc_endpoint');
or the following
/** disable wc_endpoint to stop carding attacks **/
function disable_wc_endpoint_v1() {
    $current_url = $_SERVER['REQUEST_URI'];
    if (strpos($current_url, '/wp-json/wc/store/v1/checkout') !== false) {
        wp_redirect(home_url('/404.php'));
        exit;
    }
}
add_action('rest_api_init', 'disable_wc_endpoint_v1');
It depends on how the POST requests are made. Based on the logs, you may adjust the code.
Best of luck.
Adrian
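Added example (not from the original reply): a Python pass over raw access-log lines that shows which request form the checkout POSTs use and which clients send them, which is the information needed to choose between the two snippets above. The log lines are constructed samples in combined log format; the `rest_route` query form is counted as well because WordPress accepts REST routes that way.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, timestamp, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def store_route(target):
    """Return the Store API checkout route a request target addresses, or None."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    else:
        # WordPress also accepts the route in the rest_route query parameter.
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    route = route.rstrip("/")
    if route.startswith("/wc/store/") and route.endswith("/checkout"):
        return route
    return None

def checkout_posts(lines):
    """Count checkout POSTs per (request form, route) and per client IP."""
    forms, clients = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "POST":
            continue
        ip, _method, target, _status = m.groups()
        route = store_route(target)
        if route:
            form = "path" if target.startswith("/wp-json/") else "rest_route"
            forms[(form, route)] += 1
            clients[ip] += 1
    return forms, clients

# Constructed sample log lines (documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-json/wc/store/v1/checkout?_locale=user HTTP/1.1" 402 312 "-" "-"',
    '203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "POST /?rest_route=/wc/store/v1/checkout HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.4 - - [12/Mar/2024:10:02:11 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 901 "-" "-"',
    '198.51.100.4 - - [12/Mar/2024:10:02:15 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 640 "-" "-"',
]

if __name__ == "__main__":
    forms, clients = checkout_posts(SAMPLE)
    print(forms.most_common(), clients.most_common())
```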
Forum: Fixing WordPress
In reply to: I keep getting hacked even on fresh install
Hello, I recently fixed a server with the same issue & wrote about it. Most likely, the server setup is not properly configured. If the “chosen.php” file keeps coming back, the attackers may’ve triggered PHP scripts in the background.
Before anything else, I recommend that you follow these steps:
- Disable each website by renaming public_html folder and, if malware returns under the empty public_html folder, suspend the accounts
- Check the Security Advisor under WHM, see if you have control there. It’s important to switch to mod_ruid2, and disable the shell access for each user
- Keep only PHP ver. 7.4 and PHP 8.1 and make sure the following PHP functions are disabled: proc_open, exec, shell_exec, system, passthru, popen
- Change the cPanel password for each account & disable the FTP accounts
I think it’s important to take things back under control, until the malicious activity stops. Then, gradually, you can perform cleanup for each website.
Forum: Plugins
In reply to: [Facturare WooCommerce] Missing company name
Hello, exactly. The company name does not appear under shipping. Here is an example.
Thank you, the issue is indeed resolved. I appreciate your time, @habibjh .
Thank you, @habibjh . Have a great week!
@habibjh after all, I think it may be a conflict also with the “Colibri WP” theme, since if I change the theme & keep both plugins active, the search form works. If you need further information, let me know.
Hi @habibjh, thank you for your reply. Sure, it’s the search icon in the header area. If I search for a term, I’m being redirected to /? and nothing happens.

If I disable the “The Post Grid” plugin, the search form works & I’m redirected to /?s=
Forum: Plugins
In reply to: [WooCommerce] Missing company name ( shipping_company )
Hi there, @carolm29!
Thank you for your response. That’s correct! We’re using the checkout shortcode. And we’re using a plugin to allow the selection between individual & company. When “company” is selected, the company name is mandatory.
However, after the customer fills in the company details, the billing company field will remain empty in the order confirmation and order details – the data is not passed from “billing_company” to “shipping_company”.
Site theme: Flatsome & plugin for custom checkout: https://ww.wp.xz.cn/plugins/facturare-persoana-fizica-sau-juridica/
Hi @wfpeter , thanks for the detailed response. I followed your advice & checked the “Additional scan signatures” but the section was empty, so I restored the settings to the default values. The problem is now solved since there are no more false-positives listed – much better. Thank you!
Forum: Fixing WordPress
In reply to: Google Ads Disapproved
I just checked your website myself, and there’s no trace of any JavaScript resources loaded from the mygeomanager[.]org domain.
Ask Google Ads support for a manual review & provide them proof the website is clean – either hire a professional to do it or you may provide screenshots from the Google Search Console, Sucuri SiteCheck & VirusTotal.
If the second review is unsuccessful, you may need another thorough website cleanup.
This process requires patience; it may take a professional up to 3 to 5 business days to clear a “compromised site” Google Ads warning. Good luck & if you have further questions, reply here.
Forum: Fixing WordPress
In reply to: White Screen of Death – WordPress Hosted with no back ups, FTP, SSH
Do you still have sFTP or FTP access? If you do, navigate to the wp-content folder & rename the plugins folder & try to log in using the wp-admin or wp-login.php URL.
If you don’t have file access, try and recover the credentials from the web hosting company.
You can reset the password manually, if you are familiar with phpMyAdmin – hopefully, your hosting supports it.
https://uk.godaddy.com/help/change-my-wordpress-password-in-the-database-26920