
How to Detect Cloaking Attacks on Your Website

LeadAuditPro Team

Your website looks perfectly fine when you visit it. But what if Google is seeing something completely different? That's exactly what a cloaking attack does — and it's one of the most dangerous, hardest-to-detect forms of website hacking in 2026.

We recently discovered a roofing company's website that looked normal to every visitor. But when Google's crawler visited the same page, it saw Indonesian gambling spam — specifically, ads for an online slot machine brand called "Mansion77." The business owner had no idea. His rankings were tanking, and he couldn't figure out why.

This guide explains what cloaking attacks are, how to detect them, and what to do if your site has been compromised.

What Is a Cloaking Attack?

Cloaking is a technique where a website shows different content to search engine crawlers (like Googlebot) than it shows to regular human visitors. Legitimate websites don't do this — Google specifically prohibits it in their spam policies.

Hackers exploit cloaking by injecting malicious code into compromised websites. The code detects whether a visitor is a human (by checking the User-Agent string) or a search engine bot, and serves different content accordingly:

  • Human visitors see the normal website — the business owner's homepage, services, contact info
  • Googlebot sees spam content — gambling ads, pharmaceutical keywords, casino links, or adult content

This is devastating because the website owner never sees the problem. They visit their own site, everything looks fine, and they have no idea Google is indexing spam content under their domain.

Common Types of Cloaking Attacks

1. Japanese Keyword Hack

One of the most common attacks. Hackers inject thousands of pages with Japanese text (often selling counterfeit goods) into your site. Google indexes these pages, and your site starts ranking for Japanese search queries you've never heard of.

2. Indonesian Gambling Spam

Growing rapidly in 2025-2026. Hackers inject content promoting Indonesian online gambling sites (slot machines, poker, sports betting). The injected content often references brands like Mansion77, MPO Slot, or "Situs Slot Dana." We've seen this on dozens of small business websites across the US.

3. Pharma Hack

The classic: your site starts ranking for "buy Viagra cheap" or "Cialis online." The spam is invisible to you but clearly visible to Google. This has been around for over a decade and still catches thousands of sites every year.

4. Redirect Cloaking

Instead of showing different content, the cloaked page redirects bots through a chain of URLs to land on a spam site. Human visitors see the normal page, but Google follows the redirect chain to the spam destination.

How to Detect Cloaking on Your Website

Method 1: Use a Cloaking Detection Tool

The fastest way to check is to use a tool that fetches your page as both a regular browser AND as Googlebot, then compares what each one sees. If the content differs, you have a cloaking problem.

Our Hack & Malware Scanner does exactly this. Enter your URL and it will:

  • Fetch your page as Chrome (what you see)
  • Fetch the same page as Googlebot (what Google sees)
  • Compare the page titles, content length, and body text
  • Scan for known spam keywords in both versions
  • Check multiple pages automatically (hackers often target /about/ or /services/ pages, not just the homepage)

Method 2: Google Search Console

Log into Google Search Console and check:

  1. Security Issues — Google will flag known hacks here
  2. Manual Actions — if Google detected cloaking, they may have issued a manual penalty
  3. URL Inspection — paste your URL and click "View Tested Page" to see what Google sees. Compare this to what you see in your browser

Method 3: Google Cache Check

Search Google for cache:yourdomain.com. The cached version shows what Google last saw. If the cached version contains spam text that isn't on your actual site, you're cloaked.

Method 4: Manual User-Agent Test

For technical users: use cURL to fetch your page with Googlebot's User-Agent string:

curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" https://yoursite.com/about/

Compare the output to what you see in your browser. If they're different, you've found the cloaking.
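The comparison described in Methods 1 and 4, as an added example (not LeadAuditPro's scanner code). The Chrome User-Agent string, the keyword list, the 0.8 similarity threshold and the two sample pages are assumptions constructed for illustration.

```python
import re
import urllib.request
from difflib import SequenceMatcher

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Illustrative keyword list (assumption), taken from the spam types named in this article.
SPAM_KEYWORDS = ["slot", "mansion77", "viagra", "cialis", "casino", "poker"]

def fetch(url, user_agent, timeout=15):
    """Return the decoded HTML of url as served to the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def title_of(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return " ".join(m.group(1).split()) if m else ""

def visible_text(html):
    # Drop script/style bodies first so per-request nonces do not count as a difference.
    html = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.I | re.S)
    return " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()

def compare(browser_html, bot_html, min_similarity=0.8):
    b_text, g_text = visible_text(browser_html), visible_text(bot_html)
    similarity = SequenceMatcher(None, b_text, g_text).ratio()
    bot_only = [k for k in SPAM_KEYWORDS if k in g_text and k not in b_text]
    title_differs = title_of(browser_html) != title_of(bot_html)
    return {
        "title_differs": title_differs,
        "length_delta": len(bot_html) - len(browser_html),
        "similarity": round(similarity, 2),
        "bot_only_keywords": bot_only,
        "suspicious": title_differs or bool(bot_only) or similarity < min_similarity,
    }

def check_url(url):
    return compare(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))

# Constructed sample pages so the comparison runs offline.
SAMPLE_BROWSER = "<html><head><title>Acme Roofing</title></head><body><h1>Roof repair</h1><p>Call us today.</p></body></html>"
SAMPLE_BOT = "<html><head><title>Situs Slot Dana</title></head><body><h1>Mansion77 slot</h1><p>Poker casino.</p></body></html>"

if __name__ == "__main__":
    print(compare(SAMPLE_BROWSER, SAMPLE_BOT))
```

A User-Agent-only fetch will not trigger injected code that also checks whether the request comes from Google's IP ranges, so a clean result here does not replace the URL Inspection check in Method 2.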

What to Do If Your Site Is Cloaked

  1. Don't panic — but act fast. The longer the cloaking stays active, the more damage it does to your rankings
  2. Take a backup of your current site (files + database) — you'll need it for forensics
  3. Change all passwords — WordPress admin, FTP, hosting, database
  4. Scan for malware — use Wordfence (WordPress), MalCare, or Sucuri to find and remove the injected code
  5. Check your .htaccess file — this is the most common place for cloaking rules to hide
  6. Reinstall core files — reinstall WordPress core, your theme, and all plugins from official sources
  7. Request re-indexing — in Google Search Console, submit your cleaned URLs for re-crawling
  8. Set up monitoring — use a hack watchlist to get alerted if the attack returns
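For step 5, an added example (not part of the original article) that lists .htaccess rewrite rules gated on a crawler User-Agent or a search-engine referrer, so they can be reviewed by hand. The token list, the sample file and its placeholder target path are constructed assumptions; a legitimate bot-blocking rule will also show up, so treat results as candidates for review.

```python
import re

# Crawler names and search referrers to look for in conditions
# (illustrative list, an assumption of this example).
BOT_TOKENS = re.compile(r"googlebot|bingbot|yandex|baiduspider|slurp|google\.|bing\.", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_conditional_rewrites(htaccess_text):
    """Return (line_no, condition, rule) for rewrites gated on a crawler UA or search referrer."""
    findings, pending = [], []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        c = COND.match(line)
        if c:
            if BOT_TOKENS.search(c.group(2)):
                pending.append((no, line.strip()))
            continue
        if RULE.match(line):
            # RewriteCond lines apply only to the next RewriteRule.
            findings += [(cno, cond, line.strip()) for cno, cond in pending]
            pending = []
    return findings

# Constructed sample: a stock WordPress block followed by one bot-gated rule.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ /wp-content/PLACEHOLDER.php?p=$1 [L]
"""

if __name__ == "__main__":
    for line_no, cond, rule in find_conditional_rewrites(SAMPLE_HTACCESS):
        print(f"line {line_no}: {cond}  ->  {rule}")
```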

How to Prevent Cloaking Attacks

  • Keep WordPress updated — most cloaking attacks exploit outdated plugins or themes
  • Use a security plugin — Wordfence or MalCare provide real-time protection
  • Enable two-factor authentication on your WordPress admin
  • Monitor your site regularly — run a hack scan monthly to catch problems early
  • Check Google Search Console weekly — security issues and manual actions show up here first

Why Most Security Scanners Miss Cloaking

Traditional malware scanners check for known malicious files on your server. But cloaking attacks often don't involve separate malicious files — instead, they inject a few lines of PHP into legitimate files (like your theme's functions.php) or add rewrite rules to .htaccess. The injected code only activates when it detects a bot, so the scanner never triggers it.

That's why dual User-Agent scanning is essential. By fetching the same page as both a browser and a bot, you can detect cloaking that file-based scanners completely miss.

Our free hack scanner is specifically designed for this. It's the same technique we used to discover the Indonesian gambling spam on a local roofing company's website — a hack that had been running undetected for months.

Bottom Line

Cloaking attacks are invisible to website owners, devastating to search rankings, and missed by most security tools. The only reliable way to detect them is to see what Google sees — by fetching your pages with Googlebot's User-Agent and comparing the result to what your browser shows.

If you suspect your site might be cloaked, run a free scan now. It takes 30 seconds, checks multiple pages automatically, and will tell you definitively whether your site is serving different content to search engines.
