WordPress glossary

robots.txt Hijack

A compromise that rewrites robots.txt to block legitimate crawlers or allow attacker paths Google should never see.

Last updated 27 June 2026 · Reviewed by Ali Yasin Jatoi

A hijacked robots.txt typically adds Disallow rules that cut off Google from your real content, or adds Allow rules exposing /wp-admin/, /staging/, or attacker drop folders. Always serve robots.txt from a real file or a controlled route, never from a plugin setting an attacker can edit through the database. Diff against your known-good copy after any suspected compromise.

Related terms

410 Gone
An HTTP status code that tells Google a URL is permanently removed and should be dropped from the index faster than a 404.
Google Search Console
Google's free tool that shows which keywords drive clicks to your site, plus indexing and Core Web Vitals data.
302 Redirect Hack
A compromise where injected code 302-redirects search traffic to affiliate or scam URLs while showing the real site to direct visitors.

When this comes up in the wild

robots.txt hijackedIncident playbook
WordPress 302 redirect hack (410-Gone fix)Incident playbook

Need this fixed, not just defined?

We have shipped hundreds of fixes for exactly this kind of issue. Book a 20 minute call and we will tell you straight whether it is a quick fix or a bigger root cause.

Book a 20 minute call +92 346 600 8404

302 Redirect Hack C2 Server (Command and Control)

Call Book a call