{"id":115,"date":"2026-05-06T11:00:05","date_gmt":"2026-05-06T11:00:05","guid":{"rendered":"https:\/\/www.guardiangaze.com\/blog\/?p=115"},"modified":"2026-05-04T10:42:11","modified_gmt":"2026-05-04T10:42:11","slug":"wordpress-japanese-seo-spam","status":"publish","type":"post","link":"https:\/\/www.guardiangaze.com\/blog\/wordpress-japanese-seo-spam\/","title":{"rendered":"WordPress Japanese SEO Spam Hack: Detection, Removal &#038; Prevention (2026)"},"content":{"rendered":"<p>The <strong>Japanese SEO spam hack<\/strong> (also called the <em>Japanese keyword hack<\/em>) injects thousands of auto-generated Japanese-language pages into your WordPress site. The attacker monetizes them by routing search clicks to counterfeit-goods stores.<\/p>\n<p>You usually find out one of three ways: a customer mentions your site has Japanese pages, your Search Console shows hundreds of new URLs you didn&#8217;t create, or your organic traffic suddenly drops because Google has slapped a manual action on you.<\/p>\n<p>The fix in five lines:<\/p>\n<ol>\n<li><strong>Search <code>site:yourdomain.com \u6fc0\u5b89<\/code><\/strong> in Google to confirm.<\/li>\n<li><strong>Find the auto-generated pages<\/strong> in your <code>wp_posts<\/code> table and the new URLs in Search Console&#8217;s Coverage report.<\/li>\n<li><strong>Remove the loader<\/strong> from <code>wp_options<\/code>, <code>mu-plugins<\/code>, theme files, and any added admin user.<\/li>\n<li><strong>Return all spam URLs as 410 Gone<\/strong> so Google deindexes them.<\/li>\n<li><strong>Submit a reconsideration request<\/strong> in Search Console once the SERP is clean.<\/li>\n<\/ol>\n<p>This guide walks through every step, including the Search Console workflow most cleanup guides skip.<\/p>\n<h2>Table of Contents<\/h2>\n<ol>\n<li>What is the Japanese SEO spam hack?<\/li>\n<li>How it differs from the pharma hack<\/li>\n<li>How to confirm you have it<\/li>\n<li>Where the malware hides<\/li>\n<li>Step-by-step removal 
protocol<\/li>\n<li>Cleaning Google&#8217;s index of the spam URLs<\/li>\n<li>How to prevent reinfection<\/li>\n<li>FAQ<\/li>\n<\/ol>\n<h2>1. What is the Japanese SEO Spam Hack?<\/h2>\n<p>The Japanese SEO spam hack is a black-hat SEO infection that turns your WordPress site into a doorway for counterfeit-goods sales, usually fake Louis Vuitton, Rolex, Gucci, Nike, or Supreme, targeting Japanese-speaking buyers.<\/p>\n<p>The attacker doesn&#8217;t sell anything from your domain. Instead, they:<\/p>\n<ol>\n<li>Auto-generate <strong>thousands of Japanese-language pages<\/strong> on your site, often in randomly-named subdirectories like <code>\/wp-content\/cache\/<\/code>, <code>\/news\/2025\/12\/<\/code>, or <code>\/products\/dx7g3h\/<\/code>.<\/li>\n<li>Submit those pages to Google&#8217;s index, often by injecting your sitemap.<\/li>\n<li><strong>Verify themselves<\/strong> as a Search Console property owner via a hidden HTML file or DNS record.<\/li>\n<li>Use Search Console to push Google to index even more URLs.<\/li>\n<li>Route clicks to counterfeit-goods storefronts via cloaked redirects, paid by the storefront owner per click.<\/li>\n<\/ol>\n<p>The signature symptom: Google search results showing Japanese characters mixed with your domain name. 
