The site was hacked by a casino spam network. It is contained, but not fully cleaned yet.
Around 22 June 2026, reya.ai was compromised through a user account with administrator access. The attackers run a PBN (Private Blog Network) — an operation that hacks trusted sites to publish casino content and links. Everything reachable from WordPress admin has been cleaned; the remaining infection sits deeper and needs hosting-level access to remove.
- ~22 JuneAttack beginsFirst malicious activity through a compromised account, per the activity log.
- 22–29 JuneSpam published & indexedCasino posts go live; footer links injected; Google indexes 12 spam posts within days.
- ~29 JuneDetection & first responseEntry point traced; malicious plugins and rogue users removed; all passwords reset.
- Early JulySearch cleanup beginsAll 12 spam URLs hidden via Search Console Removals. No manual action confirmed.
- TodayInfection still active below the surfaceSpam keeps reappearing; footer injection still live. Points to a file/database-level backdoor.
- NextDeep clean with hosting accessFull file and database audit with the hosting provider.
The good news Verified
Search Console shows no manual action and no security warning. Google has not penalised the site — the damage is to trust signals, not a formal penalty. Acting within the first week likely prevented browser warnings that would have hit every visitor.
The open risk Urgent
The casino footer links are still live on the site today. Every day they stay, Google re-reads a healthcare domain endorsing gambling sites. The SEO recovery clock cannot start until the backdoor is found and removed — which needs hosting-level access.
This month In progress
Aggressive SEO measures underway: deleted spam URLs are being moved from 404 to 410 Gone to force faster permanent deindexing, while hosting access is arranged for the deep clean.
A casino spam network took control and published through the site
Spam posts 12 indexed
The attackers published casino-related blog posts on reya.ai. Google crawled and indexed 12 of them before they could be caught.
Footer link injection Still live
Casino links were injected into the site footer — anchor text in Russian, French, Polish, Turkish, Hungarian and Danish, all pointing to gambling websites. This injection is still visible on the site today.
Why they do it: the PBN model
A Private Blog Network hacks legitimate, trusted websites and uses them as link farms. Reya.ai's domain trust — built through real content and real authority — is exactly what makes it valuable to them: every casino link on the site passes some of that trust to their gambling pages. They target sites like this deliberately, and they build in ways to stay.
The uncomfortable irony: our own indexing velocity
Over the past three months, our SEO work raised the site's crawl frequency and indexing velocity to the point where a new article could be indexed in about 3 days — content was even being picked up by Google's Gemini. That same speed worked against us during the attack: Google indexed the spam before it could be caught. On a slower site, most of those 12 posts would never have reached the index.
That velocity is not the problem — it's an asset. Once the site is clean, the same speed accelerates the recovery.
Entry through a compromised account with administrator access
Compromised administrator account
The WP Activity Log shows the first malicious actions coming from a user account with administrator privileges. Typical causes are a stolen or reused password — and WordPress had no two-factor authentication at the time, so a password alone was enough to get in.
Two malicious plugins
Using that access, the attackers installed plugins disguised as normal utilities — "Easy Post" and "Speed Optimiser". These did the actual damage: publishing spam and planting deeper hooks into the site.
Extra accounts & a bot
They created multiple extra user accounts and a bot account, so losing one door would not lock them out. Standard practice for PBN operations — they plan to stay.
What Ace Wix could reach
Ace Wix holds WordPress admin access only — the level an SEO agency normally works at. Everything visible and fixable from that level has been handled. The remaining infection lives below it, at the hosting level.
Immediate containment and search cleanup
Inside WordPress Done
· Traced the entry point through the WP Activity Log
· Deleted the two malicious plugins
· Removed every rogue user account, including the bot
· Reset the password of every user on the site
· Deleted all casino spam posts
In Google Search Done
Submitted all 12 indexed spam URLs through Search Console's Removals tool — they are now hidden from results. The hold lasts about 6 months, covering us while permanent removal completes.
Verified in Search Console: no manual action, no security issue. That keeps the recovery path clean.
This month's aggressive SEO measures In progress
Moving the deleted spam URLs from 404 (Not Found) to 410 (Gone). A 404 tells Google "missing, maybe temporary"; a 410 says "removed on purpose, permanently". Google drops 410 pages from the index noticeably faster — this is one of the levers we're pulling to shorten the recovery.
The infection sits below WordPress — and every day it stays live matters
The symptom
After the cleanup, spam posts kept reappearing at regular intervals — and the casino footer links are still live on the site today, weeks after the plugins, users and passwords were dealt with.
The conclusion
The attackers left a backdoor at the file or database level — hidden code that recreates their access and content even after the visible pieces are removed. This layer is not reachable from the WordPress dashboard; it needs hosting-level access to the site's files and database.
