Something strange started happening on my website. I began seeing countless unknown links, like fuadalazad.com/98765432.html appearing in Google Search Console. They had nothing to do with my site. Even worse, they were getting clicks and impressions.
These were fake 404 pages that appeared out of nowhere and were silently flooding my site. At first, I had no idea what was going on. But after digging deeper, I realized my site was under a hidden SEO spam injection attack.
These fake pages weren’t visible on my backend dashboard, but Google was crawling and indexing them. And the result? My actual content was being pushed down, and my SEO rankings began to decline. I was losing control of my website.
I believe that most of you reading this post, especially newcomers, have faced or are currently struggling with this issue. After a series of various approaches, I have been able to resolve the problem and remove over seventeen thousand 404 pages from my site.
I will share with you my entire journey on how to remove 404 spammy URLs and recover the website. Keep reading it to the end!
How I Spotted My Site Was Infected with SEO Spam and Fake 404 Pages
I didn’t know my site was under attack until I started noticing some strange things happening. Everything looked fine from the outside, but deep inside, spam was slowly taking over. It all started when I found unusual links and unknown pages related to my website. Here’s how I figured it out.
Method 01: Searching with site:fuadalazad.com
I opened Google and searched site:fuadalazad.com to check which pages of my site were indexed. To my surprise, I saw many strange-looking URLs that I had never created. Some looked like this:
fuadalazad.com/83937475.htmlfuadalazad.com/product/edit/XYZ12345
Many of them were written in foreign languages or had product names I never listed. But when I clicked them, they showed 404 error pages. This made it clear that someone had created fake URLs that were getting indexed on Google using my domain. It was the first strong sign that something was seriously wrong.
Method 02: Checking Google Search Console
After that, I opened my Google Search Console to see how my site was performing. I went to the “Performance” section and noticed lots of weird queries getting impressions. These were not related to any content I had published.
Along with those queries, I also saw unknown page URLs showing up, none of which I recognized. This confirmed that spam links were not only being created but also getting visibility on search results.
The search engine thought they were part of my site, even though they were fake and harmful. Learn why Google may not show your website on search engine result pages.
How I Started Fixing the SEO Spam Injection and Removing Fake 404 Pages on My Site
After figuring out that my website was under an SEO spam attack, I knew I had to act quickly. In this section, I will outline the specific steps I took to clean up my WordPress site from the SEO spam injection, remove 404 pages, and prevent the issue from spreading further.
Step 01: Identify the Patterns in the Fake URLs
I first made a list of all the fake and spammy URL patterns that kept showing up. Many of them followed a similar structure. For example:
/*.html/zhHant/product/surugaya/*/search?*/wp-content/*/product/*/feed/*/blog/page*/2024/*,/2025/*, etc.
These fake URLs gave me a clue about how the attackers injected content. Most of them didn’t exist on my site and were showing 404 errors.
Step 2: Blocked Spam URL Patterns in robots.txt
Once I identified a pattern in the fake URLs, like /product-category/, /shop/page/, or strange strings like /es/producto/—I decided to block search engine crawlers from accessing them.
To do this, I edited my site’s robots.txt file and added the following lines:
User-agent: *
Disallow: /product-category/
Disallow: /shop/page/
Disallow: /es/
Disallow: /fr/
This told Google and other search bots not to crawl any URLs that start with those paths. It’s a quick way to stop further indexation of spam URLs. While this doesn’t remove them from search results instantly, it helps Google understand that you don’t want these pages crawled anymore.
Note: The URLs were still returning 404, but blocking them in robots.txt made sure they were not crawled again during the cleanup.
Step 03: Checked for Backdoors or Infected Files
I scanned my WordPress site with security plugins and file integrity checkers to make sure no core files or themes/plugins were injected with malicious code. I also looked through the functions.php file, header.php, and footer.php to see if there were any unknown scripts.
What I did:
- Used Wordfence to scan my entire site to check if there is any malware
- Manually checked important files in
/wp-content/themes/and/wp-content/plugins/.
I found lots of infected files. Below, I have attached a YouTube video that you can follow to scan malware on your website using the Wordfence plugin.
Get the Wordfence plugin by clicking the buttons attached below.
Step 4: Updated All Plugins, Themes & WordPress Core
Attackers often use outdated plugins or themes to inject spam. So, I updated everything immediately:
- WordPress core
- All plugins
- The active theme and other unused themes
Also, I deleted all inactive and unnecessary plugins/themes.
Step 5: Hardened Security Using “All In One WP Security” Plugin
Unless you have a security plugin installed on your site, you are always leaving a door open so hackers can get into it and inject malicious code on your site. So, to harden the security of my site, I have installed the All In One WP Security (AIOS) plugin.
Since I already had the premium version of the All In One WP Security (AIOS) plugin, I used its firewall and bot protection features.
Here’re what I did:
- Firewall Rules: I turned on the Basic, Intermediate, and Advanced rules.
- Blocked Fake Googlebots: Enabled the option to block bots pretending to be Googlebot.
- Blocked Blank User Agents & Referrers: Stopped bots that don’t have a valid user agent or referrer header.
- Set up Internet Bot Control to filter out suspicious traffic.
- Enabled IP or User Agent Blacklisting for known suspicious patterns (optional but useful).
