How to Remove the Japanese Keyword Hack from Your Website and Recover SEO

Key Takeaways

• Manual malware removal requires deleting hidden scripts from core files, but a single mistake can break your site or miss hidden backdoors entirely.
• Security plugins are safer than manual editing but drain server resources and cannot help if the hack locks you out of your wp-admin dashboard.
• Automate the entire cleanup at the server level with Cloudways Malware Protection to instantly remove threats for just $4/month per application.

A Japanese keyword hack replaces your search engine listings with foreign spam text. As a result of this, your organic traffic drops because users see gibberish instead of your actual content, and Google starts ranking you for spam keywords instead of your real business terms.

Handling a Japanese keyword hack is a critical part of your overall website security strategy. To fix it permanently and restore your traffic, you must find out exactly how the attackers bypassed your defenses and where they hid their malicious code.

In this guide, we explain how this hack works and give you two ways to fix it: a step-by-step manual cleanup, and an automated removal process using Cloudways Malware Protection.

What is the Japanese Keyword Hack?

The Japanese keyword hack is a targeted Black Hat SEO spam technique. Hackers find a vulnerability in your WordPress site and use it to automatically generate thousands of hidden pages. These pages are filled with Japanese text and affiliate links.

The motive behind this attack is purely financial. Attackers want to hijack your domain’s established reputation with search engines. They use your site authority to rank their own spam pages and sell counterfeit goods, such as fake designer bags or watches, in overseas search markets.

Unlike a WordPress redirect hack that immediately sends your human visitors to a spam site, the Japanese keyword hack uses cloaking to hide from you while targeting search engines.

If you visit your homepage normally, everything looks fine. But when Google visits, its bots see the injected spam pages. This makes the infection incredibly difficult to spot until the damage to your search rankings is already done.

Fix the Japanese Keyword Hack Automatically

Manual cleanup often misses the hidden backdoors that cause this hack to regenerate. Cloudways Malware Protection scans your server to find and remove these malicious scripts automatically.

Get Protected

How Does the Japanese Keyword Hack Infect Your Website?

Attackers do not usually target your specific business manually. They use automated bots to scan the web for known weaknesses in website infrastructure. Once they find a gap, they inject their spam scripts. Here are the most common entry points.

Outdated Plugins and Themes

Developers release updates to patch discovered security holes. If you leave plugins or themes running on older versions, those unpatched vulnerabilities act as an open door. Bots easily exploit these known flaws to gain backend access to your WordPress installation.

Weak Credentials

Your wp-admin login page is a primary target. Hackers deploy brute-force attacks using scripts to guess thousands of username and password combinations in minutes. Without strong passwords and proper rate limiting, they will eventually break in and gain administrative control.

Incorrect File Permissions

Your server file permissions dictate who can read, write, or execute data. If your permissions are too loose, malicious scripts have the freedom to write new files directly into your server directories. This is exactly how the hidden Japanese spam pages are generated and stored on your site.

Common Signs of Japanese Keyword Hack

Since the Japanese keyword hack relies on cloaking, your website might look completely normal to you and your human visitors. You have to look at the specific signals search engines use to spot the problem.

Google Search Results

The easiest way to check for an infection is by running a manual site search. Go to Google and type site:yourdomain.com into the search bar. Look through the indexed pages. If you see Japanese characters in the titles or meta descriptions, your site is compromised.

Source: support.google.com

Detecting Cloaking

Hackers use cloaking to hide the spam from site owners. To see exactly what Google sees, log into your Google Search Console. Run a suspicious URL through the URL Inspection Tool and view the crawled page. If the rendered HTML shows spam instead of your actual content, you have uncovered the hidden infection.

Rogue Google Search Console Users

Hackers want to force Google to index their new spam pages quickly. To do this, they often verify their own accounts as property owners in your Google Search Console. Check your user and permission settings and look for any unrecognized Gmail accounts added as “Owners.”

Modified Sitemaps

Your sitemap is a roadmap for search engines. Attackers will modify your existing sitemap.xml file or generate new ones entirely to include thousands of their spam links. If you notice unfamiliar URLs in your sitemap, you need to scan your website for malware immediately.

How to Find and Remove the Hack Manually

Cleaning an infected server by hand is highly technical and carries significant risk. You have to locate and delete the malicious code without breaking your core application.

Manual WordPress malware removal requires extreme caution. Deleting the wrong line of code will break your site entirely.

Step 1: Take a Full Backup

Never edit server files without saving a backup first. If you delete a critical core file by accident, your site will crash. Before you touch any code, you need to save a copy of everything.

