If your website suddenly starts showing product links, pages or search results that have nothing to do with your business, it may not be a content mistake. It could be malware.

That is exactly what Sucuri recently investigated on a compromised Joomla website. The site owner had not added the suspicious listings, but visitors and search engines were being shown spam content anyway. It is a reminder that website malware does not always announce itself with a broken homepage. Sometimes it works quietly in the background, damaging search visibility, trust and conversions before anyone notices.

What’s going on

In this case, attackers had inserted hidden PHP code at the top of the site’s index.php file. PHP is the server-side code that helps power content management systems such as Joomla and WordPress.

The malicious code acted like a remote loader. In simple terms, that means it did not contain all the spam itself. Instead, it contacted attacker-controlled servers, pulled back instructions, and then decided what to show.

That gave the attackers flexibility to:

• inject SEO spam pages and links
• redirect visitors to other websites
• serve different content to search engines and real users
• change behaviour at any time without reinfecting the site

This kind of setup is especially harmful because it can stay hidden for longer. A site may appear normal to the owner while search engines or visitors are seeing something very different.

Why this matters to business owners

SEO spam is not just a technical nuisance. It can have a direct commercial impact.

• Search visibility suffers: spam pages can dilute your rankings or trigger search engine penalties.
• Trust is damaged: visitors who land on suspicious content may assume your business is unsafe.
• Leads and sales can drop: hijacked traffic means fewer genuine enquiries and conversions.
• Brand reputation takes a hit: your website may appear to endorse products or services you have never offered.
• Recovery takes time: cleaning up malware, restoring rankings and rebuilding confidence can be far more costly than preventing the issue.

Although this case involved Joomla, the lesson is broader. The same principles apply to WordPress security, malware protection and website maintenance across most CMS platforms.

How the malware worked

Sucuri found that the code was heavily obfuscated. That means it was intentionally scrambled to make detection harder.

Rather than storing obvious malicious instructions in one place, the attacker broke the code into tiny chunks and rebuilt it when the file ran. This helps malware slip past basic scanners that only look for familiar patterns.

Once active, the script contacted external domains to receive instructions. From there, it could work in a few different ways:

• Redirect mode: send visitors somewhere else without warning
• Injection mode: place spam content directly into pages
• Cloaking mode: show fake SEO content or sitemaps to search engines while hiding it from the site owner

That last point is particularly important. Cloaking means different visitors see different content. It is one reason malware can quietly undermine search performance for weeks or months.

Warning signs to look out for

Problems like this are often spotted indirectly. You may not see the malware itself, but you may notice unusual symptoms.

• unrelated product or service pages appearing in search results
• strange links showing up on your website
• unexpected redirects to third-party websites
• sudden drops in traffic, rankings or enquiries
• security alerts from your host or Google
• changes to core files that nobody in your team made

If your website behaves differently for visitors than it does for you, that is a strong sign you need a full malware review.

How the issue was resolved

According to Sucuri, the immediate fix was to remove the malicious code from the compromised file and check the rest of the server for any additional backdoors.

The site owner was also advised to reset administrator credentials and carry out a wider file integrity review. That matters because malware removal is not just about deleting one bad snippet. You also need to make sure the attacker cannot get back in the same way.

Prevention and resolution

The best protection is a mix of good housekeeping, layered defences and ongoing monitoring.

1. Keep your CMS, plugins and themes updated. Outdated software remains one of the most common routes into compromised sites. Managed updates reduce that risk significantly.
2. Use strong admin security. Unique passwords, limited access and two-factor authentication make opportunistic attacks harder.
3. Remove anything unused. Old extensions, abandoned plugins and unnecessary themes increase your attack surface.
4. Add a WAF. A web application firewall helps filter malicious traffic before it reaches your website.
5. Monitor core files and behaviour. Security monitoring can highlight suspicious changes before they become a bigger problem.
6. Keep reliable backups. Fast recovery depends on having clean, recent backups available.
7. Act quickly on warning signs. The sooner malware removal starts, the less chance there is of lasting SEO and reputational damage.

Why ongoing website maintenance matters

Many business owners only discover a security problem once rankings fall or customers report something odd. By then, the damage may already be done.

Regular website maintenance helps close that gap. It keeps software current, reduces vulnerability exposure and makes it easier to spot changes that should not be there. Combined with malware protection, a WAF and security monitoring, it creates a much stronger line of defence.

For WordPress security in particular, this approach is essential. WordPress sites are frequent targets because of their popularity, and the same basic weaknesses apply: outdated plugins, weak access controls and missing monitoring.

How matm can help

If your website is showing suspicious content, redirecting visitors, or losing visibility for no obvious reason, it is worth investigating quickly.

• Managed WordPress, plugin & theme updates
• Security monitoring and WAF setup
• Regular backups and fast site recovery
• Malware removal and emergency response

Need help securing your website or recovering from an infection? Contact matm at [email protected] or call 01952 883 526.

Based on research by Sucuri.