WebCare.

WordPress problem fix

WORDPRESS IS 302 REDIRECTING TO SPAM URLS — AND THEY KEEP COMING BACK

A 301 redirect tells Google the spam URL still exists somewhere. A 410-Gone tells Google it is dead. That is the difference between a 6-week cleanup and a 6-month one.

4 hour emergency response · You only pay when it is fixed · 150+ WordPress sites managed
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer

The short answer

If your WordPress site is throwing 302 redirects to gambling, pharma, or replica-watch URLs, and the spam URLs keep showing up in Search Console even after you remove the malware, the redirect status code is the problem. Most cleanup guides tell you to 301 the spam URLs back to your homepage. That is wrong. A 301 tells Google the URL has moved permanently somewhere else — Google then crawls it again next week to see where. A 410-Gone tells Google the URL is permanently dead, never coming back, drop it from the index. We use 410-Gone for every injected URL after a hack. On the August 2025 UK agency network hack we cleared 8,000+ injected URLs across 30+ sites this way; most dropped from Google within 4 to 8 weeks instead of the 6+ months a 301 strategy would have taken.

Is this your situation?

If any of these match, you are on the right page.

Search Console shows hundreds or thousands of URLs you never created

Clicking the URLs redirects through 302 to gambling, pharma, replica goods, or adult sites

You removed the malware but the spam URLs keep reappearing in coverage reports

Your real pages are getting outranked by your own injected spam URLs

Bing or Yandex still show the spam even after Google cleared it

What usually causes it

Why does the malware use 302 instead of 301?

A 302 is a temporary redirect, so Google keeps the original URL in its index and keeps crawling it to see if anything changes. That is exactly what the attacker wants — the injected URL stays indexed, keeps passing equity to the spam destination, and keeps earning the attacker money. A 301 would deindex the URL faster, which the attacker does not want.

Why do the spam URLs come back after I delete the malware?

Two reasons. First, the attacker usually leaves a persistence mechanism (a hidden admin user, an mu-plugin, a trojanized core file) that re-injects the redirect rules within days. Second, even after the malware is gone, the spam URLs sit in Google's index for weeks. Every time Google re-crawls them and gets a 200 or a 301, Google keeps them. Only a 410 forces a deindex.

Why not just block the URLs in robots.txt?

Robots.txt blocks crawling, not indexing. Google can still keep a blocked URL in the index for months, showing the snippet 'no information available' under your domain. That looks worse than the spam. 410-Gone is the only signal that removes the URL from the index entirely.

What is the difference between 410 and 404?

A 404 says 'not found right now, maybe try again later'. A 410 says 'gone, permanently, do not come back'. Google deindexes 410s roughly twice as fast as 404s. For hacked-URL cleanup, always use 410.

How we fix it

The real method, in the order it works.

  1. Confirm the persistence mechanism is dead first. If you still have a backdoor user, mu-plugin malware, or trojanized wp-blog-header.php, the redirects will return within hours. Clean the backdoor before you touch redirects.

  2. Export the full injected-URL list from Search Console (Coverage → Crawled-not-indexed + Indexed → filter by your domain + spam keyword).

  3. Write a 410-Gone rule in .htaccess (Apache) or location block (Nginx) that matches the injection pattern, not individual URLs. For the Aug 2025 hack the pattern was usually /xmlrpc.php?* or /wp-json/spam/* — one regex covered 8,000 URLs.

  4. Test the 410 with curl -I before pushing live: a correct response shows HTTP/1.1 410 Gone, not 302 Found or 301 Moved.

  5. Submit the injected URLs to Search Console Removals tool in batches of 1,000. This speeds the deindex from 4-8 weeks to roughly 24-72 hours per batch.

  6. Monitor Coverage weekly. Expect the 'Crawled, not indexed' bucket to balloon for 2-3 weeks (Google revisits each 410 once) then drop sharply.

  7. After 30 days, switch the 410 rule from regex to a no-op once the injected pattern stops appearing in server logs. Leaving a permanent 410 wildcard can accidentally kill legitimate future URLs.
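The log check behind steps 4 and 7, as an added example that is not WebCare's own tooling: it scans an access log for requests matching the injection pattern, flags any answered with something other than 410, and reports whether the pattern has been quiet long enough to retire the rule. The pattern, the log lines, the function name review_rule and the quiet_days threshold are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed injection pattern, modelled on the /wp-json/spam/* example above.
PATTERN = re.compile(r"^/wp-json/spam/")
# Timestamp, request target and status from a combined-log-format line.
LOG_LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed access-log lines (documentation IPs, not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2025:09:12:01 +0000] "GET /wp-json/spam/casino-1 HTTP/1.1" 410 0 "-" "Googlebot/2.1"
198.51.100.7 - - [03/Sep/2025:11:40:17 +0000] "GET /wp-json/spam/pills-9 HTTP/1.1" 410 0 "-" "Googlebot/2.1"
203.0.113.20 - - [04/Sep/2025:08:02:55 +0000] "GET /products/blue-widget/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2025:14:30:44 +0000] "GET /wp-json/spam/watches-3 HTTP/1.1" 302 0 "-" "Googlebot/2.1"
"""

def review_rule(log_text, now, quiet_days=30):
    """Summarise requests that match the injection pattern.

    not_gone lists matching requests answered with anything other than 410:
    the rule is not being applied, or the redirect has been re-injected.
    can_retire is True only when every match got a 410 and the pattern has
    been absent from the log for quiet_days (an assumed threshold).
    """
    hits, not_gone, last_seen = 0, [], None
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m or not PATTERN.search(m["target"]):
            continue
        hits += 1
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if last_seen is None or ts > last_seen:
            last_seen = ts
        if m["status"] != "410":
            not_gone.append((m["target"], int(m["status"])))
    quiet = last_seen is None or now - last_seen >= timedelta(days=quiet_days)
    return {"hits": hits, "not_gone": not_gone, "last_seen": last_seen,
            "can_retire": quiet and not not_gone}

if __name__ == "__main__":
    report = review_rule(SAMPLE_LOG, now=datetime(2025, 9, 6, tzinfo=timezone.utc))
    print(report["hits"], "matching requests, last seen", report["last_seen"])
    for target, status in report["not_gone"]:
        print("  served", status, "instead of 410:", target)
    print("retire rule:", report["can_retire"])
```

A matching request that comes back as 302 after the rule is live is the signal from step 1: something is still rewriting the redirect.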

Real fix, from our work

How this one actually went down

In August 2025 a UK agency network we maintain was hit with a coordinated injection across 30+ WordPress sites. Each site had 200 to 600 spam URLs in Google's index — gambling, pharma, replica watches — all 302-redirecting through a hijacked xmlrpc.php. The previous developer's instinct was to 301 the spam URLs to each site's homepage. Two weeks later the spam URLs were still indexed, plus the homepage was now ranking for 'cheap viagra'. I killed the 301s, dropped a single 410-Gone regex into each site's .htaccess matching the injection pattern, then submitted the URLs to Search Console Removals in 1,000-URL batches. The 'Indexed' count for spam URLs went from 8,400 across the network to 312 within 28 days, and to zero by week 7. No homepage ranking damage, no manual penalty, no reconsideration request needed. The 410 did the work the 301 could not.

Written by Ali Yasin Jatoi

Founder of WebCare Studios. Ali has worked with WordPress for more than 10 years, including managing a fleet of 150+ sites with WP-CLI automation for updates, security cleanup, and malware removal. He has hands-on experience across major hosts including Cloudways, A2 Hosting, Hostinger, and Bluehost.

Why owners pick WebCare

4 hour emergency response

Site down, hacked, or broken checkout gets a senior engineer within 4 hours. No ticket queues, no bots.

You only pay when it is fixed

Flat quote up front. If we cannot get you back online, you do not pay. Risk sits with us, not you.

Data safe approach

We work on a snapshot first and never touch your live database until the fix is verified safe.

150+ sites managed

We run a fleet of WordPress sites every day. The errors you are seeing are ones we have closed hundreds of times.

Common questions

Will a 410-Gone hurt my SEO if I get the regex wrong?

Yes — if the regex accidentally matches a legitimate URL pattern (say, /products/ instead of /products/spam/), you will deindex your own pages. We always test the regex against a list of 50-100 real URLs before deploying, and we keep the 410 in monitoring mode (logged but not served) for 24 hours first.
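The pre-deployment regex test described in this answer and in step 3 of the fix, as an added example that is not WebCare's own tooling: it runs a candidate pattern against the injected-URL export and a list of real URLs, and reports both the spam it misses and the real pages it would 410. The pattern, the URL lists and the function names are assumptions, and Python's re module stands in for the web server's regex engine.

```python
import re
from urllib.parse import urlsplit

# Assumed injection pattern, modelled on the /wp-json/spam/* example on this page.
# Python's `re` stands in for the server's regex engine; re-test on the server.
CANDIDATE = r"^/wp-json/spam/"

# Constructed sample data. In practice: the Search Console export and your sitemap.
INJECTED = [
    "https://example.com/wp-json/spam/cheap-watches-001",
    "https://example.com/wp-json/spam/casino/bonus?id=7",
    "https://example.com/wp-json/spam/",
]
LEGITIMATE = [
    "https://example.com/",
    "https://example.com/wp-json/wp/v2/posts",
    "https://example.com/products/blue-widget/",
    "https://example.com/docs/wp-json/spam/explained/",
]

def request_target(url):
    """Return the path plus query string of a URL (the request target)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")

def audit_pattern(pattern, injected, legitimate):
    """Split the lists into spam the rule misses and real pages it would 410."""
    rx = re.compile(pattern)
    missed = [u for u in injected if not rx.search(request_target(u))]
    collateral = [u for u in legitimate if rx.search(request_target(u))]
    return {"missed": missed, "collateral": collateral,
            "safe_to_deploy": not missed and not collateral}

if __name__ == "__main__":
    for pat in (CANDIDATE, r"/wp-json/"):   # second pattern is deliberately too broad
        result = audit_pattern(pat, INJECTED, LEGITIMATE)
        print(pat, "->", "OK" if result["safe_to_deploy"] else "DO NOT DEPLOY")
        for u in result["collateral"]:
            print("  would 410 a real page:", u)
        for u in result["missed"]:
            print("  spam not covered:", u)
```

How the server splits path and query string depends on the rule type, so repeat the same check with curl -I against a staging copy once the rule is written.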

How long does Google take to drop 410 URLs?

Without the Removals tool: 4 to 8 weeks, depending on crawl frequency. With the Removals tool: 24 to 72 hours for the submitted batch, then 2 to 4 weeks for the long tail Google crawls organically.

Do I need to use the Search Console Removals tool, or will the 410 alone work?

The 410 alone works given enough time. The Removals tool just accelerates it. For a site with under 100 injected URLs, the 410 alone is fine. For a site with thousands, the Removals tool cuts cleanup time from months to weeks.

What if Bing or Yandex still shows the spam URLs after Google clears them?

Bing and Yandex respect 410s but crawl less frequently. Submit a sitemap to Bing Webmaster Tools listing only your real URLs, and use the Bing URL Submission API for the worst spam URLs. Yandex usually self-corrects within 60 days of the 410 deployment.

Should I 410 the injected URLs even if I keep finding new ones each week?

Yes. The 410 stops the SEO damage from the URLs you have already found. But if new injections keep appearing, the persistence mechanism is still alive. Stop the bleeding before you keep mopping — see our wp-adminerlzp hidden admin user page or mu-plugin persistence page.

Send my site for triage in 15 minutes

Two fields. Email and your URL. A senior WordPress engineer reads it within minutes and replies on email and WhatsApp with what is wrong and what we will do next.
