
Japanese Keyword Hack: How to Find and Remove It (2026)

Google shows Japanese spam pages on your domain but your site looks normal? That is the Japanese keyword hack. Step-by-step removal: confirm the infection, find the backdoor, clean Search Console, and recover your rankings.

Microsoft Cloud Solution Architect

You search for your own website on Google and the results are full of pages you never created: Japanese titles, gibberish URLs, and snippets advertising counterfeit designer goods. Your site looks completely normal when you open it. This is the Japanese keyword hack, one of the most common forms of SEO spam infection, and this guide walks you through confirming it, removing it, and keeping it from coming back.

What is the Japanese keyword hack?

The Japanese keyword hack is a blackhat SEO infection where an attacker compromises your site and silently generates thousands of spam pages filled with Japanese text, usually promoting counterfeit merchandise with affiliate links. The attacker is not interested in your data. They are stealing your domain authority: every spam page they publish on your domain inherits your site's reputation in Google, which makes their counterfeit store links rank.

What makes this infection nasty is cloaking. The malicious code detects who is requesting a page. Regular visitors and logged-in admins see the normal site, while Googlebot gets served the spam. Site owners often stay infected for months because nothing looks wrong in the browser.

How to confirm your site is infected

  1. Run a site: search. Search Google for site:yourdomain.com and scan the results. Indexed pages with Japanese titles you never published are the signature symptom.
  2. Check Google Search Console. Open the Performance report and look for impressions on URLs you do not recognize, often under paths like /shop/, /wp-content/uploads/xxxx/, or random 5 to 8 character directories.
  3. Use the URL Inspection tool in Search Console on a suspicious URL and view the rendered HTML. Because of cloaking, this shows you what Googlebot sees, not what your browser sees.
  4. Check Users and Permissions in Search Console. Attackers frequently verify themselves as owners of your property (via an uploaded HTML token file) so they can submit spam sitemaps and monitor their campaign. An owner you do not recognize is proof of compromise.

You can also run your domain through a remote scanner such as our free website vulnerability scanner to check for known malware signatures, blocklist status, and missing security headers in one pass.

How the hack works


The entry point is almost always one of three things: an unpatched plugin or theme vulnerability, a reused or brute-forced admin password, or a compromise of a neighboring site on the same shared hosting account. Once inside, the attacker drops one or more backdoor files so they can reinfect the site even after you delete the visible spam.

Step-by-step removal

1. Take a full backup first

Before touching anything, back up all files and the database. If the cleanup goes wrong, you need a way back, and the infected copy is useful evidence for identifying the entry point later.

2. Remove unknown owners from Search Console

In Search Console, open Settings, then Users and Permissions, and remove any owner or user you do not recognize. Then find and delete their verification token: it is usually an HTML file named like google1234567890abcdef.html in your web root. If you skip the token file, they can re-verify with one click.
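
To see every token file before deleting any, the following added example (not part of the original article) lists Google HTML verification files under a web root with their last-modified date, so each can be matched against the owners shown in Search Console. It assumes GNU coreutils on the server and relies on the fact that a genuine token file contains its own file name; the function names and sample web root are constructed for illustration.

```sh
#!/bin/sh
# Added example: list Google HTML verification tokens under a web root,
# with the date each file was last modified.

list_verification_tokens() {
    find "$1" -type f -name 'google*.html' | while IFS= read -r f; do
        name=$(basename "$f")
        # A real token file contains its own file name after this prefix.
        if grep -qF "google-site-verification: $name" "$f"; then
            printf '%s\t%s\n' "$(date -r "$f" '+%Y-%m-%d')" "$f"
        fi
    done
}

# Constructed sample web root: one token file and one unrelated page.
demo_webroot() {
    root=$(mktemp -d)
    echo 'google-site-verification: google1234567890abcdef.html' \
        > "$root/google1234567890abcdef.html"
    echo '<html><body>Our Google Maps listing</body></html>' \
        > "$root/google-maps.html"
    echo "$root"
}

root=$(demo_webroot)
list_verification_tokens "$root"
rm -rf "$root"
```

A token dated after the spam first appeared, or one that nobody on the team remembers uploading, is the one to delete.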

3. Find recently modified files

On the server, list files changed in the last 30 days. On Linux hosting with SSH access:

# List files modified in the last 30 days, skipping the cache directory
find . -type f -mtime -30 -not -path "./wp-content/cache/*" | sort
# Compare WordPress core files against the official checksums
wp core verify-checksums
wp plugin verify-checksums --all

Look for PHP files in places PHP should not live (wp-content/uploads is the classic hiding spot), files with random names, and legitimate files with recent modification dates you cannot explain.

4. Check .htaccess and wp-config.php

Cloaking is usually implemented in .htaccess rewrite rules that route Googlebot requests to a spam generator script, or in PHP conditionals that check the user agent. Review every .htaccess file on the account (there are often several), and inspect wp-config.php for suspicious include or eval statements referencing files in uploads or temp directories.
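
One way to run that review across the whole account, as an added example that is not from the original article: it flags .htaccess conditions that branch on a crawler user agent or search-engine referrer, and wp-config.php lines that pull in files from uploads or temp directories. The function names, the engine list, and the sample site are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example. File contents below are constructed samples.

ENGINES='google|bing|yahoo|baidu|yandex'

# .htaccess conditions that branch on a crawler user agent or a
# search-engine referrer; prints file:line:text for each hit.
scan_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -HniE \
        "RewriteCond[[:space:]]+%\{HTTP_(USER_AGENT|REFERER)\}.*($ENGINES)" {} +
}

# include/require/eval lines in wp-config.php that point at uploads or
# temp directories.
scan_wp_config() {
    grep -HnE '(include|require|eval)[^;]*(uploads|/tmp/|/temp/)' "$1/wp-config.php"
}

# Constructed sample site: a stock .htaccess, a cloaking one, a wp-config.php.
demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/blog"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteRule . /index.php [L]' > "$site/.htaccess"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]' \
        'RewriteRule ^(.*)$ /wp-content/uploads/2024/x7k2q.php [L]' \
        > "$site/blog/.htaccess"
    printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
        "@include '/var/www/html/wp-content/uploads/2024/.cache.php';" \
        "require_once ABSPATH . 'wp-settings.php';" > "$site/wp-config.php"
    echo "$site"
}

site=$(demo_site)
scan_htaccess "$site"
scan_wp_config "$site"
rm -rf "$site"
```

Some legitimate rules also key on user agents (bot blocking, for instance), so treat each hit as a line to read, and follow any RewriteRule target it points to.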

5. Remove backdoors, not just spam pages

Deleting the spam directory without removing the backdoor guarantees reinfection within days. Search the codebase for the usual suspects:

grep -rn --include="*.php" -E "eval\s*\(|base64_decode|gzinflate|str_rot13|assert\s*\(" wp-content/ | grep -v "wp-content/plugins/KNOWN-GOOD"

Not every match is malicious (some plugins legitimately use these functions), but a short obfuscated file that chains base64_decode into eval is a backdoor. When in doubt, compare against a fresh copy of the plugin from the official repository.
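
To cut the broad grep down to the pattern singled out above, this added example (not from the original article) reports only PHP files that pass a decoder call directly into eval or assert, sorted so the shortest files come first, and separately lists any PHP sitting under uploads. It assumes GNU grep; the function names and the sample tree, whose payload decodes to a harmless "echo 1;", are constructed.

```sh
#!/bin/sh
# Added example. File contents below are constructed samples.

# PHP files that feed a decoder straight into eval/assert, for example
# eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))).
find_decoder_chains() {
    grep -rlE --include='*.php' \
        '(eval|assert)[[:space:]]*\([[:space:]]*@?(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' "$1"
}

# Executable PHP under uploads, where only media files belong.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
}

# Decoder-chain hits as "bytes path", smallest file first.
triage() {
    find_decoder_chains "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
    done | sort -n
}

# Constructed sample tree; the encoded payload decodes to "echo 1;".
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads/2024" "$t/wp-content/plugins/legit"
    echo '<?php eval(base64_decode("ZWNobyAxOw=="));' \
        > "$t/wp-content/uploads/2024/x7k2q.php"
    echo '<?php $raw = base64_decode($blob); // decodes, never executes' \
        > "$t/wp-content/plugins/legit/encode.php"
    : > "$t/wp-content/uploads/2024/photo.jpg"
    echo "$t"
}

t=$(demo_tree)
triage "$t/wp-content"
find_php_in_uploads "$t"
rm -rf "$t"
```

A clean result here does not clear the site: obfuscation that splits or renames the function calls will not match this pattern, which is why reinstalling from clean sources still follows.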

6. Reinstall core, themes, and plugins from clean sources

Replace WordPress core, all plugins, and the active theme with fresh downloads. Delete anything abandoned or nulled. Nulled premium plugins are one of the most common infection vectors for this exact hack.

7. Clean the database and rotate every credential

Check wp_options for injected content, review wp_users for admin accounts you did not create, then rotate all passwords: WordPress admins, database, FTP or SFTP, hosting control panel, and the salts in wp-config.php.

8. Remove the spam from Google's index

Once the spam URLs return 404 or 410, Google drops them naturally, but you can accelerate it. Delete any spam sitemaps from Search Console, then use the Removals tool for the worst URL prefixes. Google's own writeup of this infection, Fix the Japanese keyword hack, recommends requesting reindexing of your legitimate pages once the cleanup is done.

What recovery looks like

Milestone                                   | Typical timeline
Spam pages start dropping from the index    | 3 to 14 days after cleanup
Security warnings cleared (if flagged)      | 1 to 3 days after review approval
Organic rankings begin recovering           | 2 to 6 weeks
Full ranking recovery                       | 1 to 3 months, longer if a manual action was applied

Check the Manual Actions report in Search Console. If Google applied a "hacked site" manual action, you must request a review and describe what you cleaned before rankings recover.

When to bring in professionals

A manual cleanup takes a developer several hours and one missed backdoor undoes all of it. If the site generates revenue, or you do not have SSH access and file-level comfort, a professional incident response service is the pragmatic route. Sucuri's malware removal service cleans the infection, removes the backdoors and rogue Search Console verifications, and submits the blocklist review requests for you, with unlimited cleanups included in the flat annual plan. Their analysts deal with this specific hack daily.

Preventing reinfection

  • Patch fast. Most infections start with a plugin vulnerability that had a fix available for weeks. Enable auto-updates for plugins and core minor releases.
  • Put a WAF in front of the site. A cloud firewall like Sucuri's website firewall virtually patches known plugin exploits at the edge, before requests reach your server. This closes the window between a vulnerability being disclosed and you updating.
  • Enforce strong auth. Unique passwords plus two-factor authentication on WordPress admin, hosting, and FTP accounts.
  • Monitor continuously. Weekly site: checks, Search Console email alerts turned on, and file integrity monitoring on the server.
  • Reduce attack surface. Delete inactive plugins and themes entirely. Deactivated code is still exploitable code.

Frequently asked questions

Why is the spam in Japanese?

The campaigns behind this hack monetize counterfeit goods marketplaces that target Japanese shoppers, where brand-name counterfeits are a large affiliate market. The same technique also appears with Korean, Chinese, and pharmacy spam. The cleanup process is identical.

My site looks fine. Can I ignore it?

No. The spam is cloaked, so your browser view proves nothing. Meanwhile Google is indexing thousands of junk pages under your domain, your rankings are bleeding, and Safe Browsing may eventually flag the whole site, which triggers a browser warning that turns visitors away.

Does deleting the spam pages fix the hack?

No. The pages are generated by a script the attacker controls through a backdoor. Delete the pages without the backdoor and they return, often within 48 hours. The backdoor and the entry point are the actual infection.

Will Google penalize my site permanently?

No. Once the spam is removed and any manual action review passes, rankings recover. The recovery is slower than the cleanup, typically a few weeks, because Google recrawls and revalidates your URLs gradually.

How did attackers get into my Search Console?

They did not break into your Google account. They uploaded a verification token file to your already-compromised server, which proves "ownership" to Google. That is why removing the rogue owner without deleting their token file on the server does not lock them out.

Can this happen on non-WordPress sites?

Yes. WordPress is the most common target because of its plugin ecosystem, but Joomla, Magento, and custom PHP sites get hit through the same pattern: an exploitable entry point, a webshell, and cloaked spam generation.

Conclusion

The Japanese keyword hack is loud in Google and invisible on your own screen, which is exactly why it persists. Confirm it with a site: search and Search Console, clean files and database, evict the attacker from Search Console, and above all find the backdoor. If you would rather have specialists handle it end to end, professional malware removal is a one-day fix. Afterward, patch aggressively and keep a firewall in front of the site so you never write the sequel to this incident.
