Remove casino spam posts on WordPress

You type site:yourdomain.com into Google and find hundreds of casino, sports betting, or online pharmacy pages indexed under your name. Yet your WordPress dashboard looks normal: none of these posts show up in your list of published content. This is a classic SEO spam attack on WordPress, and the fact that these pages are invisible from the admin side is exactly what makes them hard to clean up.

What SEO spam (or “pharma hack”) is

SEO spam is a content injection. An attacker exploits your domain authority to get thousands of fraudulent pages indexed: casinos, slots, betting, drugs, counterfeits. They aren’t trying to wreck your site, they’re using it as free hosting with an SEO reputation that’s already established.

The goal is purely SEO: these pages drive traffic to the attacker’s real sites and pass them link “juice.” As long as the spam stays indexed, it pays off. That’s why it keeps coming back if you only treat the symptoms.

The “pharma hack” is the drug variant (Viagra, Cialis, illegal pharmacies), but the mechanism is identical for casino spam.

Why these pages are invisible in your dashboard

This is the part that throws people off the most. You see nothing in Posts or Pages, yet Google is indexing hundreds of them. A few techniques explain it:

• Cloaking. The injected code detects who’s visiting the page. To Google’s bots, it serves the casino content; to you (logged-in admin or normal visitor), it serves your real page. The spam content exists, but it only shows up for Googlebot.
• Pages generated on the fly. The spam isn’t stored as a real WordPress post. A malicious PHP file builds the casino pages dynamically on each request from Google, off a booby-trapped URL. So they have no presence in the admin interface.
• Hidden post statuses. Sometimes the posts do exist in the database, but with an author, type, or status manipulated so they don’t surface in the standard back-office list.

The practical takeaway: trusting what the WordPress dashboard shows gives you a false sense of cleanliness. You have to measure the scope from the outside.

Measure the real scope

Before you delete anything, map the infection.

• site: search in Google: type site:yourdomain.com and scan the results. Refine with site:yourdomain.com casino or site:yourdomain.com slot to isolate the spam and get a rough count of affected pages.
• Search Console. Open the Coverage / Indexing report: a sudden spike in indexed pages is a strong signal. Also check Security & Manual Actions > Security issues: Google often flags “Hacked content” or “Deceptive pages” there.
• The sitemap. Inspect your sitemap (/sitemap.xml or /sitemap_index.xml). Attackers frequently create fake sitemaps (/sitemap-casino.xml, a bloated /post-sitemap.xml, etc.) and submit them to Google to speed up indexing of the spam. Look for any sitemap file you didn’t generate.

Note the volume and the typical URLs: you’ll need them for the cleanup and then for the deindexing request.

Where the spam is stored

In an SEO spam attack, the content usually hides in three places:

• The wp_posts table in the database. This is the most common spot for fake posts and pages. Look for entries with titles or content containing casino, bet, slot, viagra, poker, or unusual characters.
• The wp_options table and wp_postmeta, where bits of malicious config, footer injections, or header injections can live.
• Injected PHP files (often at the root, in wp-content/uploads/, or disguised as wp-xxxx.php) that generate the pages dynamically and write the fake sitemaps.

The visible spam is just the tip. The PHP files are the machinery, and that’s also where the way in hides.

Remove the injected pages cleanly

Back up the database and files first before doing anything. A SQL deletion can’t be undone.

If the pages are visible in the dashboard

This is the simplest case. Go to Posts or Pages, filter, select the fraudulent items, move them to Trash, then empty the Trash. Be sure to check every status (drafts, pending, private) and every author.

If they’re invisible (database / phpMyAdmin)

Log into phpMyAdmin (or Adminer) through your host. First gauge the extent with a read query:

SELECT ID, post_title, post_type, post_status
FROM wp_posts
WHERE post_title LIKE '%casino%'
   OR post_title LIKE '%slot%'
   OR post_content LIKE '%casino%'
   OR post_content LIKE '%betting%';

Carefully confirm that the results are spam and not legitimate content, then delete:

DELETE FROM wp_posts
WHERE post_title LIKE '%casino%'
   OR post_title LIKE '%slot%';

Heads up: the wp_ prefix may be different on your install (for example wp_a1b2_). Adjust the queries. Then clean up the orphaned metadata tied to the deleted IDs in wp_postmeta.

Delete the rogue sitemap and PHP files

Via FTP/SFTP or your host’s file manager:

• delete any sitemap-*.xml file you didn’t create;
• inspect the root, wp-content/uploads/, and wp-content/ for recent PHP files or files with suspicious names;
• if you use a sitemap plugin (Yoast, Rank Math), regenerate a clean sitemap from its settings after cleanup.

Ask Google to deindex and re-review

Once the site is clean, the spam pages stay in Google’s index for a few days to a few weeks. To speed that up:

• in Search Console, use the Removals tool to quickly hide the most visible fraudulent pages;
• make sure the deleted URLs return a 404 or 410 error (Google will drop them naturally on the next crawl);
• if Google had flagged a security issue, fix everything, then click Request review under Security issues. Describe what you cleaned up. Lifting the warning usually takes one to several days.

For the full review procedure, see our guide to removing the Google hacked-site warning.

Why the spam comes back if you forget the backdoor

This is the most common mistake: you delete the casino pages, breathe a sigh of relief, and three days later they’re back, sometimes in greater numbers. The reason is simple: as long as the backdoor is in place, the attacker re-injects everything automatically.

The backdoor is a piece of PHP code that lets the attacker write to your database and files remotely. It often hides in an outdated plugin, a theme, a disguised .php file, or a WordPress cron task. Deleting the spam without finding the backdoor is mopping up a leak without shutting off the tap.

A full cleanup means identifying the entry point, purging every infected file, changing the passwords (admin, database, FTP), and updating the core, themes, and plugins. The same underlying mechanism shows up when your site redirects to a casino: the root cause is identical, only the symptom changes.

Quick prevention

• update WordPress, themes, and plugins without delay;
• delete inactive plugins and themes (needless attack surface);
• change passwords and turn on two-factor authentication on admin accounts;
• install a security plugin with regular file scans and keep an eye on Search Console.

FAQ

Why can’t I see the casino pages in my WordPress admin? Because they’re served only to Googlebot (cloaking) or generated on the fly by a malicious PHP file, without existing as real posts. Measure the scope with site:yourdomain.com and Search Console, not from the dashboard.

Is deleting the pages enough to fix the problem? No. If the backdoor stays in place, the spam comes back within days. You have to find and remove the malicious code and the entry point, not just the indexed pages.

How long before Google removes the spam pages? From a few days to a few weeks, depending on crawl frequency. The Removals tool and 404/410 responses speed up the process.

---

If you’d rather not poke around in phpMyAdmin yourself and risk breaking your site, WP-Detox handles it. Our free scan measures the real scope of the spam (including the pages that are invisible from the admin side), then the cleanup takes about 30 minutes: removing the injected pages, the fake sitemaps, and the backdoor, with a full backup before any action. All-in at €149, refunded if we can’t fix your site. For the bigger-picture approach, see our guide on what to do when WordPress is hacked.