WordPress problem fix
Thousands of spam URLs in your Coverage report means either a hack or open URL parameters. We diagnose which and clean it.
If Search Console suddenly shows thousands of pages indexed that you did not create, two things are likely. Either the site was hacked and pages were injected (often in Japanese, Korean, or pharmaceutical themes), or open URL parameters are letting Google index infinite combinations of filters and search results. The fix depends on which one. For injected pages: full malware cleanup, remove the injected URLs, request removal in Search Console. For parameter spam: noindex search pages, canonical filter URLs to the parent, block infinite combinations in robots.txt. Both clear within weeks.
If any of these match, you are on the right page.
Coverage shows thousands of indexed pages you do not recognise
Sample URLs in Japanese, Korean, or about pharmaceuticals
Pages like yoursite.com/?s=keyword indexed in bulk
Manual action warning or security issues flagged in Search Console
If sample URLs are in a foreign language, about pharma, gambling, or fake replicas, almost certainly yes. The site is compromised and pages are being injected and submitted to Google through a hidden sitemap or hacked feeds.
Yes, if the URLs look like search results, filters, or pagination combinations. Open URL parameters let Google index infinite versions of the same page.
If it is a hack, yes, a Manual Action is likely. If it is configuration, no penalty but ranking suffers because crawl budget is wasted.
The real method, in the order it works.
Sample 10 of the unknown URLs and open them to confirm whether they exist on the site.
If pages are hostile (pharma, fake brands, language not yours), treat as hack: malware cleanup, file audit, backdoor removal.
If pages are parameter URLs, add noindex to search results template, canonical filters to parent, block in robots.txt.
Use Search Console URL removal for high impact spam URLs while cleanup runs.
Submit a Reconsideration Request if a Manual Action was issued, only after the site is verifiably clean.
Real fix, from our work
A client site suddenly had 14,000 Japanese pharma pages indexed in Search Console. They had no idea. The site was hacked through an outdated SEO plugin and a script was injecting pages plus a hidden sitemap. I cleaned the malware, removed the injected URLs, deleted the malicious sitemap, rotated every credential, then submitted URL removals for the worst 50 URLs and a Reconsideration Request. The Manual Action was cleared in 11 days. The 14,000 spam URLs dropped to under 200 in three weeks and to zero by week six.
Written by Ali Yasin Jatoi
Founder of WebCare Studios. Ali has worked with WordPress for more than 10 years, including managing a fleet of 150+ sites with WP-CLI automation for updates, security cleanup, and malware removal. He has hands on experience across major hosts including Cloudways, A2 Hosting, Hostinger, and Bluehost.
Site down, hacked, or broken checkout gets a senior engineer within 4 hours. No ticket queues, no bots.
Flat quote up front. If we cannot get you back online, you do not pay. Risk sits with us, not you.
We work on a snapshot first and never touch your live database until the fix is verified safe.
We run a fleet of WordPress sites every day. The errors you are seeing are ones we have closed hundreds of times.
Not enough on its own. robots.txt blocks future crawling but already indexed URLs stay until Google rechecks. Use noindex via meta or X-Robots, plus URL removal for the worst offenders.
Briefly possible during cleanup, but real pages recover and usually improve once crawl budget is no longer wasted on spam URLs.
Crawl frequency drives the timeline. Most spam URLs drop within 4 to 8 weeks. URL removal requests speed up the worst examples.
Two fields. Email and your URL. A senior WordPress engineer reads it within minutes and replies on email and WhatsApp with what is wrong and what we will do next.