
Japanese Keyword Hack WordPress: Cleanup Guide

Bastien Allain | March 11, 2026 | 13 min read
Tags: wordpress, hacking, seo-spam, japanese-hack, security

You type site:yourdomain.com in Google and discover hundreds of pages in Japanese that you never created. The titles contain incomprehensible characters, the descriptions mention counterfeit products, and your organic traffic is collapsing. You are a victim of the Japanese Keyword Hack, one of the most widespread SEO spam attacks on WordPress.

How to clean a Japanese keyword hack on WordPress (7 steps)

  1. Confirm the infection: search site:yourdomain.com in Google and check for Japanese-language spam pages in the results.
  2. Secure all access credentials: change every password, including WordPress admin, FTP, database, and hosting panel accounts.
  3. Clean the .htaccess file: replace your .htaccess with a clean default WordPress version to remove cloaking rules.
  4. Remove malicious PHP files: scan for and delete suspicious PHP files in wp-content/uploads and other non-standard locations.
  5. Reinstall WordPress core and plugins: download fresh copies of WordPress core, themes, and plugins from official sources.
  6. Clean the database: remove spam posts, unknown user accounts, and malicious cron jobs from the WordPress database.
  7. Request Google re-indexing: configure 410 responses for spam URLs and submit a reconsideration request via Search Console.

What Is the Japanese Keyword Hack?

Understanding the Attack

The Japanese Keyword Hack (also called Japanese SEO Spam) is a hacking technique where the attacker injects thousands of Japanese-language pages into your WordPress site. These pages are automatically generated and contain links to sites selling counterfeit products: luxury handbags, watches, designer clothing.

The hacker's goal is not to destroy your site. It is to exploit your domain authority to rank their spam pages in Google search results. Your site becomes an SEO tool serving the hacker's interests.

Why Hackers Target WordPress

WordPress powers over 43% of all websites worldwide. This massive popularity makes it a prime target:

  • Vulnerable plugins: a single flaw in a plugin installed on millions of sites opens a massive attack vector.
  • Neglected updates: sites that are not updated expose known and documented vulnerabilities.
  • Weak credentials: brute force attacks on /wp-login.php exploit predictable passwords.
  • Shared hosting: a compromised site on a shared server can allow access to neighboring sites.

To learn about other forms of WordPress malware, check our guide to common WordPress malware types.

How the Hack Works Technically

The Injection Mechanism

The hacker exploits a vulnerability (plugin, theme, credentials) to access your site. Once inside, they deploy a malicious PHP script that:

  1. Creates ghost pages: thousands of pages are generated in your database or as PHP files in hidden directories.
  2. Modifies the sitemap.xml: the hacker generates a sitemap containing all spam page URLs to accelerate their indexation by Google.
  3. Injects links into your existing pages to transfer authority to the spam pages.
  4. Installs a backdoor: a hidden PHP file that allows the hacker to return even after a partial cleanup.

Cloaking: The Concealment Technique

Cloaking is the reason you do not see the spam pages when visiting your site normally. The malicious script detects who is visiting the page:

  • If it is Googlebot (Google's crawler): the script displays the Japanese spam content.
  • If it is a human visitor: the script shows your normal page or redirects to the hacker's site.
  • If it is a logged-in administrator: the script hides completely.

This is why many site owners do not detect the problem until weeks or months after the infection, when Google starts indexing the spam pages and organic traffic drops.
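
To observe the User-Agent based behaviour described above on your own site, the following added example (not part of the original guide) fetches one URL as a browser and as a crawler and compares how much Japanese text each copy contains. The function names, the browser User-Agent, the threshold and the sample bodies are assumptions made for illustration.

```sh
#!/bin/sh
# Googlebot's published desktop token; the browser UA is an arbitrary choice.
UA_BOT='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
UA_HUMAN='Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0'

# Count UTF-8 lead bytes 0xE3-0xE9 on stdin: one per character in roughly
# U+3000-U+9FFF, which covers Hiragana, Katakana and the common Kanji block.
cjk_count() {
    echo $(( $(LC_ALL=C tr -cd '\343-\351' | wc -c) ))
}

# Compare two saved response bodies. The pair is flagged when the crawler
# copy holds at least MIN more CJK characters than the browser copy.
compare_bodies() {   # usage: compare_bodies HUMAN_FILE BOT_FILE [MIN]
    h=$(cjk_count < "$1"); b=$(cjk_count < "$2")
    if [ $((b - h)) -ge "${3:-50}" ]; then verdict=CLOAKING-SUSPECTED
    else verdict=consistent; fi
    echo "human=$h bot=$b $verdict"
}

# Fetch one URL of your own site with both User-Agents (needs network).
check_url() {        # usage: check_url https://yourdomain.com/some-page/
    t=$(mktemp -d) || return 1
    curl -sL -A "$UA_HUMAN" -o "$t/human" "$1" &&
    curl -sL -A "$UA_BOT" -o "$t/bot" "$1" &&
    compare_bodies "$t/human" "$t/bot"
    rc=$?; rm -rf "$t"; return $rc
}

# Constructed sample bodies so the comparison can be tried offline.
human_sample() { echo '<html><title>My Bakery</title><p>Opening hours</p></html>'; }
bot_sample()   { echo '<html><title>ブランド時計</title></html>'; }
```

Cloaking that identifies the crawler by IP address rather than by User-Agent will not react to this test; the URL Inspection tool in Google Search Console shows what Googlebot itself receives.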

Sitemap Manipulation

The hacker often creates one or more additional sitemap files:

/sitemap-ja-1.xml
/sitemap-ja-2.xml
/wp-content/uploads/sitemap.xml

These sitemaps contain the spam page URLs and are submitted to Google via Search Console (if the hacker managed to verify themselves as owner) or simply linked from the modified robots.txt.

Adding Owners to Google Search Console

A sophisticated hacker adds their own account as a verified owner in Google Search Console. This allows them to:

  • Submit sitemaps containing spam pages.
  • Monitor the performance of their spam pages.
  • Prevent URL removal if you do not detect them.

How to Detect the Infection

Method 1: The site: Operator in Google

The fastest method to check if your site is infected:

site:yourdomain.com

If you see results with titles in Japanese characters or descriptions containing luxury brand names in Japanese, your site is compromised by SEO spam malware.

You can refine the search:

site:yourdomain.com intitle:japanese_characters

Replace japanese_characters with specific terms if you have spotted them in the results.

Method 2: Google Search Console

Log into Google Search Console and check:

  1. Security issues: Search Console typically displays a "Hacking detected", "Hacked content", "Content injection" or "Malicious redirects" warning.
  2. Indexed pages: in the coverage report, look for a sudden increase in the number of indexed pages.
  3. Performance: check if Japanese queries appear in the performance report.
  4. Verified owners: in property settings, verify that no unknown owner has been added. Immediately remove any account you do not recognize.
  5. Sitemaps: check submitted sitemaps. Remove any sitemap you did not create.

Method 3: Server File Inspection

Connect to your server via FTP or SSH and look for:

  • Recently modified files in directories where they should not be:
find /var/www/html -name "*.php" -mtime -30 -type f
  • Suspicious files in /wp-content/uploads/ (this directory should only contain images and documents, not PHP files).
  • The .htaccess file at the root: check if it contains unusual redirect or cloaking rules.

Method 4: Server Log Analysis

Access logs can reveal suspicious connections:

grep "POST /wp-login.php" /var/log/apache2/access.log | tail -100

Look for massive login attempts (brute force) or POST requests to unusual PHP files in /wp-content/uploads/.
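
The two patterns named above, turned into a small triage script (an added example, not part of the original guide). It assumes Apache's "combined" log format; the function names, thresholds and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in Apache "combined" format (documentation-range IPs).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2026:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2026:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2026:09:01:00 +0000] "GET /wp-content/uploads/2026/03/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:04:00:00 +0000] "POST /wp-content/uploads/2026/02/xkdf8s.php?a=1 HTTP/1.1" 200 17 "-" "-"
EOF
}

# Clients with at least MIN_HITS POSTs to /wp-login.php, busiest first.
# Prints "count ip".
login_bruteforce() {    # usage: login_bruteforce 100 < access.log
    awk -v min="${1:-20}" '
        $6 == "\"POST" { split($7, p, "?"); if (p[1] == "/wp-login.php") hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# POSTs to any PHP file under wp-content/uploads/. Prints "ip status path".
# A 200 status means the file exists and executed, so inspect it first.
uploads_php_posts() {   # usage: uploads_php_posts < access.log
    awk '$6 == "\"POST" {
        split($7, p, "?")
        if (p[1] ~ /^\/wp-content\/uploads\/.*\.php$/) print $1, $9, p[1]
    }'
}

sample_log | login_bruteforce 3
sample_log | uploads_php_posts
```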

Step-by-Step Cleanup Guide

Step 1: Immediate Security Measures

Before cleaning anything, secure access:

  1. Put your site in maintenance mode to prevent visitors from accessing infected content.
  2. Create a complete backup (files + database). Even though the site is infected, this backup will be useful for comparison.
  3. Change all passwords:
    • WordPress administrators (all accounts).
    • FTP/SFTP access.
    • cPanel or hosting panel access.
    • MySQL database.
    • WordPress security keys in wp-config.php.

To change security keys, replace the values in wp-config.php with new keys generated at api.wordpress.org/secret-key:

define('AUTH_KEY',         'new-unique-key');
define('SECURE_AUTH_KEY',  'new-unique-key');
define('LOGGED_IN_KEY',    'new-unique-key');
define('NONCE_KEY',        'new-unique-key');
define('AUTH_SALT',        'new-unique-key');
define('SECURE_AUTH_SALT', 'new-unique-key');
define('LOGGED_IN_SALT',   'new-unique-key');
define('NONCE_SALT',       'new-unique-key');

Step 2: Clean the .htaccess File

The .htaccess file is often modified to implement cloaking. Here is what a clean WordPress .htaccess looks like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If your .htaccess contains additional rules you do not recognize (especially conditions based on Googlebot's User-Agent), replace it entirely with the clean version above.

Also check for additional .htaccess files in subdirectories (/wp-content/, /wp-includes/, etc.).
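
Before overwriting the file, it helps to see exactly which directives differ from the clean block. The following added example (not part of the original guide) lists every active line that is not in the clean WordPress block shown above and marks the ones that test the User-Agent. The function names and the tampered sample, including its placeholder target file, are constructed for illustration.

```sh
#!/bin/sh
# Allow-list: the clean WordPress block shown above on this page.
clean_htaccess() {
cat <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF
}

# Constructed sample of a tampered file (placeholder target, not a real IoC).
sample_htaccess() {
cat <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteRule ^ /wp-content/uploads/xkdf8s.php [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# Print "TAG lineno: text" for every active directive not in the allow-list.
# UA  = the line tests the User-Agent (likely cloaking).
# NEW = anything else to review (cache and security plugins add rules too).
audit_htaccess() {   # usage: audit_htaccess < /var/www/html/.htaccess
    { clean_htaccess; echo '@@TARGET@@'; cat; } | awk '
        !seen && $0 == "@@TARGET@@" { seen = 1; next }
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        !seen { ok[line] = 1; next }
        { n++ }
        line == "" || line ~ /^#/ || (line in ok) { next }
        { tag = (tolower(line) ~ /http_user_agent|googlebot|bingbot/) ? "UA" : "NEW"
          print tag, n ": " line }
    '
}

# Every .htaccess under the docroot:
# find /var/www/html -name .htaccess -type f | while read -r f; do echo "== $f"; audit_htaccess < "$f"; done
sample_htaccess | audit_htaccess
```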

Step 3: Remove Malicious PHP Files

Search for and remove suspicious PHP files:

# Find PHP files in the uploads directory
find /var/www/html/wp-content/uploads/ -name "*.php" -type f

# Find files with suspicious content
# (-F matches the string literally; -exec ... {} + copes with spaces in file names)
find /var/www/html -name "*.php" -type f -exec grep -lF "eval(base64_decode" {} +
find /var/www/html -name "*.php" -type f -exec grep -lF "eval(gzinflate" {} +

Malicious files are often hidden with innocuous names like wp-config-backup.php, class-wp-cache.php, or random names like xkdf8s.php.

Common backdoor locations:

  • /wp-content/uploads/ (PHP files that should not be there).
  • /wp-includes/ (files that are not part of the WordPress core).
  • /wp-content/themes/ (in inactive themes).
  • /wp-content/plugins/ (in deactivated plugins or suspicious folders).
  • At the site root (unknown PHP files).

Step 4: Reinstall WordPress Core

Download a fresh copy of WordPress from wordpress.org and replace:

  • The entire /wp-admin/ folder.
  • The entire /wp-includes/ folder.
  • PHP files at the root (except wp-config.php which you already cleaned).

Do not touch the /wp-content/ folder at this stage (it contains your themes, plugins, and media).

Step 5: Reinstall Themes and Plugins

  1. Note the list of your active themes and plugins.
  2. Completely delete the folders for all themes and plugins.
  3. Re-download them from the official WordPress.org directory or from the vendor's site for premium versions.
  4. Never use "nulled" (pirated) themes or plugins: they often contain backdoors.

Step 6: Clean the Database

Connect to phpMyAdmin or use WP-CLI to:

Remove unknown users:

SELECT * FROM wp_users WHERE user_login NOT IN ('your_login', 'other_legitimate_admin');

Delete any user you do not recognize.

Search for spam pages:

SELECT ID, post_title, post_date FROM wp_posts
WHERE post_title LIKE '%japanese_characters%'
OR post_content LIKE '%japanese_characters%'
ORDER BY post_date DESC;

Check for suspicious options:

SELECT * FROM wp_options WHERE option_name LIKE '%sitemap%';
SELECT * FROM wp_options WHERE option_value LIKE '%eval%';
SELECT * FROM wp_options WHERE option_value LIKE '%base64%';

Clean malicious cron jobs:

SELECT * FROM wp_options WHERE option_name = 'cron';

Hackers often add scheduled tasks that regenerate the malware even after cleanup.

Step 7: Verify wp-config.php

Open wp-config.php and verify:

  • That it does not contain eval(), base64_decode() code, or external file inclusions.
  • That database credentials are correct.
  • That security keys were properly changed (step 1).
  • That there is no PHP code before the opening <?php tag or after the last line.

SEO Recovery After Cleanup

Technical cleanup is only half the work. Now you need to recover your search rankings.

Configure 410 Gone Responses

Spam page URLs should return an HTTP 410 (Gone) code rather than a 404. The 410 code tells Google the page has been permanently removed and accelerates deindexation.

Add to your .htaccess:

# Japanese spam pages - 410 response
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^spam-url-pattern - [G]
</IfModule>

Or use a redirect plugin to configure mass 410 responses.

Use the URL Removal Tool

In Google Search Console:

  1. Go to Removals > New request.
  2. Submit spam page URLs one by one, or use a prefix if the URLs share a common pattern.
  3. These removals are temporary (6 months). The 410 code ensures permanent removal.

Submit a New Sitemap

  1. Delete all submitted sitemaps in Google Search Console.
  2. Generate a new clean sitemap with your SEO plugin (Yoast, Rank Math, etc.).
  3. Submit the new sitemap in Google Search Console.
  4. Verify that the sitemap only contains your legitimate pages.

Request a Security Review

If Google flagged your site with a security warning:

  1. In Google Search Console, go to Security Issues.
  2. Check "I have fixed these issues."
  3. Click Request a review.
  4. Google reviews your site within a few days to a few weeks.

Patience required: complete removal of spam pages from Google's index can take several weeks to several months. This is normal. Continue publishing quality content and submitting your sitemap to speed up the process.

Prevention: Stopping the Hack From Returning

Systematic Updates

  • Update WordPress, plugins, and themes as soon as a new version is available. See our WordPress maintenance guide for a complete update plan.
  • Enable automatic updates for security patches.
  • Remove inactive themes and plugins: a deactivated plugin that is still present on the server remains an attack vector.

Security Plugin

Install a security plugin like Wordfence or Sucuri Security:

  • Web Application Firewall (WAF) to block malicious requests.
  • Regular file scanning to detect suspicious modifications.
  • Alerts for suspicious login activity.
  • Login attempt limitation.

Check our comprehensive WordPress security guide and our WordPress security service for enhanced protection.

Access Hardening

  • Strong passwords: minimum 16 characters, randomly generated.
  • Two-factor authentication (2FA) on all administrator accounts.
  • Login attempt limitation: block IP addresses after 5 failed attempts.
  • Custom login URL: change /wp-login.php to a custom URL.
  • Disable XML-RPC if you do not use it.

Continuous Monitoring

  • Set up Google Search Console alerts to be notified of security issues.
  • Regularly check WordPress users: no unknown accounts should appear.
  • Implement automatic security scanning (daily or weekly).
  • Monitor critical files (.htaccess, wp-config.php, index.php) for any modifications.

If you prefer to leave this monitoring to professionals, discover our WordPress malware removal service.

Japanese Spam vs Chinese Spam: What Is the Difference?

The Japanese Keyword Hack and Chinese Keyword Spam use similar techniques but with some differences:

| Aspect | Japanese Spam | Chinese Spam |
| --- | --- | --- |
| Language | Japanese (Kanji, Hiragana, Katakana characters) | Simplified Chinese (Hanzi characters) |
| Products promoted | Luxury counterfeits (bags, watches, clothing) | Various products (electronics, pharmaceuticals, gambling) |
| Technique | Advanced cloaking + sitemaps | Injection into existing pages + cloaking |
| Detection | Ghost pages in Google index | Links and content injected into existing pages |
| Cleanup | Similar (files + database + sitemaps) | Similar (files + database) |

Both types of attacks exploit the same vulnerabilities and are cleaned the same way. The main difference is cosmetic: the language and products promoted.

To understand other signs of a hacked site, check our guide to signs your WordPress site is hacked.

FAQ: Frequently Asked Questions

Why does my WordPress site show Japanese pages in Google?

Your site is a victim of the Japanese Keyword Hack. A hacker exploited a vulnerability (outdated plugin, weak password, vulnerable theme) to inject thousands of Japanese spam pages. These pages use cloaking to hide from you but display for Googlebot, which explains why you only see them in search results.

Does reinstalling WordPress remove the hack?

Partially. Reinstalling WordPress core (/wp-admin/ and /wp-includes/ folders) removes malware present in those files. But backdoors in /wp-content/uploads/, database injections, and malicious sitemaps are not removed. A complete cleanup of files AND the database is necessary.

How long does it take Google to remove spam pages from the index?

After a complete cleanup and a review request in Google Search Console, Google typically starts removing pages within 2 to 4 weeks. However, for a site with thousands of spam pages, complete deindexation can take 2 to 3 months. 410 Gone responses and the URL removal tool speed up the process.

Can my site be reinfected after cleanup?

Yes, if the original vulnerability is not fixed. Cleanup removes the malware, but if the vulnerable plugin is not updated, if passwords are not changed, or if a backdoor was missed, the hacker can return. This is why prevention measures (updates, security plugin, 2FA) are essential.

How do I know if my site is completely clean?

Several checks to perform:

  • site:yourdomain.com in Google no longer shows Japanese pages.
  • Google Search Console no longer reports security issues.
  • A security scan (Wordfence, Sucuri SiteCheck) detects nothing.
  • Server files no longer contain malicious code.
  • No unknown users are present in WordPress.
  • The sitemap contains only your legitimate pages.

Does the hack affect my SEO ranking long-term?

In the short term, your organic traffic will drop significantly (some sites lose 80 to 90% of their traffic). After a complete cleanup and spam page deindexation, traffic gradually returns within 1 to 3 months in most cases. Sites that react quickly and were in good SEO health before the hack generally recover their original rankings.