Typical examples:<\/p>\n<pre><code>yourdomain.com\/news\/12\/super-copy \u2192 \u6fc0\u5b89 \u30ed\u30ec\u30c3\u30af\u30b9 \u30b9\u30fc\u30d1\u30fc\u30b3\u30d4\u30fc \u901a\u8ca9\r\nyourdomain.com\/cache\/dx7gh3 \u2192 \u30eb\u30a4\u30f4\u30a3\u30c8\u30f3 \u30b3\u30d4\u30fc \u6fc0\u5b89 \u507d\u7269\r\nyourdomain.com\/p\/sneakers-2024 \u2192 \u30ca\u30a4\u30ad \u30a8\u30a2\u30b8\u30e7\u30fc\u30c0\u30f3 \u507d\u7269 \u901a\u8ca9\r\n<\/code><\/pre>\n<p>The Japanese keywords most often targeted:<\/p>\n<ul>\n<li><strong>\u6fc0\u5b89<\/strong> (super cheap)<\/li>\n<li><strong>\u30b3\u30d4\u30fc<\/strong> (copy \/ counterfeit)<\/li>\n<li><strong>\u507d\u7269<\/strong> (fake \/ counterfeit)<\/li>\n<li><strong>\u30b9\u30fc\u30d1\u30fc\u30b3\u30d4\u30fc<\/strong> (super copy \u2014 counterfeit luxury)<\/li>\n<li><strong>\u901a\u8ca9<\/strong> (mail order)<\/li>\n<li><strong>N\u7d1a\u54c1<\/strong> (N-grade \u2014 counterfeit grade designation)<\/li>\n<li><strong>\u30d6\u30e9\u30f3\u30c9<\/strong> (brand)<\/li>\n<li><strong>\u6642\u8a08<\/strong> (watches)<\/li>\n<\/ul>\n<p>If any of these appear in Google search results paired with your domain, you have the Japanese SEO spam hack.<\/p>\n<h2>2. 
How Japanese SEO Spam Differs From the Pharma Hack<\/h2>\n<p>The two are cousins: both are black-hat SEO infections, but the operational details matter for cleanup.<\/p>\n<table>\n<thead>\n<tr>\n<th>Aspect<\/th>\n<th>Japanese SEO spam<\/th>\n<th><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-pharma-hack\/\">Pharma hack<\/a><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Target keyword type<\/strong><\/td>\n<td>Counterfeit luxury goods (Japanese)<\/td>\n<td>Prescription drugs (English)<\/td>\n<\/tr>\n<tr>\n<td><strong>Method<\/strong><\/td>\n<td>Creates new URLs \/ pages<\/td>\n<td>Injects spam into existing pages<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloaking<\/strong><\/td>\n<td>Often serves spam to <em>all<\/em> visitors on spam URLs<\/td>\n<td>Serves spam to Googlebot, clean to humans<\/td>\n<\/tr>\n<tr>\n<td><strong>Search Console signal<\/strong><\/td>\n<td>Hundreds of new URLs in Coverage; often a hijacked Search Console property owner<\/td>\n<td>&#8220;User-generated spam&#8221; or &#8220;thin content&#8221; manual action<\/td>\n<\/tr>\n<tr>\n<td><strong>Sitemap impact<\/strong><\/td>\n<td>Spam URLs injected into your XML sitemap<\/td>\n<td>Sitemap usually untouched<\/td>\n<\/tr>\n<tr>\n<td><strong>Cleanup difference<\/strong><\/td>\n<td>Must serve <strong>410 Gone<\/strong> for thousands of URLs<\/td>\n<td>Mostly removing injected content from existing pages<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The Japanese spam variant is harder to clean because of the sheer URL count \u2014 typical infections add 500 to 50,000 fake pages to your site. You can&#8217;t <code>404<\/code> them one by one; you need an efficient pattern-based response.<\/p>\n<h2>3. 
How to Confirm Your Site Has the Japanese SEO Spam Hack<\/h2>\n<h3>Check 1 \u2014 Direct Google search<\/h3>\n<p>In Google, run:<\/p>\n<pre><code>site:yourdomain.com \u6fc0\u5b89\r\nsite:yourdomain.com \u30b3\u30d4\u30fc\r\nsite:yourdomain.com \u30b9\u30fc\u30d1\u30fc\u30b3\u30d4\u30fc\r\nsite:yourdomain.com \u507d\u7269\r\n<\/code><\/pre>\n<p>If you don&#8217;t read Japanese, also try the romaji:<\/p>\n<pre><code>site:yourdomain.com gekiyasu\r\nsite:yourdomain.com supa kopi\r\n<\/code><\/pre>\n<p>Even one Japanese-language result on your domain is confirmation. Sites are typically infected with hundreds to thousands of these pages, so the actual count is usually much higher than the few that appear on the first SERP.<\/p>\n<h3>Check 2 \u2014 Search Console \u2014 Coverage \/ Pages report<\/h3>\n<ol>\n<li>Open Google Search Console for your property.<\/li>\n<li>Go to <em>Indexing \u2192 Pages<\/em>.<\/li>\n<li>Click into <em>Indexed<\/em> and look at the URL list.<\/li>\n<\/ol>\n<p>If you see URLs you don&#8217;t recognize \u2014 especially under random directories or with parameters you never use \u2014 those are the spam pages. A normal small business site has 20\u2013500 indexed URLs. A Japanese-spam-infected site frequently has 5,000+ indexed URLs out of nowhere.<\/p>\n<h3>Check 3 \u2014 Search Console \u2014 manual actions<\/h3>\n<p>Go to <em>Security &amp; Manual Actions \u2192 Manual actions<\/em>. Common notices for Japanese-spam-infected sites:<\/p>\n<ul>\n<li><strong>User-generated spam<\/strong><\/li>\n<li><strong>Hacked: spam<\/strong><\/li>\n<li><strong>Pure spam<\/strong><\/li>\n<li><strong>Cloaking and\/or sneaky redirects<\/strong><\/li>\n<\/ul>\n<h3>Check 4 \u2014 Search Console \u2014 verified owners<\/h3>\n<p>Go to <em>Settings \u2192 Users and permissions \u2192 Verified owners<\/em>. The Japanese SEO spam attacker often verifies themselves as a property owner so they can submit sitemaps and request indexing on your behalf. 
