
We’re seeing a crafty SEO-spam tactic against WordPress sites: attackers create shadow directories that mimic your page URLs (permalinks) to show spam to search engines while regular visitors see your normal content. It’s subtle, damages SEO and trust, and can be missed by routine checks.
What’s going on
WordPress uses permalinks – readable URLs like /about-us/ – and routes them through WordPress (index.php at the site root) to display your page. With a typical configuration, web servers such as Apache and Nginx first check whether a real file or folder on disk matches the request path, and only if none exists do the rewrite rules hand the request off to WordPress.
Attackers abuse this by creating folders that match your permalinks, for example /about-us/. Inside each folder they place:
- index.php – a gatekeeper script that decides what to show.
- indexx.php – a static copy of your real page to fool humans.
- readme.txt – a full spam page (HTML/JS) served to crawlers.
Result: Googlebot and similar see casino/pharma spam, while you and your customers see the real page. This is called cloaking and it harms rankings and reputation.
Why it matters to your business
- SEO & visibility: Spammy snippets and structured data can trigger search penalties and lost traffic.
- Brand trust: Customers searching your name may see gambling content instead of your pages.
- Revenue & conversions: Fewer qualified visits means fewer enquiries and sales.
- Compliance & risk: Hidden malware increases liability and recovery costs.
Warning signs
- Google search results show casino/pharma text for pages like About, Contact, Privacy.
- A mismatch between what search engines see and what you see (use Search Console’s URL Inspection “View crawled page”).
- On the server, unexpected folders matching page slugs: /about-us/, /contact/ etc.
- Those folders contain index.php, indexx.php and readme.txt.
How the attack works (plain English)
Web servers prefer serving a real folder over handing the request to WordPress, so a folder named after a permalink silently takes over that URL. The attacker’s index.php inspects the request’s User-Agent header. If it looks like Googlebot (or another search crawler), it prints the spam from readme.txt — often with fake product Schema (JSON-LD) to dress it up. If it looks like a human visitor, it shows the clean-looking indexx.php copy of your page. WordPress is never invoked for these requests, so the database, the editor and the page list all look fine.
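A quick server-side check for the warning signs above, written as an added example for this post rather than taken from it: it walks the top level of a WordPress web root, flags any directory that mirrors a known page slug or carries the index.php/indexx.php/readme.txt triad, and reports whether the directory’s index.php reads the User-Agent and names a search crawler. The slug list is assumed to be supplied by you (for example from WP-CLI with `wp post list --post_type=page --field=post_name`); the sample web root is constructed in a temporary directory and is not a real infection.

```python
import tempfile
from pathlib import Path

# File triad the post says attackers drop inside each shadow directory.
SHADOW_FILES = {"index.php", "indexx.php", "readme.txt"}
# Directories a stock WordPress install legitimately has at the web root.
WP_DIRS = {"wp-admin", "wp-content", "wp-includes"}

def looks_like_cloaker(index_php: Path) -> bool:
    """True if the gatekeeper reads the User-Agent and names a search crawler."""
    text = index_php.read_text(errors="ignore").lower()
    return "http_user_agent" in text and any(b in text for b in ("googlebot", "bingbot"))

def find_shadow_dirs(web_root, slugs):
    """Flag top-level dirs that mirror a page slug or hold the file triad; one dict per finding."""
    findings = []
    for entry in sorted(Path(web_root).iterdir()):
        if not entry.is_dir() or entry.name in WP_DIRS:
            continue
        present = {p.name for p in entry.iterdir() if p.is_file()} & SHADOW_FILES
        mirrors_slug = entry.name in slugs
        if not (mirrors_slug or present == SHADOW_FILES):
            continue  # ordinary asset folder, nothing to report
        gatekeeper = entry / "index.php"
        findings.append({"dir": entry.name, "mirrors_slug": mirrors_slug,
                         "files": sorted(present),
                         "cloaker": gatekeeper.is_file() and looks_like_cloaker(gatekeeper)})
    return findings

def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def build_sample_root() -> str:
    """Constructed sample web root (not a real infection) for a dry run."""
    root = Path(tempfile.mkdtemp())
    for d in WP_DIRS:
        (root / d).mkdir()
    _write(root / "index.php", "<?php require __DIR__ . '/wp-blog-header.php';")
    _write(root / "assets" / "site.css", "body{}")  # harmless folder, must not be flagged
    # Shadow copy of the real /about-us/ permalink, laid out as the post describes.
    _write(root / "about-us" / "index.php", "<?php $ua = $_SERVER['HTTP_USER_AGENT']; // googlebot?")
    _write(root / "about-us" / "indexx.php", "<html>static copy of the real page</html>")
    _write(root / "about-us" / "readme.txt", "<html>spam served to crawlers</html>")
    for name in SHADOW_FILES:  # old slug no longer in WordPress, but carrying the full triad
        _write(root / "old-offer" / name, "x")
    return str(root)

if __name__ == "__main__":
    for finding in find_shadow_dirs(build_sample_root(), ["about-us", "contact"]): print(finding)
```

Point `find_shadow_dirs` at your real web root and slug list; anything it returns deserves a manual look before deletion, since a legitimate folder can share a name with a page.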
Prevention and resolution
- Confirm the issue: Check suspicious pages in Search Console or fetch with a crawler view. Compare with a normal browser view.
- Remove shadow folders: In your web root, delete any directories that mirror WordPress permalinks (after taking a backup).
- Verify core files: Ensure index.php at the site root and .htaccess/web.config match known-good versions.
- Harden access: Reset all admin, hosting, SFTP and database passwords; enable 2FA; remove unknown admin users.
- Update everything: Apply managed updates for WordPress core, plugins and themes to reduce future risk.
- Add protection: Place the site behind a web application firewall (WAF) for virtual patching, bot filtering and malware protection.
- Security monitoring: Enable integrity scanning,


