The Ultimate Guide to Cleaning the Japanese Keyword Hack from Your WordPress Site

Discovering your website has been hacked is a heart-stopping moment. One minute, you're proud of your online presence; the next, you search for your brand on Google and see a string of Japanese or Chinese characters where your page titles and descriptions should be. The feeling of dread is quickly amplified by confusion and a sense of violation. If this is happening to you, you've been hit by a specific and frustratingly common type of malware known as the "Japanese Keyword Hack" or SEO spam.

Before you panic, take a deep breath. The first thing to know is this: you are not alone, and this is absolutely fixable. The goal of this particular attack is not to delete your site or steal your customers' credit card information. Instead, the attackers are hijacking your website's most valuable asset: its reputation with Google. They create thousands of hidden spam pages on your site filled with their own keywords and links, typically promoting counterfeit goods or illicit products. By leveraging your domain's authority, they can get these spammy pages to rank in search results, a feat they could never accomplish with a brand-new domain.

Cleaning this infection requires a methodical, patient, and thorough approach. It's not enough to just delete a few suspicious files you might find. This type of malware is insidious, weaving itself into the fabric of your website. It can hide in your database, disguise itself within your core WordPress files, and tuck itself away in seemingly innocent plugin and theme folders. Rushing the cleaning process or missing a single step is like leaving a single ember in a dry forest—it will almost certainly flare up again, leading to a frustrating reinfection weeks or months later. This comprehensive guide is designed to be your definitive step-by-step manual for taking back control. We will walk you through every stage, from immediate damage control and deep cleaning to hardening your site and repairing the damage done to your search engine reputation. It's a meticulous process, but by following these steps carefully, you can fully eradicate the infection and build a much stronger, more secure website for the future.

Immediate First Steps: Damage Control and Containment

Before you start digging into files and databases, you need to put out the immediate fires, contain the threat, and prepare for the task ahead. Think of this as first aid for your website. Do not skip these crucial preliminary steps.

1. Contact Your Hosting Provider: Your very first call or support ticket should be to your host. A good provider is your most valuable ally in this situation. Inform them that you've been hacked and suspect the Japanese Keyword Hack. At ENGINYRING, our support team can immediately assist by:
   • Checking Server Logs: We can analyze access logs to identify the IP addresses the attacker used and pinpoint the time the attack occurred. This can provide clues as to how they got in.
   • Scanning for Malware: We can run a server-level malware scan, which can sometimes find malicious files that WordPress-level plugins might miss.
   • Providing Guidance: We can offer advice specific to your hosting environment and help you locate tools like phpMyAdmin and File Manager.
2. Change Your Passwords (The First Time): Assume that the attacker may have your login credentials. You need to lock them out immediately. Change the password for your main hosting account control panel (e.g., DirectAdmin) and any FTP/SFTP accounts you have. This is a critical first containment step. We will change all passwords again after the site is clean, but this initial change can prevent the attacker from doing more damage while you work.
3. Put Your Site into Maintenance Mode: You do not want your valued visitors or Google's crawlers to land on spam-filled pages. This damages your reputation and can cause Google to de-index your legitimate pages. The easiest way to temporarily take your site offline for the public is with a simple maintenance mode plugin.
   • From your WordPress dashboard, go to Plugins > Add New.
   • Search for "WP Maintenance Mode" or "SeedProd". Both are popular and reliable options.
   • Install and activate the plugin. In its settings, you can enable maintenance mode. This will show a friendly, customizable message to your visitors while allowing you, as the logged-in administrator, to see and work on the live site.

The Deep Cleaning Process: A Step-by-Step Guide to Eradication

Now we begin the methodical process of finding and removing every trace of the malware. This requires patience and attention to detail. Follow these steps in the exact order they are presented to ensure a complete cleanup.

Step 1: Create a Full Backup of the Infected Site

This may sound completely counterintuitive. Why would you want a backup of a hacked site? The reason is simple: it's your safety net. The cleaning process involves deleting files and modifying your database. It is possible to make a mistake and delete a critical file that breaks your site entirely. Without a backup, you would have no way to get back to where you started. This backup is a temporary snapshot that allows you to undo any catastrophic errors during the cleanup. Most hosting control panels, including DirectAdmin, have a built-in backup tool. Use it to generate and download a full backup (both files and the database) to your local computer. Once the site is clean, you will delete this infected backup.

Step 2: Scan Your Site with a Security Plugin

A good security scanner is your best friend in this process. It will act as your guide, creating a map of the infection for you to follow. These plugins maintain a database of known malware "signatures" (unique snippets of malicious code) and can also check the integrity of your core WordPress files against the official versions. Two of the best and most reliable options are:

• Wordfence Security: The free version of Wordfence includes a powerful and highly configurable malware scanner.
• Sucuri Security: Sucuri's free plugin also offers a great remote scanner that can quickly identify malware, injected spam, and whether your site has been blacklisted by search engines.