• Download your files: Download a free FTP program like FileZilla. Enter your server IP address, username, and password to connect. Find your public_html folder (your root web directory) and drag the entire folder to your local computer.

• Export your database: Log into your hosting control panel, open phpMyAdmin, select your WordPress database, and click the Export tab to download a copy.

• For Cloudways Users: You can skip the manual FTP and database steps. Simply log into your account, go to Application Management, select your infected website, click Backup And Restore, and hit the “Take Backup Now” button.

Step 2: Remove Rogue GSC Owners

You need to stop the attacker from forcing Google to index their spam. If you don’t do this now, they’ll just submit new spam sitemaps tomorrow and you’ll be back where you started.

• Log into Google Search Console and select your property.
• Click Settings at the bottom left, then choose Users and permissions.

• Look at the list of owners. If you see an email address you do not recognize, click the three dots next to their name and select Remove access.

• Watch for a warning notification. Google will warn you if the user might regain access using an existing ownership token.
• Find the specific token. You can click “Unused ownership tokens” on the Users and permissions page to see exactly what the hacker used to verify their account.

• Delete the token from your site. If it is an HTML file, use FileZilla to find that exact file name in your root directory and delete it. If it is an HTML tag, remove it from your theme’s header code.

Step 3: Check the .htaccess File

The .htaccess file controls how your server handles incoming traffic. Hackers modify this file so it shows spam content specifically to search engine bots while displaying your normal site to regular visitors.

• Open FileZilla and connect to your server.
• Locate the .htaccess file in your root folder and download it so you can edit it.

• Look for blocks of code designed to intercept search engines. You will typically see HTTP_USER_AGENT listed right next to googlebot, bingbot, or yandex.
• Right below that condition, you will spot a RewriteRule that redirects the bot traffic to a foreign domain, just like the .jp link shown in the screenshot below.

• Delete that entire block of malicious code. Save the file and upload it back to the server to restore your default WordPress routing rules.

Step 4: Hunt for Rogue PHP Files

Attackers conceal their spam generating scripts across your server directories. They intentionally use unassuming file names, like wp-options.php, to blend in with legitimate core files and avoid detection.

You must manually inspect these directories to locate and remove them.

• Use FileZilla to navigate to your wp-content/uploads directory. As shown in the screenshot below, this folder is designed exclusively for image and media storage. If you spot a standalone PHP file resting among your date folders, it is highly suspicious.

• Right click and view the contents of any out of place file. Malicious scripts are almost always obfuscated to hide their true purpose from security scanners.
• As you can see in the screenshot below, if the file contains broken up function names or long blocks of unreadable, scrambled text, delete it immediately.

• Repeat the same kind of inspection we just did in your wp-includes directory as well. Scan for files with names that mimic core system files but look slightly off, such as index-config.php or wp-options.php.

Step 5: Clean Your Sitemap

Once the malicious files have been removed, you need to clear out the spam links left behind for search engines. If you leave these in place, Google will continue trying to crawl the dead spam pages.

• If you rely on a static sitemap.xml file, open it via FileZilla. As shown in the screenshot below, you will see obvious foreign characters or strange product URLs mixed in with your normal site pages. Manually delete those specific <url> blocks and save the file.

• If you use an SEO plugin like Yoast or RankMath, the process is much easier. Simply navigate to the plugin settings, toggle the XML sitemap feature off, save your changes, and turn it back on. This forces the plugin to build a fresh, clean sitemap automatically.

The Hidden Dangers of Manual Cleanup

Even if you follow all the steps we just covered to manually remove the hack, there still might be hidden threats left behind on your server.

Your site might look clean for a brief moment. But trying to clear out a complex attack manually comes with significant risks that usually lead to failure.

Breaking Your Live Website

You are essentially performing surgery on your server. Deleting the wrong PHP script or making a single typo in your .htaccess file will instantly crash your application. One mistake takes your site offline entirely, adding downtime to your existing SEO problems.

The Backdoor Loop

When attackers initially compromised your site, they did not just drop the spam pages. They also hid a heavily scrambled script called a backdoor deep inside an obscure directory. This secret entrance lets them get back in without needing a password.

If you clean the visible infection and log out, that hidden backdoor script quietly executes in the background. It instantly regenerates the malicious routing rules and creates thousands of new Japanese spam pages all over again.

A Better Approach

If you do not find and destroy every single backdoor, the infection will keep coming back. Finding these scripts manually is nearly impossible because they are designed to look like legitimate WordPress code.

