
Some attackers now hide spam content from people — and show it only to search engines. This selective approach targets Googlebot using IP checks, so the malware stays invisible to staff while your reputation and SEO take the hit. Here’s what’s happening and how to protect your WordPress site.
What’s going on
During a clean-up, researchers found code added to a site’s index.php. Instead of always loading WordPress, the script first checks who’s visiting. If it’s a genuine Google crawler, the site serves content pulled from an external domain; if it’s a human, it quietly loads the normal page.
How the attack works (plain English)
- Two-stage verification: The code checks the visitor’s User-Agent (the browser identity string) and then verifies the visitor’s IP address, aiming to prove they are really Google.
- IP range matching with maths: The script contains a long list of Google network ranges (called ASNs) in CIDR format and uses bitwise calculations (including IPv6) to confirm the IP is inside a Google-owned block — far harder to fake than a User-Agent.
- Remote payload: If verification passes, it fetches spam content from a third-party pages domain and prints it directly into the response so Google sees it as your page.
- Fallbacks & logging: The code logs “fake bot” attempts and redirects anything suspicious back to the home page to avoid errors being indexed.
Quick jargon buster
- ASN (Autonomous System Number): An organisation’s official set of internet addresses — Google’s “home address” ranges.
- CIDR: A compact way to note a block of IPs (e.g. 192.168.1.0/24 covers 256 addresses).
Why this matters to your business
- Search reputation: Google may index gambling or scam pages under your domain, risking penalties and lost rankings.
- Brand trust: Prospects searching your name could see spammy results instead of your services.
- Silent damage: Because humans see the normal site, infections can linger, harming conversions and revenue over time.
Warning signs
- Spammy titles/descriptions for your domain in Google results.
- Differences between what you see in a browser and what Google Search Console’s URL Inspection shows.
- Recent edits to core files like index.php or unexpected outbound requests to unfamiliar domains.
Quick checks (safe and fast)
- Search site:yourdomain.com and look for gambling or “marketplace” style pages.
- In Google Search Console, compare the crawled page HTML to your live page.
- Review server logs for requests to unknown domains and for conditional behaviour aimed at bots.
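One way to check index.php for the traits described above, as an added example that is not code from the original analysis: it flags a User-Agent test, a visitor IP test, embedded CIDR ranges and a remote fetch, plus any statement beyond the two a stock WordPress root index.php runs. The function name, the patterns and both sample files are assumptions constructed for illustration.

```python
import re

# Behaviours this article attributes to the injected code (patterns are assumptions).
TRAITS = {
    "user-agent check": re.compile(r"HTTP_USER_AGENT|googlebot", re.I),
    "visitor IP check": re.compile(r"REMOTE_ADDR|inet_pton|ip2long", re.I),
    "embedded CIDR range": re.compile(
        r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b"
        r"|\b[0-9a-f]{1,4}(?::[0-9a-f]{0,4}){2,7}/\d{1,3}", re.I),
    "remote fetch": re.compile(r"curl_exec|file_get_contents\s*\(\s*['\"]https?://", re.I),
}
# The only two statements a stock WordPress root index.php executes.
STOCK = [
    re.compile(r"^define\(\s*'WP_USE_THEMES',\s*true\s*\)$"),
    re.compile(r"^require\s*\(?\s*(?:__DIR__|dirname\(\s*__FILE__\s*\))"
               r"\s*\.\s*'/wp-blog-header\.php'\s*\)?$"),
]

def audit_index_php(source):
    """Return a list of findings; an empty list means the file looks stock."""
    findings = [f"trait: {name}" for name, rx in TRAITS.items() if rx.search(source)]
    code = re.sub(r"/\*.*?\*/", "", source, flags=re.S)       # block comments
    code = re.sub(r"^\s*(?://|#).*$", "", code, flags=re.M)   # whole-line comments
    code = re.sub(r"<\?php|\?>", "", code)                    # PHP open/close tags
    for stmt in code.split(";"):
        stmt = " ".join(stmt.split())                         # normalise whitespace
        if stmt and not any(rx.match(stmt) for rx in STOCK):
            findings.append(f"non-stock statement: {stmt[:60]}")
    return findings

# Constructed samples: an abbreviated stock file, and a tampered file that uses
# documentation IP ranges, an undefined helper and an .invalid host.
STOCK_SAMPLE = r"""<?php
/** Front to the WordPress application. */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""
TAMPERED_SAMPLE = r"""<?php
$ranges = array('192.0.2.0/24', '2001:db8::/32');
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false
    && ip_in_ranges($_SERVER['REMOTE_ADDR'], $ranges)) {
    echo file_get_contents('https://pages.example.invalid/feed');
}
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

if __name__ == "__main__":
    print(audit_index_php(STOCK_SAMPLE), audit_index_php(TAMPERED_SAMPLE), sep="\n")
```

A non-empty result is a prompt to compare the file against a clean copy from a trusted WordPress download, not proof of infection on its own.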
What to do now (calm, practical response)
- Shield traffic with a WAF: Put a reputable web application firewall in front of WordPress to block malicious requests and cut off the spam feed while you clean.
- Remove the malware: Back up first. Restore clean versions of index.php and any other modified files from trusted sources. Delete rogue code and files completely.
- Scan thoroughly: Run server-side scans across core, plugins and themes to find backdoors. Follow with professional malware removal if needed.
- Reset access: Change WordPress, hosting, SFTP/SSH and database passwords; enable 2FA for all admins.
- Block egress to bad domains: Add firewall rules to prevent callbacks to attacker infrastructure.
- Repair SEO: Fix issues flagged in Search Console and request reconsideration if a manual action exists.
Prevention and ongoing protection
- Security monitoring: Enable file-integrity alerts so changes to core files (like index.php) are flagged immediately.
- Managed updates: Keep WordPress core, plugins and themes current as part of routine website maintenance.
- Always-on WAF: Reduce exploit risk with virtual patching and bot mitigation for stronger malware protection.
- Least-privilege access: Limit administrator roles; enforce strong, unique passwords and 2FA.
- Backups & recovery: Maintain tested, off-site backups for fast restoration after malware removal.
How matm can help
- Managed WordPress, plugin & theme updates
- Security monitoring and WAF setup
- Regular backups & fast site recovery
- Malware removal and emergency response
If search results for your brand look wrong — or you suspect cloaking — we’ll investigate, clean and harden your site with clear, business-friendly guidance. Email [email protected] or call 01952 883 526.
Based on research by Sucuri — read the original analysis.