If you see a verified owner you don&#8217;t recognize \u2014 usually a Gmail address \u2014 that&#8217;s the attacker.<\/p>\n<p>This is one of the most-missed parts of the cleanup. Even after you remove the malware from your server, the attacker still has Search Console access and will reinject the spam.<\/p>\n<h3>Check 5 \u2014 Sitemap inspection<\/h3>\n<p>Visit <code>https:\/\/yourdomain.com\/sitemap.xml<\/code> (or <code>\/sitemap_index.xml<\/code>) directly. Look for URLs you didn&#8217;t create. The Japanese SEO spam family commonly:<\/p>\n<ul>\n<li>Adds a separate sitemap like <code>\/sitemap_japan.xml<\/code> or <code>\/wp-content\/cache\/sitemap.xml<\/code>.<\/li>\n<li>Modifies your existing sitemap to include spam URLs.<\/li>\n<li>Submits its own sitemap directly through the verified-owner Search Console foothold.<\/li>\n<\/ul>\n<h3>Check 6 \u2014 Database scan<\/h3>\n<pre><code class=\"language-sql\">-- Posts containing Japanese characters that you didn't write\r\n-- (CJK Unified Ideographs range U+4E00 to U+9FFF)\r\nSELECT ID, post_title, post_status, post_date, post_type\r\nFROM wp_posts\r\nWHERE post_title REGEXP '[\u4e00-\u9faf]'\r\n   OR post_content REGEXP '[\u4e00-\u9faf]'\r\n   OR post_name REGEXP '[\u4e00-\u9faf]'\r\nORDER BY post_date DESC\r\nLIMIT 100;\r\n<\/code><\/pre>\n<p>If you don&#8217;t run a Japanese-language site, every result here is malicious.<\/p>\n<h2>4. Where the Japanese SEO Spam Malware Hides<\/h2>\n<p>Like the pharma hack, the Japanese SEO spam family uses redundant persistence. Cleaning only the visible symptoms guarantees reinfection.<\/p>\n<h3>Location 1: Spam pages in <code>wp_posts<\/code><\/h3>\n<p>The most visible component. Auto-generated <code>post_type='post'<\/code> or <code>'page'<\/code> records, often with <code>post_status='publish'<\/code> and <code>post_date<\/code> clustered within a single hour. 
Frequently the <code>post_author<\/code> is a hidden admin user the attacker created.<\/p>\n<h3>Location 2: Auto-generated PHP files<\/h3>\n<pre><code class=\"language-bash\"># PHP files in \/wp-content\/uploads\/, cache directories, or unusual locations\r\nfind \/var\/www\/yoursite\/wp-content\/uploads\/ -name \"*.php\"\r\nfind \/var\/www\/yoursite\/ -name \"sitemap*.xml\" -newer \/var\/www\/yoursite\/wp-config.php\r\nfind \/var\/www\/yoursite\/ -name \"*.php\" -newer \/var\/www\/yoursite\/wp-config.php \\\r\n  | grep -vE \"(wp-includes|wp-admin|themes\/[a-z]|plugins\/[a-z])\/\"\r\n<\/code><\/pre>\n<p>Common drops include <code>wp-content\/uploads\/cache\/spam.php<\/code>, <code>news\/index.php<\/code>, <code>wp-content\/cache\/sitemap.xml<\/code>, and <code>wp-content\/uploads\/.spam\/<\/code>.<\/p>\n<h3>Location 3: <code>.htaccess<\/code> rewrite rules<\/h3>\n<p>The Japanese SEO spam often pairs the new URLs with rewrite rules that route them through a single PHP generator:<\/p>\n<pre><code class=\"language-apache\"># Injected at top of .htaccess\r\n&lt;IfModule mod_rewrite.c&gt;\r\nRewriteEngine On\r\nRewriteRule ^news\/.*$ \/wp-content\/uploads\/cache\/sp.php [L]\r\nRewriteRule ^p\/.*\\.html$ \/wp-content\/uploads\/cache\/sp.php [L]\r\nRewriteRule ^cache\/.*$ \/wp-content\/uploads\/cache\/sp.php [L]\r\n&lt;\/IfModule&gt;\r\n<\/code><\/pre>\n<p>Anything routing whole URL patterns to a single file in <code>\/wp-content\/<\/code> is malicious.<\/p>\n<h3>Location 4: Hidden admin user<\/h3>\n<pre><code class=\"language-sql\">SELECT u.ID, u.user_login, u.user_email, u.user_registered\r\nFROM wp_users u\r\nINNER JOIN wp_usermeta m ON u.ID = m.user_id\r\nWHERE m.meta_key = 'wp_capabilities'\r\n  AND m.meta_value LIKE '%administrator%'\r\nORDER BY u.user_registered DESC;\r\n<\/code><\/pre>\n<p>Look for accounts created within the same week the spam appeared. 
