Thousands of dummy pages in Google Search console with url parameter /?itm=E1424817 - is this legit or not?

Question

I have a simple WP 2-page site (Homepage and Privacy policy). About a month ago due to plugin vulnerability, it was attacked. We have removed the plugin and I believe everything suspicious. However, I noticed that Google Search Console (GSC) keeps finding thousands of pages that have a generated ITM parameter and look like this https://mydomainok.com/?itm=E1424817.

In URL inspection GSC says this:

Discovery
Sitemaps: No referring sitemaps detected
Referring page: https://mydomainok.com/sitemap.xml

I have inspected the source of the pages and .htaccess and couldn't find anything that would redirect me to those URLs.

Plugins:

CookieYes | GDPR Cookie Consent
Disable Search
Rank Math SEO
W3 Total Cache
Wordfence Security

My first impression was that this was a leftover from the attack before - somewhere there is a URL that points toward my site and my site based on that parameter generates a backlink towards some other site and thus faking SEO backlink. Since we removed the malicious content (presumably) nothing is happening now.

However, GSC as a referral says it is my mydomainok.com/sitemap.xml and I didn't find anything there.

I would like to know what is generating these URLs.

Answer 1

Add this code in robots.txt file.

User-agent: *
Disallow: /  # Disallow all by default

Allow: /$  # Allow the homepage
Allow: /privacy-policy  # Allow the privacy policy page

This configuration tells search engine crawlers to disallow everything by default but explicitly allows indexing for the homepage (/) and the privacy policy page (/privacy-policy).

Make sure to adapt these directives according to your actual URLs and site structure. After making changes, it's advisable to test your robots.txt file using tools like Google's Robots Testing Tool to ensure it's working as expected.