Wordpress URLs Not Returning 404 Pages

I need some help with WordPress following a hack.

I've cleaned the hack completely and Google has removed the "This site may be hacked" flag.

The hack submitted a plethora of URLs to Google that contain a random string at the end of each valid URL. These show as Japanese links in google search.

There are URLs listed that show as:

www.example.co.uk/?WGlaVUdsVVNHUnNXVzFzY2xwVE1YbFphVGg1VFZSSmVFOVVTVFZQUjJNOWNFUT14b0g

If I click the link, it shows the sites correct homepage rather than showing a 404 page.

If I go to www.example.co.uk/thispagedoesnotesist it displays the 404 error just fine.

Is there a way I can get pages with these random URL strings to show a 404 error?

Any help or advice would be great.

You can force URLs that contain a long random query string to a 404 with something like the following mod_rewrite directives in .htaccess. This needs to go before your existing WordPress directives:

RewriteCond %{QUERY_STRING} ^\w{30,}$
RewriteRule ^$ - [R=404,L]

A request for the document root (home page) that contains a query string of 30 or more letters/digits then serve a 404.

However, if these are Japanese characters in the URL (as opposed to a-z as in your example) then the above might not match, so try the following instead:

RewriteCond %{QUERY_STRING} ^[^=]{30,}$

Which matches all chars except =.

UPDATE: To match an optional= at the end then you can include =? before the $ in the above regex. For example ^\w{30,}=?$ or ^[^=]{30,}=?$.

If you don't use query strings at all then you could change the RewriteCond directive to the following, which matches any query string (that is at least 1 character).

RewriteCond %{QUERY_STRING} .