The author of the spam posts in <code>wp_posts<\/code> is usually this user.<\/p>\n<h3>Location 5: Verified Search Console owner<\/h3>\n<p>Already covered in Check 4. The attacker verifies via either:<\/p>\n<ul>\n<li>A hidden HTML file at <code>\/google[hash].html<\/code> in your webroot.<\/li>\n<li>A DNS TXT record (less common; rarely seen unless the attacker compromised hosting\/DNS too).<\/li>\n<\/ul>\n<p>Search your webroot for any <code>google*.html<\/code> files you don&#8217;t recognize, and your DNS for unfamiliar <code>TXT<\/code> records starting with <code>google-site-verification=<\/code>.<\/p>\n<h3>Location 6: <code>mu-plugins<\/code> loader<\/h3>\n<pre><code class=\"language-bash\">ls -la \/var\/www\/yoursite\/wp-content\/mu-plugins\/\r\n<\/code><\/pre>\n<p>Most installs have nothing here by default. Anything you don&#8217;t recognize is suspicious.<\/p>\n<h3>Location 7: Encoded payload in <code>wp_options<\/code><\/h3>\n<pre><code class=\"language-sql\">SELECT option_name, LENGTH(option_value) AS size FROM wp_options\r\nWHERE LENGTH(option_value) &gt; 5000\r\n  AND (option_value LIKE '%base64_decode%'\r\n    OR option_value LIKE '%eval(%'\r\n    OR option_value LIKE '%str_rot13%')\r\nORDER BY size DESC LIMIT 20;\r\n<\/code><\/pre>\n<h3>Location 8: Sitemap injection<\/h3>\n<p>Look at every sitemap URL listed at <code>\/robots.txt<\/code> and the root XML sitemap. Any sitemap pointing to <code>\/wp-content\/cache\/<\/code>, <code>\/news\/<\/code>, or directories you don&#8217;t use is malicious.<\/p>\n<h2>5. Step-by-step Removal Protocol<\/h2>\n<p>These steps run in order. Skipping or reordering causes reinfection.<\/p>\n<h3>Step 0 \u2014 Back up the infected state for forensics<\/h3>\n<pre><code class=\"language-bash\">tar -czf infected-files-$(date +%Y%m%d-%H%M).tar.gz \/var\/www\/yoursite\/\r\nmysqldump -u root -p yoursite_db &gt; infected-db-$(date +%Y%m%d-%H%M).sql\r\n<\/code><\/pre>\n<p>Mark clearly as <strong>infected<\/strong>. 
Don&#8217;t restore from it later.<\/p>\n<h3>Step 1 \u2014 Maintenance mode<\/h3>\n<pre><code class=\"language-bash\">wp maintenance-mode activate\r\n<\/code><\/pre>\n<h3>Step 2 \u2014 Revoke the attacker&#8217;s Search Console access first<\/h3>\n<p>Before doing anything to your server, sign in to Google Search Console, go to <em>Settings \u2192 Users and permissions \u2192 Verified owners<\/em>, and remove the unauthorized owner. Then:<\/p>\n<ul>\n<li>Delete the <code>\/google[hash].html<\/code> file from your webroot.<\/li>\n<li>Remove any unauthorized <code>google-site-verification=<\/code> TXT record from your DNS.<\/li>\n<\/ul>\n<p>If you skip this step, the attacker can re-submit your sitemap and reindex spam URLs even after you&#8217;ve cleaned the server.<\/p>\n<h3>Step 3 \u2014 Replace WordPress core, themes, plugins<\/h3>\n<pre><code class=\"language-bash\">cp wp-config.php \/tmp\/wp-config.php.safe\r\ncp -r wp-content\/uploads \/tmp\/uploads.safe\r\n\r\nwp core download --force --skip-content\r\nwp plugin list --field=name | xargs -I {} wp plugin install {} --force\r\nwp theme list --field=name | xargs -I {} wp theme install {} --force\r\n\r\n# Delete every nulled or pirated plugin\/theme\r\n<\/code><\/pre>\n<h3>Step 4 \u2014 Empty the <code>mu-plugins<\/code> directory<\/h3>\n<pre><code class=\"language-bash\">rm -rf \/var\/www\/yoursite\/wp-content\/mu-plugins\/\r\nmkdir \/var\/www\/yoursite\/wp-content\/mu-plugins\/\r\n<\/code><\/pre>\n<h3>Step 5 \u2014 Clean <code>.htaccess<\/code><\/h3>\n<p>Replace with the WordPress default block. Check for any <code>RewriteRule<\/code> lines pointing to <code>\/wp-content\/<\/code> or directories you don&#8217;t use.<\/p>\n<h3>Step 6 \u2014 Delete the spam pages from <code>wp_posts<\/code><\/h3>\n<p>This is the high-volume part. 
