How to Identify and Fix the Japanese keyword hack

Last Update: May 21, 2019. Added the How to Remove your Japanese Hacked Pages from Google index Guide

What is a Japanese keyword hack

This is a spam related hack where hackers inject Japanese words in your WordPress site title and description while it manipulates your Google Search Console site property and any submitted sitemaps. The search engine usually ends up choosing the one in the featured picture above. Hackers take advantage of this type of malware by inserting links to other sites into your pages, which are linked to their affiliate id, tricking your visitors and redirecting them to sites selling fake brand merchandise at half of the original price. Every time someone buys a product from those sites, the hacker will receive a commission for the sale.

How to find if your site is infected by the Japanese keyword hack

Step 1: Check Google Search Engine Results

Since this hack is only visible by search engines identifying infected pages in your WordPress website is not an easy task. One way to spot the hack is to run a search query in Google for your domain for example “yourdomain.com” or “site:yourdomain.com” and see if the results display any Japanese words in your site title and description.

Step 2: Check your Google Search Engine Console for malware penalties

Most of our clients who ask us to clean their hacked WordPress site found out about the Japanese hack after receiving a warning in their Google Search Console account, similar to the one found below:

“Google has detected that your site has been hacked by a third party who created malicious, unexpected or harmful content on some of your pages. This issue affects your site’s reputation by showing the hacked content on your site or in search results. We recommend you remove the hacked content from your site as soon as possible. Once removed, our system will automatically reflect these changes as we update our index.
Following are some example URLs. Review them to gain a better sense of where this hacked content appears, and how it may have been placed on your website. The list is not exhaustive.“

Even if you never received any such message you need to visit the Security Issues Page withing your GSC and see if there is any warning present.

Step 3: Check for URL cloaking

In the previous Step, we asked you to check Google’s search engine results for your domain, if you followed any of those spammy links from your site and got redirected to your site 404 default page then you need to make sure this link isn’t cloaked. URL cloaking shows a different version of your page to the search engines and real human visitors. This way you will see that your site contains the Japanese hack in Google’s search engine results but if you try and visit that page you will be redirected to a not found page. Once more you can use Google Search Console and it’s “Fetch as Google” tool which lets you see if the requested URL is cloaked or not.

If you ever find yourself in this position then you must clean your site as soon as possible because Google will blacklist your website and your site visitors won’t be able to find it in Google’s search engine results nor visit it through their Chrome browsers. The longer you leave the hack in your website the bigger the damage.

How to clean the WordPress Japanese keyword hack

Considering that your hosting provider can’t help you in removing the Japanese spam malware, then you need to take action and remove the hack by cleaning your WordPress website. Below we’re attaching a simple guide which can help you spot and remove such malware. Keep in mind, though, that if you’re not experienced enough in malware cleanups you may not be able to fully clean your WordPress site.

Step 1: Create a backup of your site and archive it by compressing it

Use your hosting panel and create a backup of your live site, make sure the backup file is compressed(for example a zip file) so malware can’t start infecting the site again once its clean.

Step 2: Check your Google Search Engine Console

Log into your Google Search Engine Console and navigate to the sitemaps page, delete any sitemap which wasn’t submitted by you. You also need to take a look at the users who have access to this site property and remove any Owners or Users not created by you.

Step 3: Clean your .htaccess file

Use your Hosting Panel File Manager or an FTP client like Filezilla and browse to your WordPress site root directory. In there you should see a file under the name .htaccess, access it and see if there are any weird rules present. If you’re not experienced in working with .htaccess then delete it and create a new one using the same name. Then add the default WordPress htaccess rules and save it.

Step 4: Copy your WordPress configuration database connection strings

Another important file that hackers like to target and inject malware is your WordPress configuration file: wp-config.php. Experienced WordPress users can browse its contents and delete those who don’t seem to belong to wp-config.php default contents. If you don’t want mess with editing this important WordPress file then I suggest to copy your WordPress database connection strings and paste them inside the wp-config-sample.php replacing the default ones. Then go and delete wp-config.php file and rename wp-config-sample.php to wp-config.php.

Step 5: Replace your WordPress core files

Best and safest way for cleaning a hack or malware infection is to delete all of your site files and re-upload them freshly downloaded from WordPress.org. After writing down the WordPress version your site is using, delete all WordPress root core files and WordPress core directories. Then download the WordPress version your site was using from WordPress.org and upload all files and dirs your deleted.

Step 6: Replace all of your WordPress themes and plugins

In this step, you will repeat the replacement process of all your WordPress themes and plugins. You first need to write down all their names and versions, then download them from WordPress.org or any other site you first found them. Finally, delete all current theme and plugin dirs and upload the ones you just downloaded. You should also replace your wp-content/index.php file with the default one.