Why this is serious Priority 1
Reya.ai is a healthcare platform. Every day the footer keeps linking to gambling sites, Google re-reads a health domain endorsing casinos — the exact opposite of the trust profile the site needs. And the SEO recovery clock cannot start until the infection is fully removed: cleaning search results while the site re-infects itself is pouring water into a leaking bucket. Closing the backdoor is the single most urgent item in this report — which is why the next phase, done with the hosting provider, matters more than anything else here.
A health site linked to casinos: the worst mismatch under Google's trust rules
Google treats health websites as YMYL ("Your Money or Your Life") — topics where bad information can hurt people. For YMYL sites, Google leans heavily on E-E-A-T: Experience, Expertise, Authoritativeness, Trustworthiness. Reya.ai's rankings depend on Google trusting it as a serious healthcare platform — and the hack attacks exactly that trust.
Topic dilution
Search Console now shows casino terms and anchor texts connected to reya.ai. Google's picture of what the site is "about" has been polluted with gambling topics — a drag on every healthcare keyword until it fades.
Trust signals
Outbound casino links from a health domain, spam pages in the index, and spam anchor text all lower the trust side of E-E-A-T. These fade only after the source is gone and Google re-crawls the clean site.
No penalty
No manual action, no security warning. A "hacked site" flag could have put warnings in Chrome for every visitor — far worse for a healthcare company. Acting within the first week likely prevented it.
Timeline cost: the target moves from month 6 to month 9
Deindexing the spam, letting the casino terms fade, and rebuilding trust signals adds roughly one quarter. The keyword set originally projected to reach top positions around month 6 is now projected for month 9.
Ranking projections always depend on Google — these are informed estimates, not guarantees.
A complete audit of the WordPress files and database, with the hosting provider
With hosting access granted, we run a systematic sweep of every layer the attackers could have touched. The goal is simple: find and remove every backdoor, then prove the site stays clean.
Core integrity
Verify the WordPress core files against the official clean versions, so any modified or added file stands out immediately.
Theme & plugin audit
Review the theme and all plugin code for injected code — including the footer injection that is still live. Reinstall from clean official sources where needed.
Malware scan
Scan the full file system for hidden scripts and webshells — attackers commonly plant these where the WordPress dashboard never shows them.
Database audit
Check the database content for injected entries, hidden users and stored spam — including anything that regenerates the spam posts.
Scheduled tasks
Review all scheduled tasks, WordPress and server level. Spam recurring at regular intervals often means a malicious scheduled job is doing the publishing.
Full credential rotation
Rotate every credential the attackers could have copied — hosting, database and FTP passwords, plus WordPress's internal security keys, which force-logs-out every session they might still hold.
Verification window
After the clean, monitor the activity log and file changes for a set period to confirm nothing regenerates. Only then do we call the incident closed — and start the SEO recovery clock.
This work is coordinated with the hosting provider's support team. Specific findings — file locations, affected records — are documented privately during the audit and shared in the closure report.
Prevention and hardening plan
Custom login URL Live
The default WordPress login URL has been changed to a custom one, cutting off the automated bots that hammer the standard login page.
Two-factor authentication Rolling out
Enforce 2FA for every account, mandatory for administrator and editor roles. Each person enrols their own authenticator app — a stolen password alone will never be enough again. This directly closes the door the attackers used.
Security plugin (AIOS) Rolling out
Deploy All-In-One Security: login rate limiting and lockouts, firewall rules, file change detection, and continuous monitoring.
Ongoing watch Continuous
Keep the WP Activity Log running with regular reviews, plus scheduled malware scans and file integrity checks — so any future attempt is caught in hours, not days.
How the search damage unwinds — step by step
Google does not forget instantly, but it does forget. Here is the realistic sequence once the deep clean is complete. The key dependency: every clock below starts only after the infection is fully removed.
Aggressive cleanup measures In progress
Spam URLs hidden via the Removals tool (done) and moved from 404 to 410 Gone this month, telling Google the pages are permanently removed. Hosting access requested for the deep clean.
Permanent deindexing
As Google re-crawls the 410 pages, the 12 spam URLs drop out of the index permanently — not just hidden, gone. The homepage and remaining blog post re-crawl clean once the footer injection is removed.
Casino terms fade from Search Console
With the spam pages and footer links gone, the casino queries and anchor texts lose their source and fade over several weeks of re-crawling.
Trust and topic signals recover
Google's picture of reya.ai re-centres on healthcare. Fresh, high-quality content published in this window speeds it up — the site's strong indexing velocity now works for us again.
Push to the ranking target
With clean signals restored, the original growth plan resumes at full force. The target keyword set is projected to reach top positions around month 9.
Summary: the hack costs roughly one quarter. The foundation built in the first three months — crawl frequency, indexing velocity, content quality — is intact, and it is exactly what makes the recovery this fast.
Monthly SEO updates
Each month's progress report lives here — deindexing progress, Search Console trends, keyword movement and the recovery milestones from the incident report.
The first monthly update will appear here once the recovery work is underway — with real numbers: URLs deindexed, casino terms remaining in Search Console, and keyword movement against the month-9 target.