Don&#8217;t delete posts containing Japanese characters one by one \u2014 write a single SQL query that captures the spam pattern:<\/p>\n<pre><code class=\"language-sql\">-- Identify what to delete first (always run a SELECT before a DELETE)\r\nSELECT ID, post_title, post_date, post_type\r\nFROM wp_posts\r\nWHERE (post_title REGEXP '[\u4e00-\u9faf]' OR post_content REGEXP '[\u4e00-\u9faf]')\r\n  AND post_author IN (SELECT ID FROM wp_users WHERE user_login IN ('the_rogue_admin'))\r\nLIMIT 200;\r\n\r\n-- Once you've reviewed and confirmed, delete:\r\nDELETE p, pm\r\nFROM wp_posts p\r\nLEFT JOIN wp_postmeta pm ON pm.post_id = p.ID\r\nWHERE (p.post_title REGEXP '[\u4e00-\u9faf]' OR p.post_content REGEXP '[\u4e00-\u9faf]')\r\n  AND p.post_author IN (SELECT ID FROM wp_users WHERE user_login IN ('the_rogue_admin'));\r\n<\/code><\/pre>\n<p>Replace <code>'the_rogue_admin'<\/code> with the actual hidden admin&#8217;s <code>user_login<\/code>. If the spam was attributed to the legitimate admin (rare but possible), use a date filter instead:<\/p>\n<pre><code class=\"language-sql\">DELETE p, pm FROM wp_posts p\r\nLEFT JOIN wp_postmeta pm ON pm.post_id = p.ID\r\nWHERE (p.post_title REGEXP '[\u4e00-\u9faf]' OR p.post_content REGEXP '[\u4e00-\u9faf]')\r\n  AND p.post_date &gt;= '2025-12-01'  -- adjust to when the spam appeared\r\n  AND p.post_status IN ('publish', 'draft', 'private');\r\n<\/code><\/pre>\n<p>After the delete, run:<\/p>\n<pre><code class=\"language-sql\">-- Clean orphaned terms and term_relationships\r\nDELETE FROM wp_term_relationships\r\nWHERE object_id NOT IN (SELECT ID FROM wp_posts);\r\n<\/code><\/pre>\n<h3>Step 7 \u2014 Remove unauthorized admins<\/h3>\n<pre><code class=\"language-sql\">DELETE FROM wp_users WHERE ID = &lt;rogue_id&gt;;\r\nDELETE FROM wp_usermeta WHERE user_id = &lt;rogue_id&gt;;\r\n<\/code><\/pre>\n<h3>Step 8 \u2014 Clean <code>wp_options<\/code><\/h3>\n<pre><code class=\"language-sql\">SELECT option_name, LENGTH(option_value) AS size\r\nFROM 
wp_options\r\nWHERE LENGTH(option_value) &gt; 50000\r\n   OR option_value LIKE '%base64_decode%'\r\n   OR option_value LIKE '%eval(%'\r\nORDER BY size DESC;\r\n<\/code><\/pre>\n<p>Review and delete suspicious entries.<\/p>\n<h3>Step 9 \u2014 Delete the spam files in <code>\/wp-content\/<\/code><\/h3>\n<pre><code class=\"language-bash\"># Files added since the infection began (adjust date)\r\nfind \/var\/www\/yoursite\/wp-content\/ -newer \/tmp\/known-clean-marker -type f \\\r\n  -not -path \"*\/uploads\/[0-9][0-9][0-9][0-9]\/*\"\r\n<\/code><\/pre>\n<p><code>\/wp-content\/uploads\/[year]\/[month]\/<\/code> should contain only your media uploads. Anything else in <code>\/wp-content\/<\/code> outside of plugin and theme directories deserves scrutiny.<\/p>\n<h3>Step 10 \u2014 Return 410 Gone for spam URLs (so Google deindexes them)<\/h3>\n<p>This is the step most cleanup guides skip and it is what makes the difference between a 7-day SEO recovery and a 6-month one.