Free SEO Audit
Security & SEO Tool

Spam & Malware
Page Detector

Scan any URL for injected spam code, hidden links, pharma hack, casino injection, cloaked content, obfuscated scripts, and Japanese SEO spam. Free. Instant. No login.

🕵️
Cloaking Detection
Compares content served to regular visitors vs Googlebot — catches spam hidden only from site owners
💊
Pharma & Casino Hack
Detects pharma keywords, casino spam, payday loan injection, and Japanese keyword hack in live page content
👁️
Hidden Content Scanner
Finds hidden links (display:none), off-screen text, zero-size fonts, and white-on-white invisible spam text
⚠️
Obfuscated Code Detection
Flags eval(), base64_decode(), gzinflate() and hidden iframes used to conceal malicious payloads
🔎 What this scan checks
  • Pharma hack keywords (viagra, cialis, pharmacy) in visible page text
  • Casino, gambling, and payday loan spam keyword injection
  • Japanese / Chinese character injection (Japanese keyword hack)
  • Hidden links and text (display:none, visibility:hidden, zero font-size, off-screen)
  • Hidden iframes (zero-size or invisible) used to load malicious content
  • Obfuscated code: eval(), base64_decode(), gzinflate(), str_rot13()
  • Cloaking — different content served to Googlebot vs regular visitors
  • Spam outbound links pointing to pharma, casino, or adult domains
  • Multiple title tags or injected canonical tags
  • Keyword stuffing and suspicious meta refresh redirects

Spam Scan Results

Clean

🛡️ Spam Risk Profile

Clean

🔧 Recommended Actions

⚡ Quick check gives you
  • Pharma keyword presence (yes/no)
  • Casino / gambling keyword presence (yes/no)
  • Hidden elements detected (yes/no)
  • Obfuscated code (eval / base64) presence
  • Hidden iframe presence
  • Japanese / Cyrillic character injection (yes/no)
  • Script count, iframe count, word count
  • Overall quick risk level: Low / Medium / High

⚡ Quick Check Result

Enter Any Page URL

Paste any URL from your site. The scanner fetches the live HTML as both a regular visitor and as Googlebot, so it can detect cloaked spam that is hidden from you but visible to search engines.

10 Checks Run Automatically

The tool scans for pharma and casino keywords, hidden text, hidden links, obfuscated JavaScript, hidden iframes, Japanese spam characters, spam outbound links, cloaking, keyword stuffing, and suspicious meta tags — all in one pass.

Fix and Re-Scan

Use the spam risk score and Recommended Actions panel to fix each finding. Clean up infected files, remove injected code, update your CMS and plugins, then re-scan to confirm the page is clean.

How Hackers Inject Spam Into Your Website — And How to Find It

Website spam injection is one of the most common and damaging SEO attacks. A compromised page can rank for thousands of spam keywords under your domain, tank your search rankings, and get your site manually penalised or de-indexed by Google — all while the spam is invisible to you as a regular visitor. This tool surfaces every spam signal automatically so you can find and remove injected code before it causes lasting damage.

💊

The Pharma Hack — The Most Common Website Spam Attack

The pharmaceutical hack is the single most common form of website spam injection. Attackers gain access to your server — usually through an outdated plugin, CMS vulnerability, or weak admin password — and inject thousands of hidden pages or hidden text blocks containing pharmacy keywords: "buy viagra", "cheap cialis", "generic levitra", "online pharmacy no prescription".

Why it is so dangerous: the injected content is nearly always hidden from regular visitors using CSS (display:none, visibility:hidden, white text on white background) or cloaking — so you see nothing wrong when you visit your own site. But Google indexes the spam content, and your domain starts ranking for pharmacy terms. This damages your domain's reputation, triggers manual actions from Google, and can result in your entire site being de-indexed.

This tool scans the visible text content and hidden elements of your page for pharma keywords and flags anything suspicious immediately.

🎰

Casino & Gambling Spam — The Second Most Common Injection

Casino and gambling spam follows the same pattern as the pharma hack but targets a different set of keywords: "online casino", "free slots", "sports betting", "poker online". This type of spam is extremely common because gambling sites pay premium rates for links on authoritative domains.

