Some months ago, a former client came to me with a hacked website. The site had not been maintained for 2–3 years. In the rush to rebuild the site, I didn’t take the time to tear down the compromise, and now I’m trying to figure out what WordPress processes were involved.
The only two pieces of evidence I have are that the client noticed strange SERPs and that some of the "URL not found" links in the Search Console have the pattern listed in the title.
My guess is that the hacker injected spam comments through a vulnerability and then used the RSS feed somehow to broadcast the spam. My question is whether my guess is correct, and could I have a few more of the particulars without going to the code level.
I find that when I can supply clients with some details about how the hackers use WordPress structures, they are more likely to agree to the costs of site backups and updates.