<\/p>\n<p>For a manageable list of spam URLs (under 500), add specific 410 rules to <code>.htaccess<\/code>:<\/p>\n<pre><code class=\"language-apache\"># Force 410 Gone for known spam patterns\r\n&lt;IfModule mod_rewrite.c&gt;\r\nRewriteEngine On\r\nRewriteRule ^news\/.* - [G,L]\r\nRewriteRule ^p\/.* - [G,L]\r\nRewriteRule ^cache\/.* - [G,L]\r\n&lt;\/IfModule&gt;\r\n<\/code><\/pre>\n<p>For larger spam URL counts, route everything matching the spam pattern through a 410 generator:<\/p>\n<pre><code class=\"language-apache\"># Send 410 for any URL that looks like the spam pattern\r\nRewriteCond %{REQUEST_URI} (\u6fc0\u5b89|\u30b3\u30d4\u30fc|\u507d\u7269|\u30b9\u30fc\u30d1\u30fc\u30b3\u30d4\u30fc)\r\nRewriteRule .* - [G,L]\r\n<\/code><\/pre>\n<p>Make sure every spam URL returns <strong>HTTP 410 Gone<\/strong>, not 404 \u2014 Google deindexes 410 about 30% faster than 404.<\/p>\n<p>Verify with <code>curl<\/code>:<\/p>\n<pre><code class=\"language-bash\">curl -I https:\/\/yourdomain.com\/news\/spam-page-slug\r\n# 
Should show: HTTP\/1.1 410 Gone\r\n<\/code><\/pre>\n<h3>Step 11 \u2014 Generate a clean sitemap<\/h3>\n<pre><code class=\"language-bash\"># If you use Yoast or RankMath, they regenerate automatically.\r\n# Otherwise:\r\nwp sitemap generate\r\n<\/code><\/pre>\n<p>Submit the new sitemap in Search Console (<em>Indexing \u2192 Sitemaps<\/em>).<\/p>\n<h3>Step 12 \u2014 Rotate every credential<\/h3>\n<p>Same as the pharma and redirect hack guides \u2014 WordPress passwords, database password, SFTP\/SSH, hosting control panel, and <code>wp-config.php<\/code> salts. Use:<\/p>\n<pre><code class=\"language-bash\">wp user list --field=ID | xargs -I {} wp user reset-password {}\r\ncurl https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\r\n<\/code><\/pre>\n<h3>Step 13 \u2014 Verify the cleanup<\/h3>\n<pre><code class=\"language-bash\"># Should return zero\r\ngrep -rEln \"eval\\s*\\(|base64_decode|str_rot13\" \/var\/www\/yoursite\/ \\\r\n  | grep -vE \"(wp-includes|vendor|node_modules)\/\"\r\nfind \/var\/www\/yoursite\/wp-content\/uploads\/ -name \"*.php\"\r\n\r\n# Verify spam URLs return 410\r\nfor url in \/news\/test \/p\/test \/cache\/test; do\r\n  echo \"$url: $(curl -s -o \/dev\/null -w '%{http_code}' https:\/\/yourdomain.com$url)\"\r\ndone\r\n<\/code><\/pre>\n<h3>Step 14 \u2014 Remove maintenance mode<\/h3>\n<pre><code class=\"language-bash\">wp maintenance-mode deactivate\r\n<\/code><\/pre>\n<h2>6. Cleaning Google&#8217;s Index of the Spam URLs<\/h2>\n<p>Removing the malware doesn&#8217;t remove the spam from Google. You have to push Google to recrawl and deindex.<\/p>\n<h3>Step 1 \u2014 Submit the new clean sitemap<\/h3>\n<p>Already done in Step 11 above. This tells Google what the real URL set is.<\/p>\n<h3>Step 2 \u2014 Use the URL Removals tool for top spam URLs<\/h3>\n<p>In Search Console, go to <em>Indexing \u2192 Removals \u2192 New request<\/em>. For each highest-impact spam URL (your top 10\u201350), submit a temporary removal. 