Install one of these plugins from your WordPress dashboard (Plugins > Add New), activate it, and launch a full scan. It's important to set the scan sensitivity to "High" or "Paranoid" to ensure it checks every file. The scan may take some time to complete. When it's done, review the results carefully. It will likely find modified core files, suspicious files in your uploads directory, and potentially malicious code injections in your database. Do not use the automatic "repair" or "delete" functions yet. For now, use this list of flagged files as your roadmap for the following manual steps.

Step 3: Manually Identify and Remove Malicious Files and Folders

Armed with your scan results, it's time to manually inspect your site's files. You can do this using an FTP client like FileZilla or, more easily, the "File Manager" application within your hosting control panel. Pay extra attention to these common hiding spots:

• The `wp-content/uploads` directory: Hackers love this folder. It's where your images and media are stored, and it typically has file permissions that allow new files to be created. They will often hide malicious PHP scripts here, sometimes disguised with names like `cache.php` or with random character names. Look for any file ending in .php, .js, or .ico that is not a legitimate media file you uploaded.
• The `wp-includes` and `wp-admin` directories: These folders contain the core code of WordPress. Hackers often place files with random names (e.g., `ds-123.php`, `tmp.php`) inside these folders, hoping they will blend in with the hundreds of legitimate files.
• Theme and Plugin Folders: Look inside the folders for your themes and plugins (`wp-content/themes/` and `wp-content/plugins/`). Look for any suspicious-looking files that aren't part of the official package you installed.

A very useful trick is to sort the files in these directories by "Last Modified Date." Malicious files will often have a very recent modification date that doesn't align with your own activity or official plugin update dates. Carefully delete any files that you are 100% certain are malicious (based on the scan results and your own investigation). If you are unsure about a file, rename it by adding `.disabled` to the end of the filename. This will deactivate the file without permanently deleting it.

Step 4: Clean the Database of Spam Content

This is the most critical and delicate step for removing the Japanese spam pages. The hack works by programmatically adding thousands of new "posts" to your WordPress database. These aren't visible on your blog, but they are present in the database and are being indexed by Google. You need to remove them directly from the database table.

• Log in to phpMyAdmin from your hosting control panel (e.g., DirectAdmin).
• On the left-hand side, you'll see a list of your databases. Select the one that corresponds to your WordPress installation.
• A list of tables will appear. Find and click on the `wp_posts` table. (Note: your table prefix might be different from `wp_`). This table contains all of your pages, posts, and other content types.
• Click on the "Search" tab at the top of the page. This will open a search interface.
• Scroll down until you find the row for the `post_content` column. In the "Value" field for this row, paste in a small, unique snippet of the Japanese text you saw in the Google search results. Make sure the "Operator" dropdown next to it is set to "LIKE %…%".
• Click the "Go" button at the bottom right. phpMyAdmin will now search the entire table and show you all the rows (posts) that contain that spam text.
• Review the results to be absolutely sure they are all spam and do not include any of your legitimate pages. Once confirmed, you can check the "Select all" box and click the "Delete" link to remove them. You may need to repeat this search process several times with different spammy keywords to find and eliminate all the infected posts. Be extremely careful during this step.

Step 5: Replace WordPress Core Files

You can never fully trust the core files of a hacked website. A sophisticated attacker can modify them in ways that are difficult for scanners to detect. The only way to be 100% certain that your WordPress core is clean is to replace it entirely with fresh, untouched files from the official source.

• Go to the official WordPress.org website and download a fresh ZIP file of the latest version.
• Unzip the file on your local computer.
• Using your FTP client or File Manager, navigate to the root directory of your website on the server.
• Carefully delete the `wp-admin` and `wp-includes` directories from your server.
• Upload the fresh `wp-admin` and `wp-includes` directories from the copy you downloaded to your server.
• Finally, upload the individual files from the root of the fresh WordPress folder (e.g., `index.php`, `wp-login.php`, etc.) to your server's root, choosing to overwrite the existing files when prompted. Crucially, do not delete or overwrite your existing `wp-config.php` file or your entire `wp-content` directory, as these contain your unique settings, themes, plugins, and uploads.

Step 6: Clean and Reinstall All Themes and Plugins

Just like the core files, you must assume that every single one of your themes and plugins has been compromised. Hackers often inject malicious code into these files because they are frequently executed. Do not waste time trying to find the malicious code. The only safe and guaranteed method is to delete everything and reinstall from official sources.