The injection is often done through compromised WordPress plugins, outdated themes, or vulnerable contact forms. The spam links are hidden in your page's HTML using the same CSS hiding techniques as the pharma hack — invisible to you, visible to Google. Your site effectively becomes a link farm for gambling operators without your knowledge.

The Japanese keyword hack is a variant specifically targeting Japanese casino and brand keywords. It creates large numbers of auto-generated pages on your domain in Japanese, which then rank in Japanese search results pointing to scam shopping sites. Our tool detects unexpected Japanese or Chinese characters on non-Japanese pages as a primary signal of this attack.

🕵️

Cloaking — When Hackers Hide Spam Specifically from You

The most sophisticated spam injections use cloaking: serving different content to search engine crawlers than to regular users. When you visit your own page, you see the normal content. When Googlebot visits, it sees thousands of spam keywords, hidden links to casinos and pharmacies, or even entire different pages. Because you never see the spam, the attack can run undetected for months.

This tool detects cloaking by fetching the same URL twice — once with a standard browser user-agent and once with a Googlebot user-agent — then comparing the word count and content of both responses. A significant difference (over 30%) is a strong cloaking signal that warrants immediate investigation.

Note: Some legitimate content (lazy-loaded sections, personalised content, JavaScript-rendered elements) can cause minor differences. This is why the tool flags differences above 10% as a warning and above 30% as a critical issue, so you can investigate the specific cause.

🔐

Obfuscated Code — eval(), base64_decode(), and Hidden Iframes

When attackers inject malicious scripts into your site, they almost always obfuscate the code to avoid detection. The most common techniques are: eval() — executes a string as JavaScript code at runtime, allowing the malicious payload to be hidden inside an innocuous-looking variable. base64_decode() — decodes a base64 string at runtime, hiding the actual malicious code from static inspection. gzinflate() / gzuncompress() — decompresses code at runtime for the same obfuscation purpose.

Hidden iframes (zero-width, zero-height, or display:none) are used to load external malicious pages invisibly inside your page. These can be used for drive-by downloads, clickjacking, or invisible redirects that expose your visitors to malware.

Legitimate sites do occasionally use eval() in analytics scripts or base64 in email obfuscation — so context matters. This tool flags these patterns so you can investigate the specific code, not as definitive proof of a compromise.

Frequently Asked Questions

How do I know if my website has been hacked?

Common signs include: Google Search Console showing pages or keywords you never created, your site ranking for pharma, casino, or loan keywords, visitors being redirected to spam sites, Google showing a "this site may be hacked" warning in search results, or your hosting provider flagging malicious files. Run this scanner on your key pages to identify specific injection patterns automatically.

Will this tool find all malware on my website?

This tool scans a single page's rendered HTML for known spam signals — pharma keywords, casino injection, hidden links, cloaking, obfuscated code, and more. It is designed to surface SEO spam that affects your search rankings. For a complete server-side malware scan (checking PHP files, database entries, .htaccess modifications), you will need a server-level tool like Wordfence, Sucuri, or Maldet in addition to this page-level scanner.

What should I do if spam is found on my page?

Immediately: (1) Change all admin passwords and revoke unknown user accounts. (2) Update your CMS, all plugins, and themes to the latest versions. (3) Check your .htaccess file for suspicious rewrite rules. (4) Scan all PHP files on your server for injected code using a server-side scanner. (5) Submit a reconsideration request in Google Search Console if you received a manual action. (6) Re-scan this page after cleanup to confirm the spam is removed.

Why does the tool show warnings on a legitimate page?

Some legitimate website features trigger the same signals as spam. Hidden elements are used in accordions, tabs, and off-canvas menus. Minor Googlebot vs user content differences occur with lazy loading and personalisation. eval() appears in some third-party analytics scripts. The tool is intentionally sensitive — it is better to flag a false positive you can investigate than to miss real spam. Use the samples provided in each finding to determine whether the flagged code is legitimate or injected.

Is this spam detector tool free?

Yes, completely free. No account, no sign-up, no usage limits, no data stored. Paste any URL, run a full spam scan, and export the results as CSV. Free forever — no trial, no paywall.