This hides the URL from Google&#8217;s results immediately while the 410 propagates.<\/p>\n<h3>Step 3 \u2014 Submit a reconsideration request (if you have a manual action)<\/h3>\n<p>Go to <em>Security &amp; Manual Actions \u2192 Manual actions \u2192 Request review<\/em>. In the request, describe:<\/p>\n<ul>\n<li>The infection (Japanese SEO spam).<\/li>\n<li>The cleanup steps (paraphrase steps 2\u201313).<\/li>\n<li>The fact that all spam URLs now return 410 Gone.<\/li>\n<li>The prevention measures now in place.<\/li>\n<\/ul>\n<p>Reviews take 7\u201314 days for Japanese SEO spam, longer than for pharma because of the URL volume Google has to recrawl.<\/p>\n<h3>Step 4 \u2014 Track recovery<\/h3>\n<p>In the Search Console <em>Performance<\/em> report, watch:<\/p>\n<ul>\n<li>Spam keyword impressions (<code>\u6fc0\u5b89<\/code>, <code>\u30b3\u30d4\u30fc<\/code>, etc.) drop to zero \u2014 typically within 14\u201330 days.<\/li>\n<li>Total indexed URL count drops back to your real number \u2014 typically within 30\u201390 days.<\/li>\n<li>Your real keyword impressions recover \u2014 typically within 30\u201390 days.<\/li>\n<\/ul>\n<p>For sites with 10,000+ spam URLs indexed, full recovery can take 3\u20136 months.<\/p>\n<h2>7. How to Prevent Reinfection<\/h2>\n<p>Japanese SEO spam infections recur in roughly 50% of sites within 30 days of cleanup if prevention isn&#8217;t in place. The recurring failure modes:<\/p>\n<h3>1. The original entry point wasn&#8217;t closed<\/h3>\n<p>Same as every WordPress hack: if the vulnerable plugin or theme remained, attackers re-enter and rebuild. Audit:<\/p>\n<ul>\n<li>All plugins in WPScan&#8217;s <a href=\"https:\/\/wpscan.com\/plugins\/\">vulnerability database<\/a>.<\/li>\n<li>Page-builder plugins (Elementor add-ons, WPBakery extensions) which have been a top entry vector for Japanese SEO spam in 2024\u20132026.<\/li>\n<li>Form plugins and &#8220;shortcode injector&#8221; plugins.<\/li>\n<\/ul>\n<h3>2. 
The Search Console verified-owner foothold remained<\/h3>\n<p>If you didn&#8217;t revoke the attacker&#8217;s verified ownership in Search Console, they can re-submit a sitemap and reindex spam without ever touching your server. This is the reinfection vector that surprises most cleanup teams.<\/p>\n<h3>3. The 410 responses weren&#8217;t actually 410<\/h3>\n<p>Sometimes a host or CDN config converts 410 into a soft 200 with empty content. Google never deindexes those. Always verify with <code>curl -I<\/code>.<\/p>\n<h3>4. No virtual patching for the next zero-day<\/h3>\n<p>Same problem as every other WordPress malware family. Virtual patching at the WAF blocks exploitation before the official plugin patch arrives.<\/p>\n<h3>A Prevention Checklist<\/h3>\n<ul>\n<li>Server-side malware scanning (outside the WordPress PHP process).<\/li>\n<li>WAF with virtual patching for top plugin CVEs.<\/li>\n<li>2FA enforced on every admin.<\/li>\n<li>Search Console verified-owner list reviewed quarterly.<\/li>\n<li>PHP execution disabled in <code>\/wp-content\/uploads\/<\/code>.<\/li>\n<li><code>DISALLOW_FILE_EDIT<\/code> and <code>DISALLOW_FILE_MODS<\/code> in <code>wp-config.php<\/code>.<\/li>\n<li>Post creation rate-limited (no legitimate site creates 1,000 posts in an hour).<\/li>\n<li>Daily off-server backups, restored quarterly to verify.<\/li>\n<li>Database scanning enabled.<\/li>\n<li>Hidden-admin-user detection enabled.<\/li>\n<li>Quarterly plugin\/theme audit.<\/li>\n<\/ul>\n<p>GuardianGaze&#8217;s server-side scanning catches the database-resident half of Japanese SEO spam that file-based plugins miss, and its WAF blocks the most common exploitation patterns before they reach WordPress. <a href=\"https:\/\/wordpress.org\/plugins\/guardian-gaze\/\">Get the free plugin<\/a> to start, or <a href=\"https:\/\/www.guardiangaze.com\/subscription\/\">see paid plans<\/a> for virtual patching.<\/p>\n<h2>8. 
