How to use 410 Gone to kill hacked redirect URLs in WordPress

404 Not Found tells Google the URL might come back. Google keeps re-crawling it for months and the spam stays in search results.

301 Redirect to your homepage looks tidy but Google treats it as a soft 404 and may penalise the destination for thin or irrelevant content.

410 Gone is a permanent removal signal. Google drops the URL from the index far faster, usually within one to two crawl cycles.

After the August 2025 UK agency network hack we tested all three on matched samples. 410 cleared the index in 9 to 14 days. 404 was still showing spam after 60 days.

site:yourdomain.com in Google shows pharma, casino, or Japanese SEO spam pages you never created.

Search Console shows a sudden spike in indexed URLs that match patterns like /shop/, /goods/, /?p=12345, or /xmlrpc.php?...

Logged-out users get redirected to a third party domain via a 302; logged-in admins see the site normally.

Sitemap is suddenly ten times larger and full of URLs you do not recognise.

Export the indexed pages report from Search Console and filter by the hacked pattern.

Pull server access logs for the last 30 days and grep for spam slugs and 302 responses.

Run Screaming Frog in list mode against the spam URL list to confirm the current HTTP status of each.

Group URLs into patterns so a few rules cover thousands of URLs.

Apache htaccess: RewriteEngine On then RewriteRule for the hacked path with the G flag, which emits 410 Gone.

Nginx: a location block matching the hacked prefixes that returns 410.

Cloudflare Workers: respond with a 410 Gone Response for matched paths when you do not own the host config.

Verify with curl head request and confirm the 410 Gone status in the response.

Regenerate the sitemap so it contains only legitimate URLs.

In Search Console, submit a Removals request for the top 10 to 50 worst spam URLs to accelerate de-indexing.

Resubmit the clean sitemap. Watch the Pages report; the Not found 410 bucket should grow and the Indexed bucket should shrink to clean URLs only.

An agency we white label for had 11 client sites hit by the same 302 redirect malware. 4,200 spam URLs across the network.

We deployed the 410 ruleset within 90 minutes of access. Logs went from 200 OK on spam URLs to 410 Gone within minutes.

By day 9, Search Console showed 3,100 of 4,200 URLs as Not found 410. By day 14, all 4,200 were gone from site search.

Organic traffic returned to baseline by day 21. No clean URL lost ranking.