The call we didn't expect
The client noticed something odd. Google was indexing pages on their website they hadn't created. Pages about casinos. About gambling. About betting sites. Their product pages — cars, as it happened — were being quietly buried under thousands of words of hidden spam content that only search engines could see.
This is a cloaking attack: the site serves one version of a page to search-engine crawlers and a different one to everyone else. It's one of the more insidious forms of WordPress compromise because it's invisible to the site owner and their visitors — but very visible to Google's crawlers.
What we found
A compromised plugin. A dormant backdoor installed months earlier. A PHP file that served entirely different content to Googlebot than to human visitors. Roughly 3,500 words of casino spam injected into pages across the site — invisible in the browser, devastatingly visible in search results.
The domain authority the client had spent years building was being quietly harvested to rank gambling content they had nothing to do with.
The most dangerous attacks are the ones that look like nothing's wrong.
What we did
Immediate: quarantine the affected files, remove the backdoor, audit every plugin for known vulnerabilities. Then: full .htaccess hardening — blocking REST API user enumeration, directory browsing, PHP execution in upload directories. Implement a Web Application Firewall. Set up file integrity monitoring.
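The .htaccess hardening described above, written out as an added example (not the client's actual configuration). It assumes Apache 2.4 with mod_rewrite enabled and WordPress installed at the site root; the second section goes in a separate .htaccess inside wp-content/uploads.

```apache
# --- Site root .htaccess (assumed Apache 2.4, mod_rewrite on, WordPress at /) ---

# Disable directory browsing so dropped files cannot be listed by a crawler or an attacker
Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On

# Block REST API user enumeration via /wp-json/wp/v2/users and the ?rest_route= form
# (the slash may arrive URL-encoded as %2F, so both spellings are matched)
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule ^ - [F,L]

# Block the classic ?author=N scan, which otherwise redirects to /author/<login>/
# and leaks the username
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]
</IfModule>

# --- wp-content/uploads/.htaccess (separate file) ---
# Nothing under uploads should ever run as PHP; a backdoor dropped here becomes inert
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```

Blocking /wp/v2/users outright also stops legitimate authenticated calls such as the block editor's author picker; if that matters, exempt logged-in sessions at the application or WAF layer rather than loosening this rule. Confirm the uploads rule with a throwaway .php file that returns 403 before relying on it.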
The longer fix: a security posture, not just a security patch. Regular audits. Plugin minimisation. User permission reviews. Staged updates, not automatic ones.