Frequently Asked Questions<\/h2>\n<p><strong>Why is my WordPress site showing Japanese characters in Google search results?<\/strong><\/p>\n<p>Your site has the Japanese SEO spam hack \u2014 attackers have created auto-generated Japanese-language pages on your domain to monetize counterfeit-goods traffic. Visit any spam URL directly and you&#8217;ll see the page content; in your WordPress admin you&#8217;ll find new posts you didn&#8217;t create.<\/p>\n<p><strong>Will deleting the spam pages remove them from Google?<\/strong><\/p>\n<p>Eventually, but slowly. Deletion produces 404s, which Google deindexes after multiple recrawls (often 4\u20138 weeks). Returning <strong>410 Gone<\/strong> instead deindexes about 30% faster. Combined with the Search Console URL Removals tool for top URLs, you can clear the most damaging URLs from search results within a week.<\/p>\n<p><strong>Why do I see new Japanese pages even after cleaning my server?<\/strong><\/p>\n<p>Two common reasons. First: the attacker is still verified as a Search Console owner and is re-submitting sitemaps. Revoke that access immediately. Second: a database loader you missed is regenerating the pages every time WP-Cron runs. Check <code>wp_options<\/code> for encoded payloads and review every scheduled cron event.<\/p>\n<p><strong>Can a security plugin detect Japanese SEO spam?<\/strong><\/p>\n<p>Most plugins detect the file-resident parts (the rewrite rules in <code>.htaccess<\/code>, the PHP generator file in <code>\/wp-content\/uploads\/<\/code>) but miss the database half \u2014 the auto-generated posts in <code>wp_posts<\/code>, the loader in <code>wp_options<\/code>, and the hidden admin user. Plugins running inside the WordPress PHP process can also be tampered with by sophisticated variants of this malware. 
Server-side scanning that runs outside WordPress is more reliable.<\/p>\n<p><strong>How did the Japanese SEO spam get on my site?<\/strong><\/p>\n<p>The most common 2024\u20132026 entry vectors: an outdated page-builder plugin or add-on (40%), an outdated form plugin (20%), a nulled or pirated premium plugin\/theme (20%), a brute-forced admin password (10%), and shared-hosting cross-contamination (10%).<\/p>\n<p><strong>Why does the Japanese SEO spam target my site if I&#8217;m not in Japan?<\/strong><\/p>\n<p>Counterfeit-goods spam targets Japanese-speaking buyers regardless of where the <em>host<\/em> site is. Attackers prefer compromised non-Japanese sites because they have established Google trust and rank well in international SERPs. Your domain is just a doorway; the actual buyer-facing storefront is hosted elsewhere.<\/p>\n<p><strong>Should I disavow the spam URLs in Search Console?<\/strong><\/p>\n<p>No. Disavow is for backlinks pointing <strong>at<\/strong> your site. The Japanese SEO spam URLs <strong>are<\/strong> on your site, so they deindex when you delete them and serve 410. Don&#8217;t waste time on disavow files for this.<\/p>\n<p><strong>My site still ranks for Japanese keywords months after cleanup. Why?<\/strong><\/p>\n<p>Two possibilities. Either some spam URLs are still returning 200 instead of 410 (verify with <code>curl -I<\/code> for a few suspect URLs), or Google hasn&#8217;t recrawled them yet. 
Submit a fresh sitemap, use the URL Removals tool, and use <em>URL Inspection \u2192 Request indexing<\/em> on your most important real pages to push Google to recrawl your domain in general.<\/p>\n<h2>Continue Reading<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-pharma-hack\/\">WordPress Pharma Hack: Detection, Removal &amp; Prevention<\/a> \u2014 the cousin black-hat SEO infection.<\/li>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-redirect-hack\/\">WordPress Redirect Hack: Detection &amp; Removal Guide<\/a> \u2014 for sites with redirect-based variants.<\/li>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-hacked-signs-and-fix\/\">Website Hacked? 17 Signs Your WordPress Site Is Compromised<\/a> \u2014 early-warning checklist.<\/li>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-malware-removal-2026-complete-detection-removal-protocols\/\">WordPress Malware Removal 2026: Complete Detection &amp; Removal Protocols<\/a> \u2014 the broader playbook.<\/li>\n<\/ul>\n<p><strong>Stop the next Japanese SEO spam infection at the door.<\/strong> GuardianGaze&#8217;s server-side scanning catches database-resident malware that ordinary plugins miss, and its WAF blocks the exploitation patterns these campaigns rely on. <a href=\"https:\/\/wordpress.org\/plugins\/guardian-gaze\/\">Install the free plugin<\/a> or <a href=\"https:\/\/www.guardiangaze.com\/subscription\/\">see paid plans<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Japanese SEO spam hack (also called the Japanese keyword hack) injects thousands of auto-generated Japanese-language pages into your WordPress site. 
The&hellip;<\/p>\n","protected":false},"author":1,"featured_media":118,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/comments?post=115"}],"version-history":[{"count":2,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/115\/revisions"}],"predecessor-version":[{"id":117,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/115\/revisions\/117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/media\/118"}],"wp:attachment":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/media?parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/categories?post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/tags?post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}