The Case of Hidden Spam Pages

Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason being is that the attack is very low-level in terms of sophistication: All that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform.

This spam attack is so simple and so common that we actually wrote an entire guide on how to effectively remove it. Not all WordPress websites function as blogs, so many admin users don’t even access the posts section of wp-admin at all. For this reason, by the time the spam is discovered the posts/pages can number in the tens or sometimes even hundreds of thousands, making its removal time consuming without the usage of a little SQL command magic.

Normally it’s quite straightforward, but in this particular case we found some spam posts where the attackers went the extra mile to keep their blackhat SEO concealed.

To read the complete article see: https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html