About CloakScan

Why I built CloakScan

I've been working with WordPress for over 14 years. I'm an official theme reviewer listed on the WordPress.org make team. I've reviewed hundreds of themes, I know the ecosystem inside out. That didn't save me.

In early 2025, four of my client WordPress sites got hacked through a cloaking attack. One had an outdated plugin I'd missed. Another was running Slider Revolution with a known vulnerability. They weren't sites I was actively monitoring — just projects I'd handed off and moved on from.

The attackers injected thousands of hidden pages — pharma spam, casino links, redirect chains — all invisible to browsers but perfectly visible to Googlebot. By the time I noticed, over 2,500 cloaked pages had been indexed. Two months of silent damage.

The SEO impact was devastating. Rankings collapsed, organic traffic dropped to near zero, and one site got flagged in Google Search Console. Cleaning up took weeks. Rebuilding trust with Google took months. The client relationships were strained.

The worst part? A simple external scan comparing what a normal visitor sees versus what Googlebot sees would have caught it on day one. But no tool I could find did that automatically, on a schedule, without needing server access or a plugin installed.

So I built what I needed

CloakScan is the tool I wish I'd had. It runs external dual-crawl scans — one as a normal browser, one as Googlebot — and compares everything: HTML, headers, structured data, screenshots, redirect chains. If something is being shown only to search engines, it catches it.

No plugins to install. No server access needed. No WordPress dependency. Just a URL. It works on any site, any CMS, any stack.

I built it for people like me — freelancers and agencies who manage client sites and can't afford to check everything manually every day. You set it up once, and CloakScan watches your sites around the clock. If something goes wrong, you know within hours, not months.

Because two months of silence is too long.