Google sees spam, you see your site: cloaked SEO spam explained

Some attacks don’t vandalise your pages. Instead, they quietly turn your website into a mouthpiece for spam — but only when search engines like Google visit. Real people see your normal content; Googlebot sees gambling or fake shopping pages. That’s SEO cloaking, and it can devastate rankings, trust and revenue if not fixed quickly.

What’s going on

Attackers inject a small block of code into your site (for example, appended to a legitimate PHP file). The script checks who’s visiting. If it detects a crawler such as Googlebot, it swaps your page for spam pulled from a remote server. Humans get your real site; search engines index the spam.

In a recent case, spam was fetched from a malicious domain and only served to bots, leaving site owners unaware until search results filled with gambling and “eBay-style” pages.

How it works (plain English)

  • Bot detection: The malware looks at the visitor’s “User-Agent” to spot search engine crawlers.
  • Remote spam feed: It downloads a text payload stuffed with gambling/affiliate keywords from an attacker-controlled domain.
  • Content swap: The spam replaces your normal output and the script stops the real page from loading — for bots only.

Why this matters to your business

  • SEO penalties: Cloaking violates search guidelines. You risk manual actions or blocklisting, and organic traffic can drop overnight.
  • Brand damage: Customers searching for you see casino or scam results, not your services.
  • Hidden risk: Because the website looks fine to staff, the problem often persists and worsens.

Warning signs

  • Google results for your brand show gambling, “toto/slot” or fake marketplace pages.
  • Discrepancies between what you see in a browser and what appears in search.
  • Unfamiliar code added to otherwise normal files (e.g., extra PHP at the bottom of a handler or controller file).
  • Outbound requests from your server to unknown domains.

Quick checks (safe and fast)

  • Search your domain: Run site:yourdomain.com and look for spammy titles/descriptions.
  • Use URL Inspection: In Google Search Console, compare the “Crawled page” HTML to what you see in your browser.
  • Check server logs: Look for requests to strange domains or scripts that run only for crawlers.
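The browser-versus-crawler comparison from the checks above can be approximated locally. This is an added example, not code from the original article or from Sucuri: it requests the same URL with a browser and a Googlebot User-Agent and compares the visible text. The function names, keyword list and sample pages are constructed, and it assumes the injected code keys on the User-Agent alone, as described above; if it also checks the source IP, only the Search Console "Crawled page" view will show the difference.

```python
import difflib
import re
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed keyword list taken from the terms this article mentions; extend as needed.
SPAM_TERMS = ("casino", "gambling", "slot", "toto")
# Constructed sample pages so the comparison can be tried offline.
SAMPLE_BROWSER = "<html><head><title>Acme Plumbing</title></head><body><h1>Boiler repair and servicing</h1><p>Call us for a quote.</p></body></html>"
SAMPLE_CRAWLER = "<html><head><title>Best online slot bonus</title></head><body><p>Casino toto slots jackpot bonus daily</p></body></html>"

class _Text(HTMLParser):
    """Collects the <title> and visible words, skipping script/style bodies."""
    def __init__(self):
        super().__init__()
        self.title, self.words, self._tag = "", [], None
    def handle_starttag(self, tag, attrs):
        self._tag = tag
    def handle_endtag(self, tag):
        self._tag = None
    def handle_data(self, data):
        if self._tag == "title":
            self.title += data.strip()
        elif self._tag not in ("script", "style"):
            self.words += re.findall(r"[a-z0-9]+", data.lower())

def fetch(url, user_agent, timeout=10):
    """Fetch a page from a site you operate, presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def summarize(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    vocab = set(parser.words) | set(re.findall(r"[a-z0-9]+", parser.title.lower()))
    hits = {t for t in SPAM_TERMS if any(w.startswith(t) for w in vocab)}
    return parser.title, parser.words, hits

def compare(browser_html, crawler_html, threshold=0.5):
    """Flag a page whose crawler view diverges from the browser view."""
    b_title, b_words, b_hits = summarize(browser_html)
    c_title, c_words, c_hits = summarize(crawler_html)
    ratio = difflib.SequenceMatcher(None, b_words, c_words).ratio()
    new_terms = sorted(c_hits - b_hits)
    return {"similarity": round(ratio, 2), "title_changed": b_title != c_title,
            "crawler_only_terms": new_terms,
            "suspicious": ratio < threshold or bool(new_terms)}
# Live use: compare(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))
```

Pages with rotating content (news feeds, timestamps) lower the similarity score on their own, so treat a low ratio as a prompt to read both responses rather than as proof.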

What to do now (calm, practical response)

  1. Shield traffic with a WAF: Put a reputable web application firewall in front of WordPress to block known bad requests and stop the spam feed while you clean.
  2. Remove the malware: Back up first. Find and delete injected code appended to legitimate files; restore clean versions from backups or the vendor. Avoid leaving “just a snippet” behind.
  3. Scan thoroughly: Run a server-side scan across core, plugins and themes to uncover other backdoors. Follow with professional malware removal if needed.
  4. Rotate access: Change WordPress, hosting, SFTP/SSH and database passwords; enable 2FA for all admins.
  5. Block egress: Add firewall rules to block calls to malicious domains/IPs seen in logs.
  6. Request reconsideration: Once clean, fix any issues flagged in Search Console and request review if a manual action was applied.

Prevention and ongoing protection

  • Website maintenance: Keep WordPress core, plugins and themes updated with managed updates to reduce exploit risk.
  • Security monitoring: Enable file integrity and behaviour-based security monitoring to catch unexpected changes quickly.
  • WAF always on: A web application firewall adds virtual patching and bot mitigation, and helps enforce clean responses — a strong layer of malware protection.
  • Principle of least privilege: Limit admin accounts, use unique passwords and enforce 2FA.
  • Backups & recovery: Maintain tested, off-site backups for rapid restoration after malware removal.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

If search results for your brand look wrong — or you suspect cloaking — we’ll investigate, clean and harden your site with clear, business-friendly guidance. Email [email protected] or call 01952 883 526.

Based on research by Sucuri. Read the original analysis.