The Japanese SEO spam hack (also called the Japanese keyword hack) injects thousands of auto-generated Japanese-language pages into your WordPress site. The attacker monetizes them by routing search clicks to counterfeit-goods stores.
You usually find out one of three ways: a customer mentions your site has Japanese pages, your Search Console shows hundreds of new URLs you didn’t create, or your organic traffic suddenly drops because Google has slapped a manual action on you.
The fix in five lines:
- Search site:yourdomain.com 激安 in Google to confirm.
- Find the auto-generated pages in your wp_posts table and the new URLs in Search Console’s Coverage report.
- Remove the loader from wp_options, mu-plugins, theme files, and any added admin user.
- Return all spam URLs as 410 Gone so Google deindexes them.
- Submit a reconsideration request in Search Console once the SERP is clean.
This guide walks through every step, including the Search Console workflow most cleanup guides skip.
Table of Contents
- What is the Japanese SEO spam hack?
- How it differs from the pharma hack
- How to confirm you have it
- Where the malware hides
- Step-by-step removal protocol
- Cleaning Google’s index of the spam URLs
- How to prevent reinfection
- FAQ
1. What is the Japanese SEO Spam Hack?
The Japanese SEO spam hack is a black-hat SEO infection that turns your WordPress site into a doorway for counterfeit-goods sales, usually fake Louis Vuitton, Rolex, Gucci, Nike, or Supreme, targeting Japanese-speaking buyers.
The attacker doesn’t sell anything from your domain. Instead, they:
- Auto-generate thousands of Japanese-language pages on your site, often in randomly-named subdirectories like /wp-content/cache/, /news/2025/12/, or /products/dx7g3h/.
- Submit those pages to Google’s index, often by injecting them into your sitemap.
- Verify themselves as a Search Console property owner via a hidden HTML file or DNS record.
- Use Search Console to push Google to index even more URLs.
- Route clicks to counterfeit-goods storefronts via cloaked redirects, paid by the storefront owner per click.
The signature symptom: Google search results showing Japanese characters mixed with your domain name. Typical examples:
yourdomain.com/news/12/super-copy → 激安 ロレックス スーパーコピー 通販
yourdomain.com/cache/dx7gh3 → ルイヴィトン コピー 激安 偽物
yourdomain.com/p/sneakers-2024 → ナイキ エアジョーダン 偽物 通販
The Japanese keywords most often targeted:
- 激安 (super cheap)
- コピー (copy / counterfeit)
- 偽物 (fake / counterfeit)
- スーパーコピー (super copy — counterfeit luxury)
- 通販 (mail order)
- N級品 (N-grade — counterfeit grade designation)
- ブランド (brand)
- 時計 (watches)
If any of these appear in Google search results paired with your domain, you have the Japanese SEO spam hack.
2. How Japanese SEO Spam Differs From the Pharma Hack
The two are cousins: both are black-hat SEO infections, but the operational details matter for cleanup.
| Aspect | Japanese SEO spam | Pharma hack |
|---|---|---|
| Target keyword type | Counterfeit luxury goods (Japanese) | Prescription drugs (English) |
| Method | Creates new URLs / pages | Injects spam into existing pages |
| Cloaking | Often serves spam to all visitors on spam URLs | Serves spam to Googlebot, clean to humans |
| Search Console signal | Hundreds of new URLs in Coverage; often a hijacked Search Console property owner | “User-generated spam” or “thin content” manual action |
| Sitemap impact | Spam URLs injected into your XML sitemap | Sitemap usually untouched |
| Cleanup difference | Must serve 410 Gone for thousands of URLs | Mostly removing injected content from existing pages |
The Japanese spam variant is harder to clean because of the sheer URL count — typical infections add 500 to 50,000 fake pages to your site. You can’t 404 them one by one; you need an efficient pattern-based response.
3. How to Confirm Your Site Has the Japanese SEO Spam Hack
Check 1 — Direct Google search
In Google, run:
site:yourdomain.com 激安
site:yourdomain.com コピー
site:yourdomain.com スーパーコピー
site:yourdomain.com 偽物
If you don’t read Japanese, also try the romaji:
site:yourdomain.com gekiyasu
site:yourdomain.com supa kopi
Even one Japanese-language result on your domain is confirmation. Sites are typically infected with hundreds to thousands of these pages, so the actual count is usually much higher than the few that appear on the first SERP.
Check 2 — Search Console — Coverage / Pages report
- Open Google Search Console for your property.
- Go to Indexing → Pages.
- Click into Indexed and look at the URL list.
If you see URLs you don’t recognize — especially under random directories or with parameters you never use — those are the spam pages. A normal small business site has 20–500 indexed URLs. A Japanese-spam-infected site frequently has 5,000+ indexed URLs out of nowhere.
Check 3 — Search Console — manual actions
Go to Security & Manual Actions → Manual actions. Common notices for Japanese-spam-infected sites:
- User-generated spam
- Hacked: spam
- Pure spam
- Cloaking and/or sneaky redirects
Check 4 — Search Console — verified owners
Go to Settings → Users and permissions → Verified owners. The Japanese SEO spam attacker often verifies themselves as a property owner so they can submit sitemaps and request indexing on your behalf. If you see a verified owner you don’t recognize — usually a Gmail address — that’s the attacker.
This is one of the most-missed parts of the cleanup. Even after you remove the malware from your server, the attacker still has Search Console access and will reinject the spam.
Check 5 — Sitemap inspection
Visit https://yourdomain.com/sitemap.xml (or /sitemap_index.xml) directly. Look for URLs you didn’t create. The Japanese SEO spam family commonly:
- Adds a separate sitemap like /sitemap_japan.xml or /wp-content/cache/sitemap.xml.
- Modifies your existing sitemap to include spam URLs.
- Submits its own sitemap directly through the verified-owner Search Console foothold.
Check 6 — Database scan
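-- Posts containing Japanese characters that you didn't write
-- ([一-龯] covers kanji, CJK Unified Ideographs U+4E00 to U+9FAF; kana-only text is not matched)
-- Character ranges like this need a Unicode-aware REGEXP (MySQL 8.0.4+ with ICU); older MySQL matches byte-wise.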
SELECT ID, post_title, post_status, post_date, post_type
FROM wp_posts
WHERE post_title REGEXP '[一-龯]'
OR post_content REGEXP '[一-龯]'
OR post_name REGEXP '[一-龯]'
ORDER BY post_date DESC
LIMIT 100;
If you don’t run a Japanese-language site, every result here is malicious.
4. Where the Japanese SEO Spam Malware Hides
Like the pharma hack, the Japanese SEO spam family uses redundant persistence. Cleaning only the visible symptoms guarantees reinfection.
Location 1: Spam pages in wp_posts
The most visible component. Auto-generated post_type='post' or 'page' records, often with post_status='publish' and post_date clustered within a single hour. Frequently the post_author is a hidden admin user the attacker created.
Location 2: Auto-generated PHP files
# PHP files in /wp-content/uploads/, cache directories, or unusual locations
find /var/www/yoursite/wp-content/uploads/ -name "*.php"
find /var/www/yoursite/ -name "sitemap*.xml" -newer /var/www/yoursite/wp-config.php
# PHP files newer than wp-config.php that sit outside core, theme, and plugin directories
find /var/www/yoursite/ -name "*.php" -newer /var/www/yoursite/wp-config.php \
| grep -vE "/(wp-includes|wp-admin|wp-content/(themes|plugins))/"
Common drops include wp-content/uploads/cache/spam.php, news/index.php, wp-content/cache/sitemap.xml, and wp-content/uploads/.spam/.
Location 3: .htaccess rewrite rules
The Japanese SEO spam often pairs the new URLs with rewrite rules that route them through a single PHP generator:
# Injected at top of .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^news/.*$ /wp-content/uploads/cache/sp.php [L]
RewriteRule ^p/.*\.html$ /wp-content/uploads/cache/sp.php [L]
RewriteRule ^cache/.*$ /wp-content/uploads/cache/sp.php [L]
</IfModule>
Anything routing whole URL patterns to a single file in /wp-content/ is malicious.
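The rule of thumb above can be applied mechanically to a copy of the file. The following is an added example, not code from the original guide: it scans .htaccess text for RewriteRule lines whose target sits under /wp-content/ and records whether each one lies outside the stock WordPress block. The function name and the sample file are constructed for illustration.

```python
import re

# Wildcards that make one rule capture a whole URL subtree (^news/.*$ etc.).
WILDCARD = re.compile(r"\.[*+]")
# Rewrite targets inside wp-content; the guide treats these as malicious.
WP_CONTENT_TARGET = re.compile(r"^/?wp-content/", re.IGNORECASE)


def audit_htaccess(text):
    """Return one finding per RewriteRule that routes a URL pattern into wp-content."""
    findings = []
    in_wp_block = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            # WordPress wraps its own rules in BEGIN/END marker comments.
            if line == "# BEGIN WordPress":
                in_wp_block = True
            elif line == "# END WordPress":
                in_wp_block = False
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        pattern, target = parts[1], parts[2]
        if target == "-":
            continue  # no substitution (e.g. [G] or [F]): nothing is routed
        if WP_CONTENT_TARGET.match(target):
            findings.append({
                "line": lineno,
                "pattern": pattern,
                "target": target,
                "wildcard": bool(WILDCARD.search(pattern)),
                "inside_wp_block": in_wp_block,
            })
    return findings


# Constructed sample: the injected block shown above, then the stock
# WordPress block, then a harmless 410 rule (the ^old/ path is made up).
SAMPLE_HTACCESS = r"""
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^news/.*$ /wp-content/uploads/cache/sp.php [L]
RewriteRule ^p/.*\.html$ /wp-content/uploads/cache/sp.php [L]
RewriteRule ^cache/.*$ /wp-content/uploads/cache/sp.php [L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^old/.* - [G,L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {f['line']}: {f['pattern']} -> {f['target']}")
```

Run it against the infected copy from your forensic backup as well as the live file, so you can confirm the injected rules are gone after Step 5.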
Location 4: Hidden admin user
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
INNER JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
Look for accounts created within the same week the spam appeared. The author of the spam posts in wp_posts is usually this user.
Location 5: Verified Search Console owner
Already covered in Check 4. The attacker verifies via either:
- A hidden HTML file at /google[hash].html in your webroot.
- A DNS TXT record (less common; rarely seen unless the attacker compromised hosting/DNS too).
Search your webroot for any google*.html files you don’t recognize, and your DNS for unfamiliar TXT records starting with google-site-verification=.
Location 6: mu-plugins loader
ls -la /var/www/yoursite/wp-content/mu-plugins/
Most installs have nothing here by default. Anything you don’t recognize is suspicious.
Location 7: Encoded payload in wp_options
SELECT option_name, LENGTH(option_value) AS size FROM wp_options
WHERE LENGTH(option_value) > 5000
AND (option_value LIKE '%base64_decode%'
OR option_value LIKE '%eval(%'
OR option_value LIKE '%str_rot13%')
ORDER BY size DESC LIMIT 20;
Location 8: Sitemap injection
Look at every sitemap URL listed at /robots.txt and the root XML sitemap. Any sitemap pointing to /wp-content/cache/, /news/, or directories you don’t use is malicious.
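The sitemap checks in Check 5 and in this location can be run over a downloaded copy of each sitemap. The following is an added example, not code from the original guide: it parses a sitemap or sitemap index and reports entries in the directories named above, entries with Japanese slugs, and child sitemaps you did not expect. The function name, the expected_children parameter, and both sample documents are constructed; adjust SUSPECT_PREFIXES if your site legitimately uses /news/.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
# Directories the guide names as spam locations; add ones your site never uses.
SUSPECT_PREFIXES = ("/wp-content/cache/", "/news/")
# Hiragana, Katakana and CJK ideographs.
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")


def audit_sitemap(xml_text, expected_children=()):
    """Return (url, reason) for every <loc> that does not belong in the sitemap."""
    # The sitemap of a compromised site is attacker-influenced input;
    # for live use, parse it with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    is_index = root.tag == "{%s}sitemapindex" % NS["sm"]
    findings = []
    for loc in root.iterfind(".//sm:loc", NS):
        url = (loc.text or "").strip()
        # Sitemaps percent-encode non-ASCII slugs, so decode before matching.
        path = unquote(urlsplit(url).path)
        if path.startswith(SUSPECT_PREFIXES):
            reason = "spam directory"
        elif JAPANESE.search(path):
            reason = "Japanese slug"
        elif is_index and path not in expected_children:
            reason = "unexpected child sitemap"
        else:
            continue
        findings.append((url, reason))
    return findings


# Constructed sample data, modelled on the paths quoted in this guide.
SAMPLE_INDEX = """
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://yourdomain.com/post-sitemap.xml</loc></sitemap>
  <sitemap><loc>https://yourdomain.com/sitemap_japan.xml</loc></sitemap>
  <sitemap><loc>https://yourdomain.com/wp-content/cache/sitemap.xml</loc></sitemap>
</sitemapindex>
"""
SAMPLE_URLSET = f"""
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://yourdomain.com/about/</loc></url>
  <url><loc>https://yourdomain.com/news/12/super-copy</loc></url>
  <url><loc>https://yourdomain.com/{quote('激安')}-rolex/</loc></url>
</urlset>
"""

if __name__ == "__main__":
    for url, reason in audit_sitemap(SAMPLE_INDEX, ("/post-sitemap.xml",)):
        print(f"{reason}: {url}")
    for url, reason in audit_sitemap(SAMPLE_URLSET):
        print(f"{reason}: {url}")
```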
5. Step-by-step Removal Protocol
These steps run in order. Skipping or reordering causes reinfection.
Step 0 — Back up the infected state for forensics
tar -czf infected-files-$(date +%Y%m%d-%H%M).tar.gz /var/www/yoursite/
mysqldump -u root -p yoursite_db > infected-db-$(date +%Y%m%d-%H%M).sql
Mark both archives clearly as infected. Don’t restore from them later.
Step 1 — Maintenance mode
wp maintenance-mode activate
Step 2 — Revoke the attacker’s Search Console access first
Before doing anything to your server, sign in to Google Search Console, go to Settings → Users and permissions → Verified owners, and remove the unauthorized owner. Then:
- Delete the /google[hash].html file from your webroot.
- Remove any unauthorized google-site-verification= TXT record from your DNS.
If you skip this step, the attacker can re-submit your sitemap and reindex spam URLs even after you’ve cleaned the server.
Step 3 — Replace WordPress core, themes, plugins
cp wp-config.php /tmp/wp-config.php.safe
cp -r wp-content/uploads /tmp/uploads.safe
wp core download --force --skip-content
wp plugin list --field=name | xargs -I {} wp plugin install {} --force
wp theme list --field=name | xargs -I {} wp theme install {} --force
# Delete every nulled or pirated plugin/theme
Step 4 — Empty the mu-plugins directory
rm -rf /var/www/yoursite/wp-content/mu-plugins/
mkdir /var/www/yoursite/wp-content/mu-plugins/
Step 5 — Clean .htaccess
Replace with the WordPress default block. Check for any RewriteRule lines pointing to /wp-content/ or directories you don’t use.
Step 6 — Delete the spam pages from wp_posts
This is the high-volume part. Don’t delete posts containing Japanese characters one by one — write a single SQL query that captures the spam pattern:
-- Identify what to delete first (always run a SELECT before a DELETE)
SELECT ID, post_title, post_date, post_type
FROM wp_posts
WHERE (post_title REGEXP '[一-龯]' OR post_content REGEXP '[一-龯]')
AND post_author IN (SELECT ID FROM wp_users WHERE user_login IN ('the_rogue_admin'))
LIMIT 200;
-- Once you've reviewed and confirmed, delete:
DELETE p, pm
FROM wp_posts p
LEFT JOIN wp_postmeta pm ON pm.post_id = p.ID
WHERE (p.post_title REGEXP '[一-龯]' OR p.post_content REGEXP '[一-龯]')
AND p.post_author IN (SELECT ID FROM wp_users WHERE user_login IN ('the_rogue_admin'));
Replace 'the_rogue_admin' with the actual hidden admin’s user_login. If the spam was attributed to the legitimate admin (rare but possible), use a date filter instead:
DELETE p, pm FROM wp_posts p
LEFT JOIN wp_postmeta pm ON pm.post_id = p.ID
WHERE (p.post_title REGEXP '[一-龯]' OR p.post_content REGEXP '[一-龯]')
AND p.post_date >= '2025-12-01' -- adjust to when the spam appeared
AND p.post_status IN ('publish', 'draft', 'private');
After the delete, run:
-- Clean orphaned terms and term_relationships
DELETE FROM wp_term_relationships
WHERE object_id NOT IN (SELECT ID FROM wp_posts);
Step 7 — Remove unauthorized admins
DELETE FROM wp_users WHERE ID = <rogue_id>;
DELETE FROM wp_usermeta WHERE user_id = <rogue_id>;
Step 8 — Clean wp_options
SELECT option_name, LENGTH(option_value) AS size
FROM wp_options
WHERE LENGTH(option_value) > 50000
OR option_value LIKE '%base64_decode%'
OR option_value LIKE '%eval(%'
ORDER BY size DESC;
Review and delete suspicious entries.
Step 9 — Delete the spam files in /wp-content/
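# Marker file dated just before the infection began (adjust the date)
touch -d "2025-12-01" /tmp/known-clean-marker
# Files added since then, excluding the dated media folders
find /var/www/yoursite/wp-content/ -newer /tmp/known-clean-marker -type f \
-not -path "*/uploads/[0-9][0-9][0-9][0-9]/*"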
/wp-content/uploads/[year]/[month]/ should contain only your media uploads. Anything else in /wp-content/ outside of plugin and theme directories deserves scrutiny.
Step 10 — Return 410 Gone for spam URLs (so Google deindexes them)
This is the step most cleanup guides skip and it is what makes the difference between a 7-day SEO recovery and a 6-month one.
For a manageable list of spam URLs (under 500), add specific 410 rules to .htaccess:
# Force 410 Gone for known spam patterns
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^news/.* - [G,L]
RewriteRule ^p/.* - [G,L]
RewriteRule ^cache/.* - [G,L]
</IfModule>
For larger spam URL counts, route everything matching the spam pattern through a 410 generator:
# Send 410 for any URL that looks like the spam pattern
RewriteCond %{REQUEST_URI} (激安|コピー|偽物|スーパーコピー)
RewriteRule .* - [G,L]
Make sure every spam URL returns HTTP 410 Gone, not 404 — Google deindexes 410 about 30% faster than 404.
Verify with curl:
curl -I https://yourdomain.com/news/spam-page-slug
# Should show: HTTP/1.1 410 Gone
Step 11 — Generate a clean sitemap
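# If you use Yoast or RankMath, they regenerate automatically.
# WordPress 5.5+ core also serves /wp-sitemap.xml dynamically, with no generate step.
# Otherwise (this subcommand is not part of WP-CLI core; it needs a sitemap plugin that registers it):
wp sitemap generate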
Submit the new sitemap in Search Console (Indexing → Sitemaps).
Step 12 — Rotate every credential
Same as the pharma and redirect hack guides — WordPress passwords, database password, SFTP/SSH, hosting control panel, and wp-config.php salts. Use:
wp user list --field=ID | xargs -I {} wp user reset-password {}
curl https://api.wordpress.org/secret-key/1.1/salt/
Step 13 — Verify the cleanup
# Should return zero
grep -rEln "eval\s*\(|base64_decode|str_rot13" /var/www/yoursite/ \
| grep -vE "(wp-includes|vendor|node_modules)/"
find /var/www/yoursite/wp-content/uploads/ -name "*.php"
# Verify spam URLs return 410
for url in /news/test /p/test /cache/test; do
echo "$url: $(curl -s -o /dev/null -w '%{http_code}' https://yourdomain.com$url)"
done
Step 14 — Remove maintenance mode
wp maintenance-mode deactivate
6. Cleaning Google’s Index of the Spam URLs
Removing the malware doesn’t remove the spam from Google. You have to push Google to recrawl and deindex.
Step 1 — Submit the new clean sitemap
Already done in Step 11 above. This tells Google what the real URL set is.
Step 2 — Use the URL Removals tool for top spam URLs
In Search Console, go to Indexing → Removals → New request. For each highest-impact spam URL (your top 10–50), submit a temporary removal. This hides the URL from Google’s results immediately while the 410 propagates.
Step 3 — Submit a reconsideration request (if you have a manual action)
Go to Security & Manual Actions → Manual actions → Request review. In the request, describe:
- The infection (Japanese SEO spam).
- The cleanup steps (paraphrase steps 2–13).
- The fact that all spam URLs now return 410 Gone.
- The prevention measures now in place.
Reviews take 7–14 days for Japanese SEO spam, longer than for pharma because of the URL volume Google has to recrawl.
Step 4 — Track recovery
In the Search Console Performance report, watch:
- Spam keyword impressions (激安, コピー, etc.) drop to zero — typically within 14–30 days.
- Total indexed URL count drops back to your real number — typically within 30–90 days.
- Your real keyword impressions recover — typically within 30–90 days.
For sites with 10,000+ spam URLs indexed, full recovery can take 3–6 months.
7. How to Prevent Reinfection
Japanese SEO spam infections recur in roughly 50% of sites within 30 days of cleanup if prevention isn’t in place. The recurring failure modes:
1. The original entry point wasn’t closed
Same as every WordPress hack: if the vulnerable plugin or theme remained, attackers re-enter and rebuild. Audit:
- All plugins against WPScan’s vulnerability database.
- Page-builder plugins (Elementor add-ons, WPBakery extensions) which have been a top entry vector for Japanese SEO spam in 2024–2026.
- Form plugins and “shortcode injector” plugins.
2. The Search Console verified-owner foothold remained
If you didn’t revoke the attacker’s verified ownership in Search Console, they can re-submit a sitemap and reindex spam without ever touching your server. This is the reinfection vector that surprises most cleanup teams.
3. The 410 responses weren’t actually 410
Sometimes a host or CDN config converts 410 into a soft 200 with empty content. Google never deindexes those. Always verify with curl -I.
4. No virtual patching for the next zero-day
Same problem as every other WordPress malware family. Virtual patching at the WAF blocks exploitation before the official plugin patch arrives.
A Prevention Checklist
- Server-side malware scanning (outside the WordPress PHP process).
- WAF with virtual patching for top plugin CVEs.
- 2FA enforced on every admin.
- Search Console verified-owner list reviewed quarterly.
- PHP execution disabled in /wp-content/uploads/.
- DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS in wp-config.php.
- Post creation rate-limited (no legitimate site creates 1,000 posts in an hour).
- Daily off-server backups, restored quarterly to verify.
- Database scanning enabled.
- Hidden-admin-user detection enabled.
- Quarterly plugin/theme audit.
GuardianGaze’s server-side scanning catches the database-resident half of Japanese SEO spam that file-based plugins miss, and its WAF blocks the most common exploitation patterns before they reach WordPress. Get the free plugin to start, or see paid plans for virtual patching.
8. Frequently Asked Questions
Why is my WordPress site showing Japanese characters in Google search results?
Your site has the Japanese SEO spam hack — attackers have created auto-generated Japanese-language pages on your domain to monetize counterfeit-goods traffic. Visit any spam URL directly and you’ll see the page content; in your WordPress admin you’ll find new posts you didn’t create.
Will deleting the spam pages remove them from Google?
Eventually, but slowly. Deletion produces 404s, which Google deindexes after multiple recrawls (often 4–8 weeks). Returning 410 Gone instead deindexes about 30% faster. Combined with the Search Console URL Removals tool for top URLs, you can clear the most damaging URLs from search results within a week.
Why do I see new Japanese pages even after cleaning my server?
Two common reasons. First: the attacker is still verified as a Search Console owner and is re-submitting sitemaps. Revoke that access immediately. Second: a database loader you missed is regenerating the pages every time WP-Cron runs. Check wp_options for encoded payloads and review every scheduled cron event.
Can a security plugin detect Japanese SEO spam?
Most plugins detect the file-resident parts (the rewrite rules in .htaccess, the PHP generator file in /wp-content/uploads/) but miss the database half — the auto-generated posts in wp_posts, the loader in wp_options, and the hidden admin user. Plugins running inside the WordPress PHP process can also be tampered with by sophisticated variants of this malware. Server-side scanning that runs outside WordPress is more reliable.
How did the Japanese SEO spam get on my site?
The most common 2024–2026 entry vectors: an outdated page-builder plugin or add-on (40%), an outdated form plugin (20%), a nulled or pirated premium plugin/theme (20%), a brute-forced admin password (10%), and shared-hosting cross-contamination (10%).
Why does the Japanese SEO spam target my site if I’m not in Japan?
Counterfeit-goods spam targets Japanese-speaking buyers regardless of where the host site is. Attackers prefer compromised non-Japanese sites because they have established Google trust and rank well in international SERPs. Your domain is just a doorway; the actual buyer-facing storefront is hosted elsewhere.
Should I disavow the spam URLs in Search Console?
No. Disavow is for backlinks pointing at your site. The Japanese SEO spam URLs are on your site, so they deindex when you delete them and serve 410. Don’t waste time on disavow files for this.
My site still ranks for Japanese keywords months after cleanup. Why?
Two possibilities. Either some spam URLs are still returning 200 instead of 410 (verify with curl -I for a few suspect URLs), or Google hasn’t recrawled them yet. Submit a fresh sitemap, use the URL Removals tool, and use URL Inspection → Request indexing on your most important real pages to push Google to recrawl your domain in general.