Note: All in One WP Security is a comprehensive plugin that can save your site from future malware attacks. Below, I have attached a video you can follow to configure the plugin on your site.
Get the All-In-One WP Security Plugin by clicking the buttons attached below.
Step 6: Added Rewrite Rules in .htaccess to Block Spam URLs
I edited my .htaccess file to manually block the fake URLs using mod_rewrite rules. This helped prevent these fake pages from showing 404 errors again and reduced their chances of being crawled or indexed by Google.
RewriteCond %{REQUEST_URI} .html$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/zhHant/product/surugaya/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/pcmypage [NC,OR]
RewriteCond %{REQUEST_URI} ^/hobby/boardgame/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/feature/honten/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/search [NC,OR]
RewriteCond %{REQUEST_URI} ^/safe_search/config [NC,OR]
RewriteCond %{REQUEST_URI} ^/2024/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/2025/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/blog/page [NC,OR]
RewriteCond %{REQUEST_URI} ^/detail.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/class/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-content/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/feed/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/cargo/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/product/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/toiwase/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/text/ [NC]
RewriteRule ^(.*)$ - [F,L]
These lines block access to the fake URLs directly at the server level before WordPress even loads.
Step 7: Resubmitted Cleaned URLs in Google Search Console
After blocking and cleaning the spammy pages, I used Google Search Console to help remove the fake URLs from Google’s index.
- Went to Removals → Temporary Removals
- Submitted spam URLs for removal from search results
- Also requested reindexing for important, valid pages that were affected
Step 8: Cleared My Old Sitemap and Submitted a Fresh One
After removing the spammy URLs and blocking them through .htaccess, I realized that my old sitemap might still contain some of the fake or outdated pages. If I didn’t fix that, Google might keep crawling or indexing those bad URLs again.
So, I took the following actions:
- Regenerated a new sitemap using my SEO plugin (I use Rank Math)
- Checked the sitemap manually to make sure no weird URLs were listed
- Deleted the old sitemap from Google Search Console
- Submitted the fresh sitemap to Google for re-crawling
This helped Google understand which pages are valid and which are no longer accessible. It also helped in improving crawl efficiency and removing junk URLs from the index faster.
Step 9: Continued Monitoring of the Site Regularly
Even after all the fixes, I kept a close eye on:
- Google Search Console performance reports
- Security plugin logs
- New fake URL patterns (if any)
- Sudden traffic spikes to unknown URLs
This helped me make sure no new injection or spammy pages were appearing again.
Thus, I have been able to overcome the issue of fixing thousands of fake 404 pages and SEO spam injection.
How Long Google Took to Remove the Fake 404 Pages from Search Results
When I discovered that my website was infected with SEO spam and fake 404 pages, I didn’t have any clear idea about how to fix it. So, I didn’t apply all the fixes at once. I followed a step-by-step approach. After each step, I waited patiently to see if there was any improvement.
In this section, I will explain what actions I took, how much time I waited after each fix, and which one finally brought me the real result.
Step 1: Updated Robots.txt File (Waited 2 Months – No Result)
Once I identified patterns in the fake URLs, I updated my robots.txt file to block those spammy links. After doing this, I saw that Google started removing some of the fake URLs from its search index. However, the removal was very slow.
Even after two months, many fake pages were still visible in the search results. On top of that, new fake 404 pages were being created continuously. So, this method helped a little but didn’t solve the problem completely.
Step 2: Removed Malware from the Site (Waited 2/3 Weeks – No Good Result)
Next, I scanned my site for malware and removed any suspicious files and code. This gave me some quick improvements, and I noticed better cleanup from Google. But still, new fake URLs kept appearing.
This step was important for improving site health, but it couldn’t stop the root cause of the spam injection.
Step 3: Installed All In One WP Security Plugin (1 Week – No Good Result)
I then installed the All-In-One WP Security plugin to strengthen my website’s overall security. It helped me block some unwanted access and monitor file changes. But sadly, this step didn’t stop the fake page creation either.
After a week of testing, I found no major improvement in how Google handled the issue.
Step 4: Blocked Fake URLs via .htaccess (Waited 3 Weeks – It Finally Worked)
Finally, I decided to take a stronger step. I edited my .htaccess file and added 403 forbidden rules to block access to all the spammy URL patterns I had detected. This was the most effective step in the entire process.
Surprisingly, within just 2 to 3 weeks, almost all fake 404 pages were removed from Google search results. Also, the new spam URLs stopped being indexed. For the first time, I saw stable, consistent progress. The issue started going away completely.
Final Words – What I Learned from This Journey!
This whole journey of dealing with SEO spam injection and fake 404 pages was a big learning experience for me. At first, I didn’t even know my site had a problem. But once I discovered it, I realized how harmful these fake pages could be for my SEO and website trust.
I learned that just removing malware or blocking some URLs robots.txt is not enough. These methods helped a little, but the spam problem kept coming back. What really worked was combining all the steps and especially using the .htaccess file to block the spammy URLs directly with 403 forbidden rules. That was the game changer.
I also understood that fixing SEO spam is not something that gives results overnight. You have to be patient, observe how Google reacts, and improve your actions step by step. Now, my site is clean, and the fake 404 pages are no longer showing up in search results. I feel more confident and better prepared to handle such issues in the future.
If your WordPress site is ever infected with SEO spam, I hope my experience will help you fix it faster and smarter.
