Japanese keyword hack on WordPress

Japanese pages indexed under your name, titles full of Asian characters in Google? That's the Japanese keyword hack. Here's how to identify and clean it.

By WP-Detox

You type your site name into Google and land on Japanese titles, descriptions full of Asian characters, pages you never created. This is the Japanese keyword hack, the name Google itself gives this attack. Your WordPress is generating thousands of Japanese pages behind your back that point to fake storefronts, and the worst part is that everything looks normal when you log into the admin.

What the Japanese keyword hack looks like

The main symptom shows up in search results, not on your site. When you run site:yourdomain.com on Google, you see:

  • Japanese titles and descriptions under your domain name
  • hundreds, sometimes thousands of URLs you don’t recognize (often something like /product-12345.html or strings of digits)
  • pages that lead to fake online stores, fake luxury goods, or counterfeit products

In Search Console, the telltale sign is a sudden spike in the number of indexed pages. You jump from a few dozen to several thousand URLs in a matter of days. Some owners also notice unexpected international targeting in the performance reports: traffic and impressions coming from Japan when your site is in English.

The detail that makes this attack confusing: it’s all invisible in the WordPress dashboard. You won’t see these pages in your posts, your pages, or anywhere in the admin. That’s normal. The malicious code uses cloaking: it serves the Japanese pages only to Googlebot and search engines, and shows your real site to you, the human visitor. That’s why you can be hacked for weeks without noticing, until the day a customer or Google warns you.

It’s an SEO spam injection, like casino spam

The Japanese keyword hack is a variant of a broader family: SEO spam injection. The attacker doesn’t want to break your site; they want to use its reputation with Google to get their own spam pages indexed. Japanese is a specific case (often fake e-commerce, counterfeit branded products), but the mechanism is the same as with casino spam, where the injected pages are about betting and gambling.

Don’t mix up the two. If your parasite pages are about casino, slots, or betting, follow the casino guide instead. If they’re in Japanese and point to stores, you’re in the right place. The cleanup is similar, but the targeted files and locations differ slightly.

Where the code hides

Once inside (most often through a vulnerable plugin or theme, or a weak admin password), the attacker plants themselves in several places to survive a partial cleanup. You’ll typically find:

  • injected PHP files, either brand new or grafted onto the top of legitimate files like index.php, wp-config.php, or theme files
  • entries added to the database, especially in the wp_options table (an oddly named option that stores the spam configuration)
  • one or more fake XML sitemaps at the root of the site, which the attacker submits to Google to get their pages indexed faster
  • an extra administrator account, created to keep access even if you change your password
  • a scheduled task via wp-cron that regenerates the spam automatically, which explains why the pages come back when you only delete files

That last point is what trips up most people. You delete the files, you clean the database, everything seems gone, and three days later the spam is back. The scheduled task did its job. As long as you haven’t disabled it, you’re replaying the problem in a loop.

How to confirm the diagnosis

Before touching anything, take five minutes to scope it out.

First run a site:yourdomain.com search in Google. Scroll through the results: spot the Japanese URLs, note their format. That tells you how many pages are affected and what the paths look like.

Next, open Search Console. Under Coverage / Pages, look at the indexed pages curve and find the moment it takes off. That gives you the approximate date of the infection, which is valuable for the next step. If you received a security alert in Search Console (security issue, hacked content), it will often point you to example URLs.

Finally, on the server side, list the recently modified files. Over SSH:

find . -type f -name "*.php" -mtime -30 -ls

This command lists PHP files modified in the last 30 days. Cross-reference with the date you found in Search Console. Any file modified around that period that you didn’t touch yourself is suspect.
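To do that cross-referencing directly, the sketch below (an added example, not part of the original article) narrows the listing to a date window around the Search Console spike and lists XML files sitting in the web root. The function names, the dates and the sample tree are constructed for illustration.

```bash
#!/bin/sh
# Added example: triage helpers for the diagnosis step. Run from a shell on
# the server; nothing here modifies the site.

# php_modified_between ROOT START END
#   Prints PHP files under ROOT modified after START and up to END.
#   START/END are dates `touch -d` accepts, e.g. 2024-03-10.
php_modified_between() {
  ref=$(mktemp -d) || return 1
  touch -d "$2" "$ref/start" && touch -d "$3" "$ref/end" || { rm -rf "$ref"; return 1; }
  find "$1" -type f -name '*.php' -newer "$ref/start" ! -newer "$ref/end" | sort
  rm -rf "$ref"
}

# root_xml_files ROOT
#   Prints XML files directly in the web root, where fake sitemaps are
#   dropped. Compare with the sitemaps your site is supposed to publish.
root_xml_files() {
  find "$1" -maxdepth 1 -type f -name '*.xml' | sort
}

# make_sample_site DIR: constructed tree so the helpers can be tried offline.
make_sample_site() {
  theme="$1/wp-content/themes/demo"
  mkdir -p "$theme"
  : > "$1/index.php";      touch -t 202403120915 "$1/index.php"
  : > "$theme/footer.php"; touch -t 202401050800 "$theme/footer.php"
  : > "$theme/cache.php";  touch -t 202403130200 "$theme/cache.php"
  : > "$1/sitemap-jp.xml"          # constructed name for a planted sitemap
  : > "$1/wp-content/readme.xml"   # not in the root, so not reported
}

# Demo on the constructed tree: spike assumed to start around 2024-03-12.
site=$(mktemp -d)
make_sample_site "$site"
php_modified_between "$site" 2024-03-10 2024-03-15
root_xml_files "$site"
rm -rf "$site"
```

Modification times can be reset by whoever wrote the file, so an empty result for the window does not clear the site; the checksum comparison in the cleanup steps covers that case.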

How to clean it, step by step

Order matters. If you clean the files before cutting off the scheduled task, the spam regenerates while you work.

  1. Back up the whole site first, files and database. Even infected. You want to be able to roll back if a deletion breaks something.

  2. List and delete the malicious scheduled tasks. With WP-CLI:

    wp cron event list

    Spot the events with unknown or random names, then delete them with wp cron event delete <hook>. This is the step that keeps the spam from coming back.

  3. Delete the injected files you found during the diagnosis step, along with the fake XML sitemaps at the root. For legitimate files that are infected (code grafted on top), don’t delete the file: remove only the malicious block, or better, replace the file with its original version.

  4. Clean the database. Check wp_options and look for options with suspicious content. Delete the injected entries. If you’re not sure, only remove what is clearly foreign to WordPress and your plugins.

  5. Delete the attacker’s admin account. Under Users, spot any administrator you don’t recognize and delete it. Also change the password on your real admin account.

  6. Reinstall the WordPress core, in the exact version you are running, to overwrite any modified system file you may have missed. Do the same for plugins and the theme from official sources.

  7. Request reindexing and clean up Search Console. Once the site is clean, use the Search Console URL removal tool to take down the spam pages, and submit your real sitemap. Google will gradually drop the Japanese pages over its next crawls.
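For steps 2, 5 and 6, the helpers below (an added example, not WP-Detox's own tooling) filter WP-CLI output down to what needs a human look: cron hooks that are not WordPress core's, and administrator logins you did not create. The `MY_ADMINS` variable, the function names and the sample data are assumptions made for this sketch, and the core hook list is not exhaustive.

```bash
#!/bin/sh
# Added example: review helpers fed by WP-CLI output on stdin.

# Cron hooks scheduled by WordPress core itself. Plugin hooks are not in this
# list, so they are printed too: "not core" means "check it", not "malicious".
CORE_HOOKS="wp_version_check wp_update_plugins wp_update_themes
wp_scheduled_delete wp_scheduled_auto_draft_delete delete_expired_transients
wp_privacy_delete_old_export_files wp_site_health_scheduled_check
recovery_mode_clean_expired_keys wp_https_detection"

# not_in_list "a b c": reads one name per line, prints those not in the list.
not_in_list() {
  known=" $(echo $1) "            # unquoted on purpose: newlines become spaces
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    case "$known" in
      *" $name "*) ;;             # known name, nothing to report
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Step 2: hooks to review before running `wp cron event delete <hook>`.
non_core_hooks() { sort -u | not_in_list "$CORE_HOOKS"; }

# Step 5: administrator logins missing from your own list (first argument).
unexpected_admins() { not_in_list "$1"; }

# Constructed sample data standing in for WP-CLI output.
sample_hooks() {
  printf '%s\n' wp_version_check x7f3a_regen_feed wp_scheduled_delete x7f3a_regen_feed
}
sample_admins() { printf '%s\n' alice wp_support_2; }

# On a real site: run from the WordPress root, after the backup in step 1.
if command -v wp >/dev/null 2>&1 && wp core is-installed 2>/dev/null; then
  wp cron event list --field=hook | non_core_hooks
  wp user list --role=administrator --field=user_login |
    unexpected_admins "${MY_ADMINS:-}"
  wp core verify-checksums          # step 6: core files vs. official checksums
  wp plugin verify-checksums --all  # same check for wordpress.org plugins
fi
```

Anything `verify-checksums` reports as modified is a candidate for the reinstall in step 6; themes and premium plugins are not covered by it and still need replacing from their official source.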

FAQ

Why do I see nothing in my WordPress admin? Because the hack uses cloaking: the Japanese pages are served only to search engines. As a logged-in visitor, you see your normal site. The only way to see the problem is to look at what Google indexes, via site:yourdomain.com or Search Console.

The spam pages come back after cleaning, why? You deleted the files but not the wp-cron scheduled task that regenerates them, or there’s a hidden backdoor file still reinjecting the code. List the cron events, delete the unknown ones, and look for any PHP file modified recently outside your usual folders.

Will Google penalize my site? As long as the hacked content is indexed, yes, your site may show a security warning and lose visibility. Once it’s clean, you have to request a review. That’s exactly the topic of removing the Google warning.

If you’d rather delegate

Cleaning a Japanese keyword hack by hand takes comfort with SSH, the database, and WP-CLI. If you’d rather not touch it, or if the spam has already come back once, look at the full guide for when WordPress is hacked, or let us handle it. WP-Detox scans your site for free, makes a backup before any action, and clears the infection in about thirty minutes on average. All-in at €149, refunded if we can’t get you back on your feet.
