How to Fix a Japanese Keyword Hack in WordPress


Hackers frequently target WordPress websites through a method known as the “Japanese keyword hack.” This malicious attack, also called SEO cloaking malware or Japanese SEO spam, involves injecting hidden Japanese text into your site. The goal of this attack is to promote counterfeit online stores, which can negatively impact your SEO rankings, user trust, and website performance. 

But don’t panic. This step-by-step guide will help you restore your website’s integrity and prevent future threats. 

What You Need to Know About the Japanese Keyword Hack 

The Japanese Keyword Hack is a form of SEO spam that targets vulnerable WordPress sites. Hackers inject malicious Japanese text and links into your site’s code or database—often hidden from human visitors, but fully visible to search engines. This manipulation exploits your domain’s authority to drive traffic to fraudulent e-commerce sites. 

Between May 2022 and December 2024, researchers identified 692,865 fake e-commerce sites linked to black-hat SEO campaigns, including the Japanese Keyword Hack. 

To your regular visitors, your website may appear unaffected. But search engines detect the intrusion quickly. Left unaddressed, the consequences grow: 

  • SEO rankings decline as your site is penalized for hosting deceptive content. 
  • User trust erodes when spam results appear under your domain in Google searches. 
  • Site performance can suffer, especially if malicious scripts or large volumes of spam content are injected or external resources are loaded. 

Think of it like termites in a wall—you may not see the damage right away, but the structure weakens from within. Acting early is key to protecting your search visibility, reputation, and site integrity. 

Reasons for the Japanese Keyword Hack 

Hackers don’t choose their targets at random. Instead, they focus on specific vulnerabilities in WordPress websites—entry points that allow them to inject hidden SEO spam. The Japanese Keyword Hack often stems from the following common weaknesses: 

Diagram showing key WordPress vulnerabilities that enable the Japanese Keyword Hack, including outdated plugins and themes, weak admin credentials, improper file permissions, and enabled directory browsing.
Image Caption: Common WordPress Weaknesses That Lead to the Japanese Keyword Hack

Outdated WordPress Core, Plugins, or Themes 

Running older versions of WordPress or third-party software can leave your site exposed. Older versions often contain well-known security vulnerabilities that hackers actively search for. Without recent updates, your site becomes a target for malicious code injections. 

Weak Administrator Credentials 

Simple or easily guessed usernames and passwords are one of the most common vulnerabilities. If an attacker successfully brute-forces your login credentials or discovers default username/password combinations, they can gain full access to your site’s backend. This allows them to inject spam or manipulate content at will. 

Directory Browsing Enabled 

When directory browsing is enabled, it provides public access to your server’s internal structure. Hackers can view your file paths and plugin directories, gaining insights into potential weaknesses they can exploit.  

Incorrect File Permissions 

Misconfigured file and folder permissions can expose sensitive files to unauthorized changes. For example, if files like wp-config.php or .htaccess have overly permissive settings, attackers can modify them to alter your site’s behavior or embed harmful SEO cloaking scripts. 

How to Spot a Japanese Keyword Hack 

Before implementing any fixes, it’s important to first determine if your website has been compromised. Look for these common indicators of a potential hack: 

Run a Security Scan 

Identifying a Japanese SEO hack on your WordPress site begins with a comprehensive security scan that detects harmful files, malicious code, or suspicious activity that may have infiltrated your website. These scans target critical areas like plugins, themes, and core WordPress files—common hotspots for malware injection. By pinpointing the exact locations of malicious content, you can take targeted action to remove it effectively. 

SiteLock dashboard showing results from SMART Database Scan, SMART File Scan, Vulnerability Scan, and Webpage Scan, with detected issues including malware and spam code.
Image caption: SiteLock’s comprehensive website security scanner identifies malware, spam, and vulnerabilities across your files, database, plugins, and public pages.

Search Engine Warnings and Visibility Drops 

A sudden drop in your website’s visibility or search rankings can be a key sign of a Japanese SEO hack. This type of attack often involves hackers injecting spam content or malicious links into your site to manipulate search engine rankings. Identifying and addressing this issue promptly is crucial. Follow these steps to check if your site has been affected: 

  • Open a search engine like Google.  
  • In the search bar, type site:yourdomain.com.  
  • Review the search results carefully. Look for any unusual Japanese characters, product names, or spammy links in the titles or descriptions. These anomalies typically indicate injected content that does not belong to your site.  
Image caption: A snapshot of a Japanese keyword hack in action. Image source: Web Dev

Access your Google Search Console and Google Analytics accounts to analyze your site’s performance metrics. Look for any sudden or unexplained drops in traffic, impressions, or clicks—these may indicate a potential hack affecting your site’s visibility in search results. Focus on key performance indicators (KPIs) and prioritize monitoring high-performing pages that have experienced significant declines in engagement.  

To guide your investigation, follow these steps:  

  • Log in to Google Search Console and check the “Performance” report for any irregularities.  
  • Identify pages with a sharp decrease in clicks or impressions.  
  • Review Google Analytics for a timeline of traffic changes and compare against historical data.  

Check for anomalies like unexpected referral sources, spikes in bounce rates, or unusual user behaviors.

Image Caption: A sudden decline in clicks and impressions in Google Search Console may signal a security breach or SEO issue impacting your site’s visibility.

File or Database Changes  

Ensuring the security and integrity of your application starts with a careful review of critical files and database tables. Follow these detailed steps to identify and address potential vulnerabilities effectively:  

Step 1: Examine Core Files  

Focus on index.php, wp-config.php, and functions.php, which are essential to your WordPress installation. Unauthorized changes here often signal a breach. Here’s how to inspect them:  

  • Check the last modified dates. If a file shows a recent change that you didn’t make, it could be a red flag.  
  • Review the file content. Look for unfamiliar code, unexpected changes, or suspicious additions. Even small alterations can have a significant impact.  

Step 2: Inspect Database Tables  

Your database is another critical area to monitor, particularly tables that are common targets for malicious activity. Pay close attention to tables like wp_posts and wp_comments, as these are frequently used for spam content injection.  

  • Scan for suspicious entries. Look for data that stands out, such as spam-like content, unusual links, or unauthorized entries.  

Use Google’s URL Inspection Tool to Detect Cloaking 

Cloaking is a deceptive practice often seen in Japanese SEO hacks. It occurs when the content presented to search engines is different from what users see. This tactic can make it difficult for website owners to detect unauthorized changes while still maintaining visibility in search results. 

If you suspect cloaking on your site, here’s how you can investigate: 

Watch for indicators: Unexplained 404 errors or redirected URLs in Google Search Console may suggest cloaking, but the more reliable signal is content discrepancies between what users and search engines see. 

Use the URL Inspection Tool: The “URL Inspection” tool in Google Search Console is a valuable resource. It allows you to: 

  • View how Googlebot renders your page. 
  • Compare the content visible to search engines with the content visible to users. 

Pay close attention to the Rendered HTML and Screenshots shown in Search Console. If you see content here that doesn’t appear on your site when browsing normally, cloaking is likely in place. 
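
The comparison described above can also be approximated from a shell by requesting the same page with a browser user agent and with Googlebot's published user agent string, then counting Japanese kana in each response. This is an added example, not part of the original article; the function names, verdict labels and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the HTML a page serves to a normal browser with what
# it serves to a client announcing itself as Googlebot.

UA_BROWSER='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36'
UA_CRAWLER='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# count_kana FILE: number of hiragana/katakana characters (U+3040-U+30FF).
# In UTF-8 these are the byte sequences E3 81..83 80..BF. Kana are counted
# rather than kanji because kanji code points are shared with Chinese text.
count_kana() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' |
        { grep -o 'e3 8[1-3] [89ab][0-9a-f]' || true; } | wc -l | tr -d ' '
}

# cloaking_verdict BROWSER_HTML CRAWLER_HTML
cloaking_verdict() {
    b=$(count_kana "$1")
    c=$(count_kana "$2")
    if [ "$c" -gt 0 ] && [ "$b" -eq 0 ]; then
        echo "CLOAKED crawler_kana=$c browser_kana=$b"
    elif [ "$b" -gt 0 ]; then
        echo "JAPANESE_TEXT_VISIBLE crawler_kana=$c browser_kana=$b"
    else
        echo "NO_KANA crawler_kana=$c browser_kana=$b"
    fi
}

# check_url URL: fetch the page twice and compare (needs curl and network access).
check_url() {
    tmp=$(mktemp -d)
    curl -sL -A "$UA_BROWSER" -o "$tmp/browser.html" "$1" &&
    curl -sL -A "$UA_CRAWLER" -o "$tmp/crawler.html" "$1" &&
    cloaking_verdict "$tmp/browser.html" "$tmp/crawler.html"
}

# Constructed sample responses so the comparison runs offline.
demo=$(mktemp -d)
cat > "$demo/browser.html" <<'EOF'
<html><head><title>Acme Garden Tools</title></head>
<body><h1>Spring catalogue</h1></body></html>
EOF
cat > "$demo/crawler.html" <<'EOF'
<html><head><title>ブランド バッグ 通販</title></head>
<body><a href="http://spam-shop.invalid/">ブランド バッグ</a></body></html>
EOF

cloaking_verdict "$demo/browser.html" "$demo/crawler.html"
```

Some cloaking keys on the crawler's IP address rather than its user agent, so a NO_KANA result from check_url does not clear the site; the rendering shown by the URL Inspection tool remains the authoritative view.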

How to Fix the Japanese Keyword Hack in WordPress 

If you’ve confirmed that your WordPress website has been hacked, it’s crucial to act quickly to remove the threat. Malware can escalate in impact the longer it stays on your site—introducing more backdoors, affecting SEO rankings, and enabling further unauthorized access. 

To address the Japanese keyword hack on your WordPress site, there are three effective methods you can use: 

  1. Use website security software: These tools are designed to identify and eliminate malicious code efficiently while protecting your site from future attacks. 
  2. Hire an emergency malware removal service: For immediate and professional assistance, consider hiring a specialized service. These experts will handle the removal process thoroughly and ensure your website is fully secured against further breaches. 
  3. Manually clean the hack: If you have technical expertise, you can manually locate and remove the malicious code. This process involves identifying infected files, inspecting your database for unauthorized entries, and restoring clean backups. 

Option #1. [Recommended] Use SiteLock to remove the Japanese keyword hack

SiteLock website security offers a reliable, efficient solution for removing the Japanese keyword hack from your website. Using advanced real-time malware detection and automated cleanup tools, SiteLock thoroughly scans your site to identify malicious code and vulnerabilities. Here’s how it works:  

  • Comprehensive Malware Scanning: SiteLock performs a detailed scan of your website’s files and database to detect any unauthorized code or suspicious activity.  
  • Automated Malware Removal: Once malware is detected, SiteLock’s tools swiftly remove it, eliminating harmful code and restoring your website to a clean state.  
  • Preventative Measures: By identifying vulnerabilities, SiteLock helps you secure your site against future attacks, ensuring long-term protection.  

With a user-friendly interface and 24/7 customer support, SiteLock is accessible even to small business owners and web administrators without technical expertise. Its intuitive dashboard provides clear insights into your website’s security status, while support representatives are available to guide you through any challenges.  

Best of all, it only takes a few minutes to complete setup. Once you’ve purchased a SiteLock website security subscription, all you need to do is: 

  1. Set up FTP/SSH Access: After logging in, follow the Setup Wizard to configure secure FTP or SSH access. This connection allows SiteLock to perform deep scans and safely remove malware from your site files and database. 
  2. Enable Scanning: Once connected, SiteLock will automatically configure scans to start monitoring your site for threats. 
Circular infographic showing key SiteLock website security features, including malware scanning and removal, backup and recovery, DDoS protection, PCI compliance, CDN, WAF, CMS patching, and vulnerability detection.
Image caption: SiteLock protects your website with a full suite of security tools—from malware scanning and automatic removal to DDoS protection and PCI compliance support.

Option #2. Get an immediate malware removal service to clean your website  

If your website has been compromised, it may not be possible to access your WordPress admin, or your web host might have suspended your site. SiteLock’s Fix My Site service offers a reliable and efficient solution to restore its functionality and security. Fix My Site connects you with a SiteLock security expert who will start addressing the issue within an hour of purchase. Here’s what you can expect: 

  • Malware Removal: A dedicated security engineer will thoroughly scan your website, identify all malicious code, and remove every trace of malware to restore your site to a safe and operational state.  
  • Backdoor Detection and Removal: Backdoors, hidden access points created by attackers, will be identified and removed to prevent reinfection and unauthorized access. 
  • Optional Ongoing Protection Setup: If you choose this added feature, your expert will implement advanced protective measures designed to monitor threats and prevent future attacks, keeping your website secure over time.  
  • Comprehensive Security Recommendations: You’ll receive detailed guidance on steps to enhance your website’s long-term security. These may include actions like updating passwords, removing outdated plugins, and applying critical software updates. 

Option #3. Manually eliminate the Japanese keyword hack in WordPress 

Removing a hack manually from your WordPress site is a complex process that requires advanced technical knowledge. Hackers can inject malicious code across hundreds or even thousands of files that make up a WordPress site, making it challenging to identify and eliminate every threat.  

Before diving into manual removal, consider the following options: 

  • Restore from Backup: If you have a recent backup of your website taken before the hack, this can be the quickest way to restore your site to a clean state. Ensure the backup includes both your WordPress files and database. 
  • Rebuild Your Site in a Fresh WordPress Install: In some cases, rebuilding your website using a fresh WordPress installation may be the best option. This ensures a clean foundation and eliminates any lingering vulnerabilities. You can re-import essential content, such as posts and pages, while verifying their integrity. 

Step 1. Backup Your Website Before Fixing 

Before making any changes, create a full backup of your website files and database. This process ensures you have a complete and secure copy of your data in case unexpected issues arise during the cleanup or modifications you’re planning to implement.  

To back up your website:  

  • Use a reliable backup tool or plugin, such as CodeGuard, to save a complete copy of your files and database.  
  • Confirm that the backup includes all critical components, such as your website files (HTML, CSS, JavaScript) and your database (MySQL or another system, depending on your setup).  

Taking this precaution provides peace of mind and ensures that, even if something goes wrong, you can quickly restore your website to its original state without losing valuable data. 

Step 2. Reset All Passwords 

Change all access credentials immediately, including:  

  • WordPress admin passwords.  
  • Hosting account and FTP/SFTP passwords.  
  • Database login credentials.  

Delaying this step allows attackers to reuse active backdoors. Resetting passwords, especially for admin and FTP, cuts off hacker access and secures your site before deeper cleaning.  

Step 3. Remove Unauthorized Users from WordPress and Google Search Console 

Hackers often target your WordPress and Google Search Console by adding themselves as unauthorized users, potentially gaining access to sensitive site data or even manipulating your website.  

In WordPress:  

Go to Users > All Users and look for suspicious usernames or email addresses. Delete any you don’t recognize. 

In Google Search Console: 

  • Navigate to Settings → Users and Permissions to review the list of users with access to your account.  
  • Revoke access for any users you don’t recognize.  
  • Under Settings > Ownership Verification, delete unfamiliar verification methods or meta tags. 

Step 4. Check and Clean Recently Modified Files 

Hackers often alter files like index.php, functions.php, 404.php, or wp-config.php to inject spam or backdoors. 

1. If your host supports SSH, run: 

find /path-to-your-site -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r 

2. If your system’s find does not support -printf (for example, on macOS), use this alternative: 

find /path-to-your-site -type f -exec stat -f '%Sm %N' -t '%Y-%m-%d %H:%M:%S' {} + | sort -r 

3. If you’re using a shared host or don’t have SSH access, use your FTP client’s ‘Last Modified’ sorting feature.  

Delete or replace suspicious files with clean versions from a fresh WordPress download or a known good backup. 
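
Modification times can be reset by whoever altered the files, so comparing file contents against a clean copy is a useful complement to the commands above. The following is an added example, not part of the original article; the function name audit_core_files, the report labels and the sample trees are constructed for illustration, and the clean directory is assumed to be a fresh download of the same WordPress version the site runs.

```shell
#!/bin/sh
# Added example: compare an installed WordPress tree with a freshly downloaded
# copy of the same version, by file content rather than by timestamp.

# audit_core_files SITE_DIR CLEAN_DIR
#   MODIFIED <path>        core file whose content differs from the clean copy
#   EXTRA <path>           file inside the core tree that the clean copy lacks
#   PHP_IN_UPLOADS <path>  PHP file under wp-content/uploads (heuristic: uploads
#                          normally holds media, not executable code)
audit_core_files() {
    site=$1
    clean=$2
    (cd "$site" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        rel=${f#./}
        case $rel in
            wp-config.php|.htaccess)
                continue ;;   # site-specific files: review these by hand
            wp-content/uploads/*.php)
                echo "PHP_IN_UPLOADS $rel"
                continue ;;
            wp-content/*)
                continue ;;   # themes and plugins are reinstalled from source
        esac
        if [ ! -f "$clean/$rel" ]; then
            echo "EXTRA $rel"
        elif ! cmp -s "$site/$rel" "$clean/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
}

# Constructed sample trees so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/clean/wp-admin" "$demo/clean/wp-includes"
echo '<?php // front controller' > "$demo/clean/index.php"
echo '<?php // admin bootstrap'  > "$demo/clean/wp-admin/admin.php"
echo '<?php // version info'     > "$demo/clean/wp-includes/version.php"
cp -R "$demo/clean" "$demo/site"

# Constructed stand-ins for what a compromise leaves behind.
echo '<?php // constructed stand-in for appended code' >> "$demo/site/index.php"
echo '<?php // constructed stand-in for a dropped file' > "$demo/site/wp-includes/class-wp-tmp.php"
mkdir -p "$demo/site/wp-content/uploads/2024/05" "$demo/site/wp-content/themes/demo"
echo '<?php // constructed'   > "$demo/site/wp-content/uploads/2024/05/cache.php"
echo '<?php // theme code'    > "$demo/site/wp-content/themes/demo/functions.php"
echo '<?php // site settings' > "$demo/site/wp-config.php"

audit_core_files "$demo/site" "$demo/clean"
```

Where WP-CLI is installed, `wp core verify-checksums` performs a comparable check against the official checksums for the installed version.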

Step 5. Check and Regenerate the .htaccess File 

The .htaccess file controls redirects and URL handling—and it’s often targeted by this hack. Here’s what to do: 

To begin, you’ll need to access the .htaccess file in your website’s root directory. You can do this using an FTP client (such as FileZilla) or through your hosting provider’s cPanel file manager.  

  • Navigate to the root directory of your website—commonly named public_html, htdocs, or /var/www/html, depending on your hosting provider. 
  • If you don’t immediately see the .htaccess file, ensure that hidden files are displayed. Most FTP clients or file managers include an option to “show hidden files” under their settings or preferences menu.  

Open the .htaccess file using a text editor like Notepad++, or the built-in editor in your cPanel. Carefully review its contents for any suspicious entries.  

  • Look for unfamiliar code, such as unexpected redirects, unknown IP addresses, or references to questionable domains.  
  • Malicious entries often include suspicious RewriteRule or Redirect commands that silently forward traffic to spam domains. For example: 
    Redirect 301 /product http://malicious.example.com/ 
    Remove these entries carefully to avoid breaking legitimate redirects. 

Take your time to inspect the file thoroughly—this is a critical step in identifying any unauthorized changes.  

If you find any suspicious code, carefully delete it, ensuring you do not remove legitimate directives required for your site’s normal functionality.  

  • For example, WordPress sites often include standard rewrite rules in the .htaccess file, which are safe to retain.  
  • After editing, save the changes to the .htaccess file.  

Reassuring Tip: If you’re unsure whether a particular line is legitimate, consider consulting your hosting provider or referencing WordPress documentation for default .htaccess rules.  

To ensure your .htaccess file is clean and properly configured, you can regenerate it directly from your WordPress dashboard:  

  • Log in to your WordPress admin area.  
  • Navigate to Settings > Permalinks from the left-hand menu.  
  • Without making any changes, click the Save Changes button. This action will automatically generate a fresh .htaccess file with WordPress’s default rules, overwriting the old one.  

After cleaning and regenerating the file, secure it to prevent unauthorized edits in the future:  

  • Set file permissions to 644 to limit access. This ensures that the file can be read and written by the file owner but it prevents modifications by others.  
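
The manual review in this step can be backed by a script that lists every redirect leaving your own host and every rewrite condition keyed on a search-engine user agent or referrer. This is an added example, not part of the original article; the function name audit_htaccess, the host mysite.test and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag .htaccess directives that send visitors to another host
# or that branch on crawler user agents / referrers.

# audit_htaccess FILE OWN_HOST
#   <line> EXTERNAL_REDIRECT <host>  Redirect*/RewriteRule target on a foreign host
#   <line> CRAWLER_CONDITION         RewriteCond keyed on a search-engine UA/referrer
audit_htaccess() {
    awk -v own="$2" '
    BEGIN { own = tolower(own) }
    /^[ \t]*#/ { next }                       # skip comments
    {
        low = tolower($0)
        if ((index(low, "%{http_user_agent}") || index(low, "%{http_referer}")) &&
            low ~ /^[ \t]*rewritecond[ \t]/ && low ~ /google|bing|yahoo/)
            printf "%d CRAWLER_CONDITION\n", NR

        if (low ~ /^[ \t]*(redirect[a-z]*|rewriterule)[ \t]/ &&
            match(low, "https?://[^/ \t\"]+")) {
            host = substr(low, RSTART, RLENGTH)
            sub("^https?://", "", host)
            sub(":[0-9]+$", "", host)
            # Targets built from server variables (e.g. %{HTTP_HOST}) stay on-site.
            if (host ~ /^[%$]/) next
            n = length(host) - length(own)
            internal = (host == own) || (n > 0 && substr(host, n) == ("." own))
            if (!internal) printf "%d EXTERNAL_REDIRECT %s\n", NR, host
        }
    }' "$1"
}

# Constructed sample: the WordPress default block, a normal force-HTTPS rule,
# and three added entries, two of which point off-site.
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Redirect 301 /product http://malicious.example.com/
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^shop/(.*)$ http://spam-shop.invalid/$1 [R=302,L]
Redirect 301 /old-page https://www.mysite.test/new-page
EOF

audit_htaccess "$demo/.htaccess" mysite.test
```

Each reported line number still needs a human decision, since a site may legitimately redirect to a partner or payment domain.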

Step 6. Clean the WordPress Database 

Now that the files are cleaned, the next step is to remove remaining malware from your WordPress database. Hackers inject malicious entries to maintain access or spread harmful content.  

Use phpMyAdmin or a similar tool to access your database and check for unusual entries, unauthorized changes, or suspicious patterns. 

Key WordPress Database Tables to Review: 

  • wp_posts Table: Look for and remove fake posts, especially those containing spammy content like Japanese text or links to suspicious websites. These injected posts are crafted to manipulate search rankings by embedding spammy keywords and links into your database, often using cloaked redirects or encoded payloads. 
  • wp_options Table: Check for unknown or suspicious options, such as entries containing `base64_code` or other encoded data. These are often used to load malicious scripts or maintain backdoor access to your site. Malicious entries may include options that inject scripts on every page load. Common signs include strange autoload values or option names that mimic core settings.  
  • wp_users Table: Verify the list of user accounts. Hackers may create fake admin accounts with unfamiliar usernames or email addresses. 

If unsure about an entry, consult online resources or your hosting provider. Be careful when making changes to avoid deleting legitimate content. 

Step 7. Update Core Files, Plugins, and Themes 

Outdated components often serve as entry points for malware. 

  • Update to the latest version of WordPress 
  • Remove unused or outdated plugins and themes 
  • Reinstall known plugins and themes from trusted sources to replace possibly infected files 

This ensures your codebase is clean and closes known vulnerabilities. 

Step 8. Remove Hacked Pages From Google Search Results 

Once your site is clean, address your SEO reputation: 

  • Utilize the Google Remove URL Tool to request the removal of spam URLs indexed due to the hack. This tool is a temporary solution. To permanently remove the URLs, clean your site and ensure the hacked pages return a 404 or 410 status. Then resubmit your sitemap to prompt reindexing. 
  • Resubmit a clean sitemap in Search Console for reindexing. 

This signals to Google that your site is now safe and should be re-crawled. 

How to Prevent Future Japanese Keyword Hacks on your WordPress Site 

Once your site is clean, preventing reinfection is critical. The following practices form a layered security approach that significantly reduces your site’s attack surface. 

Keep WordPress Plugins, Themes, and Core Files Updated 

Outdated plugins, themes, and WordPress core files are the most common entry points for malware. 

  • Update WordPress Core: New releases often contain critical security patches. Enable automatic updates or regularly check for new versions. 
  • Update Plugins and Themes: Vulnerabilities in third-party components are heavily exploited. Set a weekly schedule to review and update all active and inactive add-ons. 
  • Delete Unused Components: Even inactive themes and plugins can be exploited. Remove anything you don’t actively use. 

Secure Admin Access 

Weak credentials and unsecured login pages make it easy for attackers to brute-force their way into your admin panel. 

  • Use Strong Passwords: Avoid using names, dictionary words, or short combinations. Consider passphrases with special characters. 
  • Change the Default “admin” Username: This is the first username hackers try. 
  • Enable Two-Factor Authentication (2FA): Require a second form of verification (like a mobile app or email code) on every login. 
  • Limit Login Attempts: Use tools to lock users out after a certain number of failed logins. 
  • Restrict Access by IP: If your IP is static, block login access for everyone else using .htaccess rules or a plugin. 
  • Disable XML-RPC if not in use: This WordPress feature is often targeted for brute-force attacks and pingback abuse. Disable it with a plugin or .htaccess rule if you’re not using services like Jetpack. 

Use a Web Application Firewall (WAF) 

A Web Application Firewall acts as a gatekeeper between your site and incoming traffic. It filters malicious requests before they even reach your WordPress environment. 

  • Blocks Common Threats: Includes SQL injection, cross-site scripting (XSS), remote file inclusion, and brute-force login attempts. 
  • Monitors Behavior: Many WAFs analyze visitor behavior and detect anomalies such as repeated failed logins or suspicious URL patterns. 
  • Virtual Patching: Some advanced WAFs can shield known plugin vulnerabilities even if you haven’t applied the update yet. 

Don’t DIY Your Site’s Future Security 

Manual cleanup fixes the symptoms—but not the root cause. 

SiteLock helps over 14 million site owners prevent future attacks with: 

  • Automated Daily Scans: Catch new infections before they impact users or SEO rankings. 
  • Database and File Integrity Checks: Identify changes in content tables (wp_posts, wp_options) and core directories. 
  • Real-Time Alerts: Get notified instantly when malware is detected. 
  • Auto-Removal and Quarantine: Some tools can isolate or delete threats automatically. These features require proper server permissions and FTP/SSH access to execute automated actions. 

Get back to running your website. Let SiteLock handle the threats. 

FAQs 

How do I fix the Japanese keyword hack on my WordPress site? 

There are three effective ways to remove the Japanese keyword hack from your WordPress site: 

  1. Use security software to automatically detect and clean malware, and protect against future attacks. 
  2. Hire a malware removal service for fast, expert cleanup and full security reinforcement. 
  3. Manually clean your site by locating infected files, scanning your database, and restoring clean backups—recommended only if you have technical experience. 

What causes the Japanese keyword hack to infect WordPress websites? 

This attack usually exploits outdated plugins or themes, weak admin credentials, or unpatched WordPress versions. Once inside, hackers inject spam into your database and files, often using cloaking to hide it from normal visitors. 

Can I remove the Japanese keyword hack myself without hiring a professional? 

Yes, if you’re technically comfortable working with your server, database, and WordPress file structure. But even a small oversight can leave your site vulnerable. 

Why does Japanese keyword spam appear only in Google search results but not on my site? 

Hackers use cloaking by detecting Googlebot user agents or referrer headers. They serve keyword-stuffed content only to search engines, while showing a clean version to human visitors—making the hack harder to detect manually. 

How does the Japanese keyword hack impact SEO and security on WordPress sites? 

It creates hundreds of spam pages to manipulate search rankings, harms your SEO, and may lead to blacklisting. The longer it goes unnoticed, the greater the risk to your traffic, reputation, and site security. 

Does using Google Search Console remove the Japanese keyword hack permanently? 

No. The Remove URLs tool in Search Console only hides spam pages temporarily. To stop them from reappearing, you must fully clean infected files, remove malware, and close all vulnerabilities.