
Executive Summary
This case study explores a critical SEO crisis involving a chiropractor & wellness website that experienced a sudden decline in search rankings and overall site authority.
Despite a consistent backlink profile, the site’s performance plummeted due to a sophisticated “URL injection” attack.
This attack utilized a spammy script to generate millions of non-existent pages, bloating the crawl budget and confusing search engine algorithms.
The following report details how we identified the breach, the specific technical indicators found—including exploited admin-ajax.php calls—and the multi-layered recovery strategy implemented to restore the site’s integrity and ranking potential.
The Problem: High Backlinks, Low Authority, and Thousands of Ghost Pages
The client approached us with a frustrating paradox: they were investing in SEO and earning quality backlinks, yet their Domain Authority (DA) remained stagnant, and keyword rankings were slipping.
Upon initial audit, the core issue was hidden within the “Crawled – Currently Not Indexed” report in Google Search Console.
While the site had only a few hundred legitimate content pages, Google was attempting to crawl thousands of phantom URLs.
This phenomenon, known as SEO Spam Injection, was effectively “diluting” the site’s authority.
Technical Red Flags
The most alarming discovery was the presence of thousands of URLs appearing in search logs with the following patterns:
- Dynamic Parameter Bloat: Thousands of URLs followed by ?action=wp_statistics_custom_event&nonce=....
- Directory Injection: Ghost directories like /pw/contents/renga/ appearing in crawl requests.
- Query String Spam: Random strings such as ?_g=1569839 attached to the root domain.
The Diagnosis: Anatomy of a Spam Script Attack
In this case, the attacker had exploited a vulnerability in the site’s CMS to insert a malicious script.
This script did not “create” physical files on the server in the traditional sense; instead, it used dynamic routing to tell Google that these thousands of random URLs existed.
How the Attack Sabotaged SEO
- Crawl Budget Exhaustion: Googlebot spends a limited amount of time on any given site. By forcing it to crawl millions of “ghost” pages, the bot never reached the client’s high-value wellness articles.
- Authority Dilution: Because the spam URLs often linked to external “bad neighborhoods” (illegal pharmacies, gambling, etc.), the site’s “trust score” with search engines plummeted.
- Indexing Deadlocks: Legitimate new content, such as the client’s articles on “Misconceptions about Fasting,” remained in the “Crawled – Currently Not Indexed” state because Google was overwhelmed by the sheer volume of spam.
The Technical Evidence: Analyzing the Crawl Data
Our analysis of the Search Console data revealed a consistent pattern of automated scripts triggering internal WordPress functions.
- Targeted URL: https://[client's domain].com/wp-admin/admin-ajax.php?action=wp_statistics_custom_event&nonce=a1c5bd9c38
- Observation: The frequency of these crawls (daily hits on unique nonces) suggested that an automated bot was attempting to exploit the admin-ajax.php handler to trigger server-side events or simply to keep the spam pages “alive” in Google’s memory.
- Secondary Bloat: We found legitimate feed URLs (e.g., /feed/) being hit excessively, indicating the bot was scraping the site’s RSS to find more entry points for injection.
Step-by-Step Recovery Strategy
To fix this, we moved beyond simple “removal requests” and targeted the root cause.
Phase 1: Server-Level Cleaning
Malware Extraction: We performed a high-sensitivity scan of the /wp-content/ and root directories. We identified and removed a “backdoor” script hidden in an outdated plugin.
Core File Integrity: We replaced the index.php and .htaccess files with clean, default versions to ensure no malicious redirect rules were left behind.
Database Sanitization: We searched the database for unauthorized administrator accounts and malicious code injections within the wp_options table.
Phase 2: Signalling Permanent Removal (The 410 Gone Protocol)
Simply deleting the pages or using 404 errors is insufficient for an attack of this scale. A 404 tells Google, “I can’t find this right now.” A 410 Gone status tells Google, “This is deleted permanently; stop coming back.”
- Regex Pattern Matching: We implemented a rule in the .htaccess file to automatically serve a 410 status for any URL containing the spam patterns (e.g., ?_g= or /renga/).
- Robots.txt Hardening: We updated the robots.txt to explicitly disallow the wp-admin directory while maintaining access for necessary AJAX functions:
    Disallow: /wp-admin/
    Allow: /wp-admin/admin-ajax.php
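The check below is an added example, not code from the original case study: it classifies access-log requests against the three URL patterns named under Technical Red Flags and lists Googlebot hits on ?_g= or /renga/ URLs that are not yet answered with 410. The Combined Log Format, the sample lines, the documentation IP and the article path are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host - - [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SERVE_410 = {"directory_injection", "query_string_spam"}  # patterns the 410 rule covers

def classify(target):
    """Label a request target with one of the three spam patterns, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "/renga/" in parts.path:
        return "directory_injection"
    if "_g" in query and all(v.isdigit() for v in query["_g"]):
        return "query_string_spam"
    if parts.path.endswith("/admin-ajax.php") and query.get("action") == ["wp_statistics_custom_event"]:
        return "parameter_bloat"
    return None

def audit(lines):
    """Count crawler hits per pattern; list ghost URLs not yet answered with 410."""
    hits, not_gone = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        # User-agent match only; it can be spoofed, so confirm real Googlebot by reverse DNS.
        if not m or "Googlebot" not in m["ua"]:
            continue
        label = classify(m["target"])
        hits[label or "legitimate"] += 1
        if label in SERVE_410 and m["status"] != "410":
            not_gone.append((m["target"], int(m["status"])))
    return hits, not_gone

# Constructed sample lines (documentation IP, hypothetical article path).
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
def _line(target, status, ua=BOT):
    return f'192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE = [
    _line("/?_g=1569839", 200),
    _line("/pw/contents/renga/", 410),
    _line("/wp-admin/admin-ajax.php?action=wp_statistics_custom_event&nonce=a1c5bd9c38", 200),
    _line("/misconceptions-about-fasting/", 200),
    _line("/?_g=42", 200, ua="curl/8.0"),
]

if __name__ == "__main__":
    hits, not_gone = audit(SAMPLE)
    print(dict(hits))
    print("still not 410:", not_gone)
```

An empty not-yet-410 list after the .htaccess change is the signal that the rule matches every ghost URL the crawler is still requesting.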
Phase 3: Crawl Budget Reclamation
To redirect Googlebot’s attention back to legitimate content, we:
- Updated XML Sitemaps: Removed all traces of feed URLs and non-essential pages, leaving only high-value content.
- Pinged Google Search Console: Once the 410 errors were active, we requested a validation of the “Crawled – Currently Not Indexed” status to force Google to recognize the removals.
Results and Lessons Learned
Within 45 days of implementing the “410 Gone protocol” and cleaning the server:
- Ghost URL Volume: Reduced from 300,000 detected URLs to under 1000.
- Indexing Rate: Legitimate articles that were previously stuck in “Not Indexed” moved to the “Indexed” status.
- Ranking Recovery: The site’s primary keywords for chiropractic & wellness and metabolic health returned to the first three pages of SERPs.
Key Takeaways for Website & Business Owners
Backlinks aren’t everything: Even a strong backlink profile cannot overcome a site that Google views as a “spam factory.”
Monitor your Crawl Reports: If you see a spike in “Crawled – Currently Not Indexed” pages that you didn’t create, you are likely under a URL injection attack.
Security is SEO: Outdated plugins are the most common entry point for these scripts. Regular maintenance is a ranking factor.
Conclusion
The “Ghost URL” injection is a silent killer of website authority. By shifting the strategy from simple page removals to server-level cleaning and aggressive 410 Gone signalling, we were able to restore the client’s digital reputation.
At Top SEO PH, we emphasize that SEO is not just about building new links; it is about protecting the integrity of the links you already have.
Need an Audit? If your site is experiencing high crawl numbers but low rankings, you may have a hidden spam script.
Contact us for a comprehensive technical SEO audit.