You search for your own website on Google. But instead of your English (or local language) description, you see strange Japanese characters.
You click the link, and it takes you to a store selling fake luxury bags or illegal medicine.
This is the Japanese Keyword Hack (also known as the “Japanese SEO Spam”).
It is one of the nastiest hacks in 2026. It doesn’t just break your site; it hijacks your reputation. Hackers use your server to create thousands of fake pages, tricking Google into ranking them. Even after you clean the virus, these pages can stay in Google for months if you don’t fix it properly.
In this guide, we will show you how to remove the infection and—most importantly—how to scrub these fake results from Google fast.
How the Hack Works
This hack is tricky. It uses a technique called Cloaking.
When YOU visit: The site looks normal. You log in, check your posts, and everything seems fine.
When GOOGLE visits: The virus detects the “Googlebot.” It swaps your content for Japanese spam text.
This is why you can’t find the text by just “editing your posts.” The text isn’t in your posts. It is being generated on the fly by a hidden script deep in your server.
Check your site: Type site:yourdomain.com into Google.
Do you see pages you didn’t create?
Do you see Japanese characters? If yes, you are infected.
Cleaning the Infection (File & Database)
We need to kill the engine that is generating these pages.
Step 1: Check the wp-config.php File
Hackers love this file. It controls your database connection.
Connect via FTP (FileZilla).
Open
wp-config.php.Look for strange “include” lines at the top or bottom that reference random files like
.icoor hidden PHP files.Compare it to a clean version (you can find the default code on WordPress.org). Remove the junk code.
Step 2: Replace Core Files
Because this hack hides deep in your system, the safest fix is to replace your core files.
Download a fresh copy of WordPress.
Delete
wp-adminandwp-includesfrom your server.Upload the fresh copies from your computer.
Tip: This ensures no “backdoors” are hiding in your system folders disguised as legitimate files.
Step 3: Find the “Sitemap” Generator
This is the secret weapon of the Japanese Hack. It creates a fake sitemap.xml to feed Google thousands of spam links.
Check your root folder (public_html).
Look for files like
sitemap.xml,sitemap_index.xml, or strange names like123.php.If you didn’t generate them (via Yoast or RankMath), delete them.
Check your
robots.txtfile. Hackers often modify it to point Google to their fake sitemap.
Step 4: Scan the wp-content/uploads Folder
Hackers hide scripts here because it is a writable folder.
Look for any file ending in
.phpinside your uploads folder.Rule: There should be NO PHP files in
wp-content/uploads. Only images (.jpg, .png, .pdf). Delete any PHP file you find there.
Cleaning the Database
Sometimes the hack injects users into your database.
Log in to your Dashboard.
Go to Users > All Users.
Do you see “Administrator” accounts you don’t recognize? (e.g.,
admin123,x7z_manager).Delete them immediately.
Fixing Google (The Hard Part)
You cleaned the files. But Google still shows Japanese results. Why?
Because Google has “Indexed” those thousands of fake pages. We need to tell Google they are gone.
Step 1: Return “410 Gone”
You need to make sure that if a user clicks a spam link, they see a 404 Not Found (or 410 Gone) error. They must not see your homepage or a redirect.
Test a spam link from Google. Does it show a 404 page on your site?
Yes: Good. Google will eventually remove it.
No: The hack is still active. Go back to Part 2.
Step 2: Use the “Removals” Tool
Log in to Google Search Console.
Go to Removals (on the left menu).
Click New Request.
Select “Remove all URLs with this prefix.”
Type the pattern of the spam files (e.g., if they are all in a folder like
/shop/, enter that).Warning: Be careful. Don’t remove your real content. If the spam URLs are random, you cannot use this bulk tool safely. You just have to wait for Step 3.
Step 3: Resubmit Your Sitemap
Generate a clean sitemap using Yoast SEO or RankMath.
Go to Sitemaps in Search Console.
Submit your new, clean
sitemap_index.xml.This forces Google to re-scan your site and realize the bad pages are gone.
Prevention
This hack usually enters through outdated plugins.
Update Everything: Keeping plugins updated is 90% of security.
Turn off “File Editing”: Add
define( 'DISALLOW_FILE_EDIT', true );to yourwp-config.php.Install Wordfence: The free version detects SEO spam signatures very well.
Conclusion
The Japanese Keyword Hack is terrifying because it attacks your SEO directly.
Recovery Timeline:
Cleaning Files: 1-2 Hours.
Google Recovery: 2-6 Weeks.
You must be patient with Google. As long as your server sends a “404 Error” for the spam links, they will drop out of the search results eventually.
Can’t Find the Cloaking Script? This hack is famous for re-infecting sites if you miss a single file. If the Japanese text comes back tomorrow, the virus is deeper in your server.
Contact Our Malware Removal Team. We specialize in SEO Spam removal. We can clean the infection, secure the backdoors, and handle the Google Search Console cleanup for you.