Instead of risking your uptime and wasting hours digging through files, you can automate the entire cleanup process using the Cloudways Malware Protection add-on.

The Automated Solution: Cloudways Malware Protection Add-on

Finding hidden scripts across your server directories takes time and technical skill. To simplify this process, we built the Malware Protection add on directly into the Cloudways platform.

Powered by Imunify360, this tool scans at the OS level. Because it operates this deep, it hardens your overall server security rather than just checking standard WordPress folders. It finds and removes the root cause from the server side, so you do not even need access to your WordPress dashboard to clear the infection.

Here is how the add on automatically resolves the Japanese keyword hack:

• Automated Backdoor Cleanup: Instead of you guessing which PHP file in your uploads folder is fake, the system scans your entire server environment. It automatically locates obfuscated scripts and cleans the infected code while keeping your legitimate site files perfectly intact.
• Deep Database Protection: The Japanese keyword hack often hides inside database tables or sets up malicious cron jobs to regenerate the spam. Our scanner digs directly into your database to wipe out these hidden triggers.
• Active Threat Blocking: This add-on uses runtime application self-protection (RASP) to automatically isolate and remove the hidden backdoors before they can execute. It stops malicious scripts from rewriting your .htaccess file or generating new spam links in real time.

How to Enable the Automated Cleanup

Activating the add on takes just a few clicks. The initial scan runs entirely in the background so it will not impact your website performance.

Step 1: Head to Application Security

Log into your Cloudways platform and select your target application. From the left hand management menu, click on Application Security.

Step 2: Turn On Malware Protection Add-on

Select the Malware Protection tab and click the Enable Protection button. This instantly turns on real time monitoring and triggers a comprehensive, automated scan across your web directories and your database to hunt down the spam generators.

Step 3: Check the Scan Results

Once the add on is active, you can monitor the cleanup process through three simple tabs:

• Malicious: This lists the isolated threats. It shows the exact file path where the backdoor was found and confirms if it was Cleaned, Quarantined, or Removed.
• Scan History: Review a complete log of all past automated scans or click “Start Scan” to trigger an immediate check.
• Proactive Defense: This is your runtime protection log. It details any events where malicious PHP scripts were blocked from executing.

How to Rebuild Your SEO and Prevent Reinfection

Once your server is entirely free of malware and backdoors, your job is still not quite done. You need to fix the damage done to your search rankings and lock your doors so the attackers cannot return.

Force Google to Recrawl Your Site

If you do nothing, the Japanese characters will remain in your search results for weeks until Google naturally recrawls your domain. You need to speed this process up.

Go to Google Search Console and enter your homepage and top ranking URLs into the URL Inspection tool at the top of the dashboard. Click “Request Indexing.” This forces Googlebot to visit your clean site and drop the spam pages from the search index.

Patch Your Vulnerabilities

To ensure a permanent fix, you must address the original vulnerability that granted attackers access. Start by removing any inactive themes or plugins residing on your server, as unused software serves as a major security liability.

Next, you must perform a full update of your WordPress core, all active plugins, and your theme.

If you are concerned that running a major update might break your site layout, you can automate the entire process using Cloudways SafeUpdates.

SafeUpdates takes a backup, tests the updates in the background to ensure your site looks exactly the same, and then applies them to your live application. It keeps your software current and closes the vulnerabilities that bots exploit without requiring you to manually check every plugin.

Block Automated Bots with a WAF

The Japanese keyword hack is spread by automated bots constantly scanning the internet for outdated plugins and weak passwords. The most effective way to prevent reinfection is to block these malicious bots from ever reaching your WordPress environment.

Activating Cloudflare Enterprise on your Cloudways account adds a Web Application Firewall (WAF) to your site. Using a WAF stops the bots before they hit your server. If you aren’t sure how this works, read our guide on WAF vs. firewall differences to see how edge protection keeps your application safe.

Wrapping Up!

The Japanese keyword hack directly targets your search rankings to promote counterfeit goods, illegal gambling, and other spam industries. While you can attempt to clean the infection by hand, manual file hunting is dangerous and often ineffective due to hidden backdoors. If you miss a single malicious script, the spam will regenerate.

Manually digging through server files to find these hidden scripts takes hours and puts your live site at risk.

Instead of guessing which files to delete, you can use Cloudways Malware Protection to handle the entire cleanup. It locates and removes the backdoors automatically, securing your server so you can get back to recovering your search rankings.