I recently received a notice from Google that a WordPress site I am administering is subject to a "manual spam action" due to "spam generated by the user". The content they have marked does not seem to be on my site, however, instead, they are inbound links from other domains for searches of fake sites, such as "[my domain]/? s =[spammy Korean characters and link to probable porn site]"
I sent a rejection file of links through the Google Search Console and asked that the action be reconsidered. But how can I avoid (for this and other WordPress sites) a similar problem happening again?