Virus URLs affecting our SEO for 7 months+

I'm at my wits end with this and desperately need a solution.

Our Wordpress site was hacked back in August of last year.

The hackers installed a virus that somehow generated tens of thousands of suspicious URLs across our single domain with reference to all sorts: CBD gummies, male growth hormone, pills, weight loss products, supplements etc all with random letters and numbers in the URL.

Screenshots here: https://imgur.com/a/viJI1tA

We have since moved away from the Wordpress site and migrated to Webflow and used an SEO agency to help us with setting up correct 301 redirects from our old site structure. This was back in September that our new Webflow site went live.

The SEO agency have told us (and charged us thousands) for 'removals' of the virus URLs.
However, the URLs are still appearing as 404s under indexing on GSC and are supposedly being crawled.

There are around 12,000 of them, with the last URL supposedly being crawled just a few days ago.
Does anyone have any idea how the hell we sort this?

TLDR: Wordpress site hacked Aug 2023. Moved to Webflow Sep 2023. Despite SEO agency's work, there are still 12,000 404 errors in GSC.

That sucks, sorry. Had this happen to one of my sites once, as well.

Have you checked that the 301s are still working? If not, you could redirect them again.

Since you're using Webflow (which I've never used), you'd have to set up a redirect through their dashboard. I think something like this could work, so long as there aren't any valid pages that start with "z" and end in ".html" that you don't want redirected:

• Old path: /z(*)/(*)\.html
• Redirect to path: /

That's assuming all the spam pages follow that format shown in the image you shared, like "/z77922/thc.html"

More info: https://university.webflow.com/lesson/set-301-redirects-to-maintain-seo-ranking?topics=seo

You can also create a robots.txt file (https://university.webflow.com/lesson/disable-search-engine-indexing?topics=site-settings#generating-a-robots-txt-file) with this rule, but it's kind of a blunt instrument:


This rule tells web crawlers to avoid indexing any URLs that start with /z. It's a broader rule than what you might be aiming for, but it's necessary due to the limitations of the robots.txt syntax. If there are other legitimate URLs that start with /z and you want them to be indexed, this approach wouldn't work.

If you're using Cloudflare or a similar service that allows page rules you could also set up redirects that way.

And you can always use Google's URL Removal Tool again.

Good luck!

We got one from a wordpress theme reseller (one of those ones where you pay a small amount for a group buy of expensive themes). It's all done at the database level, hidden from your users. Swap the theme. Then you need to go in and find the user that was created in the database, and remove them and their posts from the site.

Get help from a cybersecurity expert to fully clean up the hacked URLs and prevent future attacks