How I Cleaned a WordPress “Matbet” SEO Spam Hack After Google Search Console Exploded to 3.45 Million Impressions

A client contacted me after their WordPress site started showing one of the clearest signs of a major SEO spam infection: Google Search Console suddenly exploded with millions of impressions for keywords they had never targeted.

Instead of ranking for their real business topics, the site was suddenly appearing for gambling terms like “matbet” and thousands of related spam queries. In just a few days, impressions jumped from around 100 to more than 3.45 million, with over 81.5K clicks. That was not growth. It was a hacked-site cloaking campaign using the client’s domain authority to rank spam pages in Google.

When I investigated the WordPress installation, I found a layered infection that included fake plugins acting as backdoors, modified core files, and hidden administrator accounts. This case study explains how I traced the attack, removed the infection, and started the recovery process so Google could recrawl the cleaned site.

If your site is showing strange gambling keywords, spam traffic spikes, or hacked content in Google, start with my WordPress malware removal service.

Quick Summary

• Main symptom: sudden spike to 3.45 million impressions and 81.5K clicks from spam queries
• Top spam keyword: matbet and related gambling terms
• Attack type: WordPress SEO spam / casino spam / cloaking-style hacked content
• Main infection points: fake plugins, modified core files, hidden admin users
• Business risk: brand damage, search pollution, possible security warnings, long-term SEO cleanup
• Cleanup actions: removed fake plugins, replaced core files, scanned deeper with Wordfence, removed hidden admins, hardened access
• Recovery actions: submitted updated sitemap, used Search Console URL inspection and recrawl workflow on affected URLs

The first warning signs

The client noticed two major red flags inside Google Search Console:

1. Massive traffic and impression spike
   Impressions suddenly jumped from roughly 100 to more than 3.45 million, with over 81.5K clicks, even though the business had not published new content or launched a campaign.
2. Spam gambling keywords
   The top query driving visibility was “matbet”, along with thousands of related gambling phrases that had nothing to do with the real website.

This is one of the most common patterns I see in large-scale WordPress SEO spam incidents: the real site still looks normal to the owner, but search engines are being shown hacked spam content designed to hijack impressions and clicks.

Why this was a cloaking-style SEO spam attack

This infection behaved like a cloaking-style hacked spam attack. The malicious code showed the real website to normal visitors in many cases, while search engines and selected user agents were served spam pages optimized for gambling terms.

That matters because the site owner often does not see the full damage in a normal browser session. They only notice it when Search Console starts filling with junk keywords, indexed spam URLs, or massive unexplained impression spikes.

If your site is behaving differently for Google than it does for you, that is always a serious warning sign.

What I found during the investigation

When I moved into the forensic cleanup, I found a multi-layer infection rather than one single malicious file.

1. Fake plugins acting as backdoors

The attackers had installed several fake plugins that looked harmless on the surface. In reality, they were backdoors that gave the attacker persistent access to the site. These are common in hacked WordPress environments because they blend into the admin area and survive partial cleanups.

Related reading: known fake and malicious WordPress plugins

2. Modified WordPress core files

Core files such as index.php had been altered. Instead of simply breaking the site, the injected code helped decide when to serve the spam payload and when to keep showing the normal website.

3. Hidden administrator accounts

The attackers had also created hidden or unauthorized administrator access so they could continue controlling the site even if a visible plugin was removed.

Related reading: how hidden admin users are created in WordPress

How I cleaned the Matbet infection

Cleaning this kind of hacked WordPress site requires a layered process. Removing only the visible spam is never enough if the real entry points and persistence mechanisms are still there.

Step 1: Remove the fake plugins and backdoors

The first job was to cut off the attacker’s easiest way back in. I identified and removed the fake plugins that were acting as hidden access points.

Step 2: Replace compromised WordPress core files

When core files are infected, I do not trust line-by-line edits alone. I replaced the compromised wp-admin and wp-includes areas with clean WordPress core files from a trusted source so that altered core behavior would be removed completely.

This is one of the safest ways to clean infected WordPress core files when you already know they have been modified.

Step 3: Run a deeper content and file scan

After the core replacement, I used a high-sensitivity malware scan workflow to find additional infected files inside wp-content, including theme and upload-related areas. Those infected files were then removed or replaced as needed.

Step 4: Audit and clean user access

I reviewed all administrator accounts, removed the unauthorized hidden users, and forced credential hygiene for the legitimate users so the attacker could not simply log back in.

Why this infection was so dangerous

This kind of attack can be devastating because it damages three things at once:

• Search visibility: Google starts associating the domain with spam and gambling content
• Brand trust: users may see hacked or suspicious URLs in search results
• Recovery time: even after cleanup, Google may take time to recrawl and stop surfacing the spam pages

That is why hacked SEO spam is not just a technical nuisance. It becomes a business reputation problem very quickly.

What I did after the malware cleanup

Once the live infection was removed, the recovery work shifted into search cleanup and hardening.

• submitted an updated sitemap to help Google discover the cleaned site structure again
• used Search Console’s URL inspection / recrawl workflow on key affected URLs
• reviewed user access and hardening settings
• added stronger login protection and account hygiene

That part is important because malware cleanup and search cleanup are not always the same job. The code can be gone while the spam footprint still lingers in Google’s index for some time.

Related reading: how I removed 10,500 SEO spam URLs from Google in 12 days

How to recognize this kind of hacked SEO spam early

If you see any of these signs, investigate immediately:

• Search Console impressions suddenly spike for no good reason
• new top queries contain gambling, casino, pharmacy, or foreign-language spam terms
• site content looks normal to you, but indexed pages in Google look wrong
• random URLs you never created start appearing in Search Console
• traffic rises sharply but does not match real business behavior

Related reading: how to detect WordPress malware

What site owners should learn from this case

• A sudden spike in impressions is not always good news.
• Spam keywords in Search Console usually mean the compromise is already serious.
• Fake plugins and hidden admins are common persistence methods.
• Replacing known-compromised core files is often safer than trying to patch them manually.
• Recovery does not end when the malware is removed; Google still needs to recrawl the cleaned site.

FAQ

Why is my WordPress site suddenly ranking for gambling keywords like Matbet?

That usually means your site has been hacked with SEO spam or cloaking malware. Attackers use your domain’s existing trust to rank their spam pages in Google.

Why do I not see the spam pages on my website?

Because cloaking-style hacked spam often shows different content to normal visitors and search engines. The site may look normal in your browser while Google is seeing something else.

Can fake plugins cause recurring hacked spam problems?

Yes. Fake plugins are a common backdoor method. They can let attackers keep access even after parts of the visible infection are removed.

Should I just delete the spam posts and move on?

No. Deleting visible spam is not enough if the backdoors, infected core files, or hidden admin users are still there. The site must be cleaned properly at every level.

What should I do after cleaning a hacked SEO spam infection?

After cleanup, update your sitemap, use Search Console recrawl tools where appropriate, harden user access, and monitor for reinfection or strange new indexed URLs.

Related Reading

• WordPress Malware Removal Service
• How to detect WordPress malware
• Known fake and malicious WordPress plugins
• How hackers create hidden admin users in WordPress
• WordPress malware removal guide
• Removing 10,500 SEO spam URLs from Google

Need help cleaning a hacked WordPress site full of spam keywords?

I’ve worked on thousands of WordPress malware cleanups, including SEO spam, cloaking malware, fake plugins, redirect infections, hidden admin abuse, and large-scale search pollution incidents. If your Search Console is suddenly full of gambling keywords, spam clicks, or URLs you never created, I can help you trace the real cause and clean it properly.

Hire me or go directly to my WordPress malware removal service.