• In your WordPress dashboard, make a list of all the plugins you are actively using.
• Using FTP or File Manager, navigate to the `wp-content/plugins` directory and delete all the folders inside it, except for the security plugin you installed in Step 2.
• Navigate to the `wp-content/themes` directory. Delete all the theme folders except for the current default WordPress theme (e.g., "twentytwentyfour").
• Now, log in to your WordPress admin dashboard. Go to the Plugins and Themes sections. You will see that most are missing. Reinstall your themes and plugins one by one, either from the official WordPress repository or by downloading a fresh copy from the trusted developer's website if it's a premium product.

Step 7: Inspect `wp-config.php` and `.htaccess` Files

These two files in your root directory are powerful configuration files and are therefore prime targets for hackers. Open your `wp-config.php` file and carefully read through it. It should primarily contain your database connection details (name, user, password) and a set of unique authentication keys. If you see any strange, long strings of obfuscated code or unfamiliar functions (like `eval` or `base64_decode`), it is likely malicious. You can compare your file to the `wp-config-sample.php` file from a fresh WordPress download to see what a clean one should look like.

Next, find and delete your `.htaccess` file. Don't worry, this is safe. WordPress will regenerate a clean, default version for you. To do this, simply go to your WordPress admin dashboard, navigate to Settings > Permalinks, and without changing anything, just click the "Save Changes" button. This action will create a fresh, clean `.htaccess` file.

Step 8: Check for Rogue Administrator Users

A common tactic for hackers is to create a hidden administrator user account. This gives them a persistent "backdoor" into your site, allowing them to regain access even after you've changed your own password. In your WordPress dashboard, go to Users > All Users. Carefully review the list of every single user. If you see any user with the "Administrator" role that you do not recognize, hover over their name and click the "Delete" link immediately. WordPress will ask you what to do with their content; you can either delete it or attribute it to your own user account.

Post-Cleaning: Securing Your Site and Repairing the SEO Damage

Once the malware is gone, your work is not finished. Now you must bolt the doors, change the locks, and clean up the mess the intruders left behind in the public eye.

1. Change EVERY Password (Again): Now that your site is confirmed to be clean, it's time to change every single password associated with it. This is a "scorched earth" policy to ensure any potentially compromised credential is now useless. This includes:
   • All WordPress user passwords (especially for administrators).
   • Your database password (this is done in your hosting control panel, and you must then update the new password in your `wp-config.php` file).
   • Your FTP/SFTP account passwords.
   • Your main hosting account password.Use unique, strong, randomly generated passwords for everything.
2. Update Everything and Implement Hardening: Ensure your WordPress core, all of your plugins, and all of your themes are updated to their latest versions. Outdated software is the number one way hackers gain entry. Now is also the time to implement the security measures from our VPS Hardening guide, such as configuring Fail2ban and a proper firewall.
3. Use Google Search Console to Clean Up Search Results: This is essential for fixing the SEO damage. Log in to Google Search Console and verify your site if you haven't already.
   • Submit a new Sitemap: In the Search Console menu, go to "Sitemaps". Enter your sitemap URL (usually `sitemap.xml`) and click "Submit". This tells Google to re-crawl your legitimate pages and helps it discover that the spam pages are gone.
   • Use the Removals Tool: This is a powerful tool for getting spam out of search results quickly. Go to "Removals" > "Temporary Removals" and click "New Request". The hack often creates spam pages in a specific subdirectory (e.g., `yourdomain.com/store/a-bunch-of-spam-pages/`). You can use the "Remove all URLs with this prefix" option to request the removal of an entire spam directory at once. This is a temporary fix (6 months), but it cleans up the public-facing damage while Google re-indexes your site properly.
4. Request a Review from Google: If Google has flagged your site with a security warning in search results, you will see a "Security Issues" report in Search Console. Once you are absolutely certain the site is clean, you can use this report to describe the steps you took to fix the issue and request a review. Google will then re-scan your site, and if it's clean, they will remove the warning.

Conclusion: Building a Stronger, More Resilient Foundation

Cleaning a hacked WordPress site is a stressful and meticulous process, but it is an achievable one. By following these steps methodically, you can successfully remove the Japanese Keyword Hack and reclaim your website. More importantly, this experience serves as a critical lesson in the importance of proactive security. A secure website is not a one-time fix; it's the result of good habits, regular maintenance, and building on a solid foundation. The best way to deal with a hack is to prevent it from ever happening in the first place.

The security of your website starts with the security of your hosting environment. At ENGINYRING, we provide a secure and optimized foundation for your projects, but security is a shared responsibility. We encourage all our clients to follow best practices like using strong passwords, keeping software updated, and implementing security plugins. If this cleaning process seems too daunting, or if you'd rather have an expert handle your website's security and maintenance, our managed hosting solutions can provide you with peace of mind. Contact our team today to learn how we can help you build a more secure and resilient online presence.