Step 7: Check your uploads dir

Browse your wp-content/uploads directory for any .php, .js and .ico files. Whenever you find one check if it has a weird file name and if its creation date was a recent one, also check its content for weird characters and strings like “base64_decode, rot13, eval, strrev, gzinflate“. If you find any such file then delete it. Keep in mind that your media files directories under wp-content/upload shouldn’t contain any .php, .js or .ico files so if you find any delete them right away.

Step 8: Ask Google to re-examine your site

Once finished I suggest you monitor any files changes made in your site for the next day, then audit them, and if they seem legit ask Google from your Search Console to re-consider your site. After a few days, they will send you a reply and hopefully whitelist your site again.

How to Remove your Japanese Hacked Pages from Google index

Most of the times a WordPress site infected by the Japanese Spam Malware has already a ton of those hacked pages indexed by Google. Even though your WordPress site is now clean you still need to wait for Google to drop those hacked pages. If you don’t want to wait and put in risk your site and brand reputation you should proceed and ask Google to remove the hacked pages URLs using their URL Removal Tool under your Google Search Console.

Cleaning so many WordPress sites infected with the Japanese Spam Hack we have created a specific procedure for you to follow in order to ask Google to de-index and remove your Japanese hacked pages. Even though this is a simple procedure you need to be very careful so you won’t end up removing all of your website pages from Google’s index.

1. Remove Hacked Pages from Google Manually

Step 1: Search Google for your site indexed pages by using site:yoursite.com

Step 2: Browse all of the search results and write down all the Japanese hacked page URLs into a CSV file

Step 3: Log into your Google Search Console and visit the URL Removal Tool page

Step 4: Submit each of those Japanese spam pages into the Remove outdated content tool and request for the removal

If your spam indexed pages contain “index.php” as a part of their permalink then you need to submit its URLs twice with and without the index.php.

Google only needs a few hours in order to start removing the submitted URLs.

2. Remove Hacked Pages from Google Automatically

If your hacked WordPress site has more Japanese spam pages indexed by Google than what you can handle then we suggest taking a look at our automated spam page removal guide which is found below. This guide should be followed carefully because any wrong move may risk your site SEO efforts.

If you don’t feel comfortable using this guide and you still need to remove your Japanese hacked pages from Google’s search results then we suggest taking a look at our own Malware Removal Services for WordPress sites.

Step 1: Visit your Google Search Console Coverage Report

Step 2: Select the Valid Pages option

Step 3: Visit the Indexed, not submitted in sitemap Page and request to download a list of those URLs as a CSV file

Step 4: Duplicate the CSV file and strip the “index.php” permalink for each and any of the URLs which contains it

So now you should have two CSV files, the first one will be the default CSV as downloaded from your Google Console while the second one will be the same but without the index.php permalink for each URL.

This is necessary because even though Google has indexed the Japanese Hacked page using the index.php, for example, https://yoursite.com/index.php/hd5jhuyuiy/9h_jgfd-swkj if you visit that page(and bypass your antivirus warning) then you’ll be redirected to a similar page but without the index.php in its permalink, for example, https://yoursite.com/hd5jhuyuiy/9h_jgfd-swkj. This means that you must ask Google to remove both the indexed spam page and its redirect.

Step 5: Download and install Bulk URL Removal Extension for Google Chrome

There is a neat Google Chrome extension in Github for removing Google Search Index outdated content in bulk which will help you automate the removal process. You need to manually install this extension while using the Developer Chrome mode, if that sounds Japanese to you then follow our screencast below:

Step 6: Load the CSV file into Google’s Content Removal Tool

While logged into your Google Search Console visit the Removal Outdated Content Page and use the “Upload your file” option which has been added after installing the Bulk Content Removal Extention in order to upload the CSV with your “indexed, not submitted in sitemap” URL list. Make sure to run the procedure twice, once for each CSV file.

Once the CSV has been submitted the extension will automatically start submitting the listed URLs.

Each URL submission will be analyzed and requested for removal automatically.

if the submission succeeds then you will receive a notice like the one shown below:

If one of the listed URLs for removal has been already submitted then a warning will pop up, you can bypass it by selecting the “Cancel” option. In this case the extension will continue submitting the next URL in the list.

Notice:

This tutorial should be followed carefully or else your site may have loading issues. Be aware, however, that cleaning malware through a tutorial may not lead success all of the time since there are many other things which can’t be displayed in a tutorial to consider when cleaning a WordPress site. If you don’t feel comfortable in your ability to clean your WordPress site, then feel free to request a quote from us for the removal of the Japanese keyword hack from your WordPress site.

Infected with Pharma Hack?

If your WordPress site was infected with the Pharma Hack Spam Malware then we suggest to take a look at our recent guide on how to Detect, Clean And Secure Your WordPress Site From The Pharma Hack.