Japanese Keyword Hack on WordPress: How Hackers Hijack Your SEO and You Don't Even Know

You search your own domain on Google and see pages you never created. The titles are in Japanese. The descriptions advertise handbags and watches. And somehow, these pages are indexed under your domain name.

Your site looks fine. Google tells a different story.

Log into WordPress. Check your pages. Check your posts. Everything is exactly as you left it. Your homepage loads correctly. Your contact form works. Your blog posts are intact. There is absolutely no sign that anything is wrong.

Now open Google and type site:yourdomain.com. Scroll past your normal pages. And then you see them. Hundreds — sometimes thousands — of pages you never created. The titles are in Japanese. The URLs contain random strings or are nested deep in subdirectories you did not create. The descriptions reference counterfeit designer goods, gambling sites, or pharmaceutical spam.

This is the Japanese keyword hack. And it is one of the most damaging attacks a WordPress site can suffer, because it specifically targets the one thing you cannot easily monitor from inside your own dashboard: how your site appears in search results.

The hacker is not interested in your site itself. They do not want your data, your customer list, or your content. They want your domain authority. They are using the trust that Google places in your domain to rank their spam pages. Every day those pages stay indexed, your domain reputation takes damage. And you have no idea it is happening.

How the Japanese keyword hack actually works

This is not a simple defacement where someone replaces your homepage with a message. The Japanese keyword hack is sophisticated, deliberate, and designed to stay hidden for as long as possible.

Stage 1: Getting in

The attackers need a way into your WordPress installation. The most common entry points are:

  • Vulnerable plugins: Plugins with known security vulnerabilities that have not been patched. The attacker scans thousands of sites for specific plugin versions with known exploits. If you are running an outdated version of a popular plugin, your site is a target.
  • Weak passwords: Brute-force attacks against wp-login.php using common passwords. If your admin password is "admin123" or "password1" or your business name followed by a year, automated tools will crack it in minutes.
  • Vulnerable themes: Themes from untrusted sources — especially nulled (pirated) premium themes — often contain built-in backdoors. The theme works fine, but it also gives the attacker remote access to your file system.
  • Compromised hosting accounts: If another site on the same shared hosting is compromised, the attacker can sometimes pivot to your site through shared server resources.

Stage 2: Installing the payload

Once inside, the attacker does not modify your existing pages. Instead, they:

  • Add themselves as a hidden admin user (often with a legitimate-looking username)
  • Install PHP backdoor files in locations you rarely check — deep inside /wp-includes/, /wp-content/uploads/, or disguised as legitimate plugin files
  • Modify your .htaccess file to create URL rewrite rules that serve spam content for specific URL patterns
  • Generate a sitemap containing thousands of spam URLs and submit it to Google Search Console (if they also gained Search Console access through a verification file or meta tag)

Stage 3: Cloaking — why you cannot see it

This is the key to the hack's longevity. The injected code checks who is making the request before deciding what to show:

  • If the visitor is a search engine crawler (identified by user agent string) — serve the Japanese spam content
  • If the visitor is a logged-in WordPress admin — serve the normal page, as if nothing is wrong
  • If the visitor is a regular user — sometimes serve a redirect to a spam store, sometimes serve the normal page

This cloaking means you can browse your entire site, logged in as admin, and see nothing unusual. Your pages look normal. Your posts look normal. The spam content only appears when Google's crawler visits — which is exactly why it ends up in search results but not in your browser.
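One way to test for this cloaking from outside your own site, as an added example that is not part of the original article: fetch the same URL with a browser user agent and a crawler user agent, then compare how many Japanese characters each response contains. The user-agent strings, the threshold of 10 characters and the sample responses are assumptions made for the illustration.

```python
import html
import re
import sys
import urllib.request

# Hiragana, Katakana and CJK ideographs: scripts an English-only site should not serve.
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")
# Assumed user-agent strings for the two requests.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def fetch(url, user_agent, timeout=10):
    """Fetch a page from your own site while presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")

def japanese_chars(body):
    """Count Japanese characters, decoding HTML entities such as &#28608; first."""
    return len(JAPANESE.findall(html.unescape(body)))

def compare(browser_body, crawler_body, threshold=10):
    """Classify a pair of responses for one URL."""
    b, c = japanese_chars(browser_body), japanese_chars(crawler_body)
    if b >= threshold:
        verdict = "injected"   # spam is visible to ordinary visitors as well
    elif c >= threshold:
        verdict = "cloaked"    # spam is served only to the crawler user agent
    else:
        verdict = "clean"
    return {"browser": b, "crawler": c, "verdict": verdict}

# Constructed sample responses, not captured from a real site.
SAMPLE_NORMAL = "<title>Acme Plumbing</title><p>Call us today.</p>"
SAMPLE_SPAM = "<title>激安ブランド財布 通販</title><p>人気の腕時計を格安で販売しています</p>"

if __name__ == "__main__":
    print(compare(SAMPLE_NORMAL, SAMPLE_SPAM))
    for url in sys.argv[1:]:
        print(url, compare(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA)))
```

A "clean" verdict does not rule out infection: injected code that also checks the requester's IP address will not respond to a changed user agent, so combine this with the site: search and Search Console checks.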

The attackers know that most WordPress site owners never search site:theirdomain.com on Google. They know most site owners do not regularly check Google Search Console. And they know that by the time the hack is discovered, it has often been running for weeks or months.

The real damage: it is not just spam pages

The visible damage is thousands of spam pages indexed under your domain. But the deeper damage is to your domain's reputation.

Google penalises your entire domain. When Google detects spam content on your site — and it will eventually — it can apply a manual action that suppresses all of your pages in search results. Not just the spam pages. Your legitimate blog posts, your product pages, your homepage — everything drops. Recovering from a manual action takes weeks even after you have cleaned the hack and submitted a reconsideration request.

Your brand reputation takes a hit. A potential customer searches your business name and sees Japanese spam in the results alongside your real pages. They do not know what a Japanese keyword hack is. They just think your site is dodgy, unprofessional, or compromised. And they are right about the last part.

Backdoors persist after cleaning. The attacker almost certainly installed multiple backdoors. If you clean the visible spam but miss a single backdoor file, they get back in within days and the whole cycle starts again. This is why thorough cleaning is critical, and why monitoring for reinfection is just as important as the initial cleanup.

How to check if your site is infected right now

Google site: search

Open Google and search for site:yourdomain.com. Look through all the results. If you see pages with Japanese characters (or any language you do not publish in), your site is compromised. Also try site:yourdomain.com intitle:cheap or site:yourdomain.com intitle:buy — common words used in the spam pages.

Google Search Console

Log into Google Search Console and check:

  • The Coverage report for a sudden spike in indexed pages
  • The Performance report for impressions on queries you did not target (especially Japanese queries)
  • The Security Issues section for any manual actions or detected hacks
  • The Sitemaps section for sitemaps you did not submit

File system inspection

Connect via SSH or FTP and look for recently modified files. Run find /path/to/wordpress -name "*.php" -mtime -7 to find PHP files modified in the last seven days. Look for files with suspicious names in /wp-includes/ and /wp-content/uploads/. Open suspicious files and search for base64_decode, eval(, gzinflate, and str_rot13 — these are common obfuscation techniques used in malware.

Check your .htaccess

Download your .htaccess file and review it line by line. The hack typically adds rewrite rules that intercept requests from search engine crawlers and serve spam content. If you see rules referencing user agents like Googlebot, or conditions that check the HTTP referer for search engine domains, those are almost certainly part of the hack.
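The file system and .htaccess checks above can be combined into one triage pass. This added example (not from the original article) walks a WordPress root and reports PHP files under uploads, the obfuscation markers listed above, and rewrite conditions keyed on crawler user agents or search-engine referers. The `make_sample_tree` helper and its file names are constructed for the illustration.

```python
import os
import re
import sys

# Obfuscation markers named in the text above.
MARKERS = re.compile(rb"base64_decode|eval\(|gzinflate|str_rot13")
# Rewrite conditions keyed on crawler user agents or search-engine referers.
CRAWLER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}.*(bot|google|bing|yahoo)",
    re.IGNORECASE)

def scan(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CRAWLER_COND.search(line):
                            findings.append((rel, f"crawler-specific rewrite, line {lineno}"))
            elif name.lower().endswith(".php"):
                if rel.startswith("wp-content/uploads/"):
                    findings.append((rel, "PHP file in uploads"))
                with open(path, "rb") as fh:
                    hits = sorted({m.group().decode() for m in MARKERS.finditer(fh.read())})
                if hits:
                    findings.append((rel, "markers: " + ", ".join(hits)))
    return sorted(findings)

def make_sample_tree(root):
    """Write a small constructed tree (harmless, not real malware) to try the scanner on."""
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\n",
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/uploads/2024/cache.php": '<?php eval(base64_decode("ZWNobyAxOw=="));\n',
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    for rel, reason in scan(sys.argv[1]):
        print(f"{rel}: {reason}")
```

Treat the output as a list of files to open and read, not a verdict: legitimate plugins also call `base64_decode`, and a backdoor can avoid all four markers.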

How to clean the Japanese keyword hack

Cleaning this hack requires thoroughness. Miss one backdoor and the attacker returns within days. Follow every step.

Step 1: Take a full backup first

Before you change anything, back up your entire site — files and database. If something goes wrong during cleaning, you need to be able to restore. Store the backup off-server.

Step 2: Remove unknown admin users

Go to Users in wp-admin and look for any admin accounts you do not recognise. The attacker often creates an account with a normal-looking username. Delete any user you did not create. Also check the database directly — query the wp_users and wp_usermeta tables for users with the administrator role.

Step 3: Remove backdoor files

Search your file system for recently modified or suspicious PHP files. Common locations for backdoors include /wp-includes/ (look for files that do not belong in a standard WordPress installation), /wp-content/uploads/ (PHP files should never be in the uploads directory), and inside plugin directories (extra files that are not part of the original plugin). Delete or replace any modified core files with fresh copies from wordpress.org.

Step 4: Clean your .htaccess

Replace your .htaccess with the default WordPress rules. If you had custom rules (caching, security, redirects), add them back one at a time, verifying each one is legitimate.

Step 5: Reset all credentials

Change every password: WordPress admin password, FTP password, database password (and update wp-config.php to match), hosting control panel password. Generate new WordPress security salts from the WordPress salt generator and replace the old ones in wp-config.php. This invalidates all existing sessions.

Step 6: Update everything

Update WordPress core, all plugins, and all themes to the latest versions. Delete any plugins or themes you are not actively using — they are attack surface with no benefit.

Step 7: Clean up in Google Search Console

Submit a clean sitemap. Use the URL Removal tool to request removal of the spam URLs. If you have a manual action, submit a reconsideration request explaining what you found and what you did to fix it. Google's review can take days to weeks. Refer to the Google hacked site documentation for the full reconsideration process.

Step 8: Harden your site

Install a reputable security plugin (Wordfence or Sucuri). Enable two-factor authentication for all admin accounts. Disable the WordPress file editor. Set correct file permissions. Consider a web application firewall. These measures protect against reinfection, and they also help stop the kind of compromise that let the attacker in the first time from happening again.
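To confirm that Step 3 left no modified or extra core files behind, the site can be compared against a clean copy. This added example (not from the original article) hashes `wp-admin` and `wp-includes` on the live site and in a freshly extracted download of the same WordPress version from wordpress.org, and reports every difference. Restricting the comparison to those two directories, and the function names, are choices made for this illustration.

```python
import hashlib
import os
import sys

# Core directories that hold no site-specific files, so they should match a clean copy exactly.
CORE_DIRS = ("wp-admin", "wp-includes")

def file_hash(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under the core directories."""
    manifest = {}
    for core in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core)):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = file_hash(path)
    return manifest

def compare_to_clean(site_root, clean_root):
    """Diff the live site's core directories against a clean copy of the same version."""
    site, clean = build_manifest(site_root), build_manifest(clean_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "unexpected": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

if __name__ == "__main__":
    # Usage: python core_diff.py /path/to/live/site /path/to/clean/wordpress
    report = compare_to_clean(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Anything listed as "modified" or "unexpected" is a candidate for replacement or deletion, and rerunning the comparison on a schedule gives an early signal of reinfection.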

How Uptrue keyword monitoring detects the hack

The Japanese keyword hack is designed to be invisible to site owners. But Uptrue's keyword monitoring can catch the signs that human eyes miss.

Step 1: Monitor for unexpected Japanese characters

  1. Sign up at uptrue.io/signup (free plan available)
  2. Click Add Monitor from your dashboard
  3. Select Keyword as the monitor type
  4. Enter your homepage URL
  5. Set the keyword to common Japanese characters that should never appear on your English-language site
  6. Set the check type to "Page must NOT contain"
  7. Set the check interval to 1 minute
  8. Configure alerts — Slack, email, or Microsoft Teams

While the hack uses cloaking to hide from admins, cloaking is not perfect. It can fail, show partial content to non-crawlers, or leak spam content into page elements like meta tags, sitemaps, or JavaScript-rendered sections. When it does, keyword monitoring catches it.

Step 2: Monitor that your expected content is intact

  1. Add another Keyword monitor for your homepage
  2. Set the keyword to your site name, tagline, or a phrase that always appears on your homepage
  3. Set the check type to "Page must contain"
  4. Set the interval to 1 minute

If the hack modifies your homepage content, replaces your meta tags, or breaks your page in any way, this monitor detects the change. It is a safety net that catches not just the Japanese keyword hack but any form of content injection or defacement.

Step 3: Monitor multiple pages across your site

The hack typically creates new URLs rather than modifying existing ones, but it can also inject content into existing pages — especially through modified theme files or plugin output. Monitor your most important pages:

  • Homepage
  • Top landing pages by organic traffic
  • Contact and conversion pages
  • Blog post pages

Step 4: Set up alerts that wake you up

The Japanese keyword hack does its damage over time. Every day it runs, more spam pages get indexed and your domain reputation degrades further. Fast detection means fast cleanup means less long-term damage.

  • Slack — instant alert in a dedicated security channel
  • Microsoft Teams — immediate visibility for your team
  • Email — backup notification with a written record
  • Webhook — trigger automated incident response workflows

Preventing the Japanese keyword hack

Keep everything updated

The number one entry point is vulnerable plugins. Update WordPress core, plugins, and themes the day updates are available. Enable auto-updates for minor releases. Delete any plugin or theme you are not actively using.

Use strong, unique passwords

Every WordPress admin account should have a password that is at least 16 characters, randomly generated, and unique to that site. Use a password manager. Never reuse a password across sites.

Enable two-factor authentication

Even if an attacker gets your password, two-factor authentication stops them from logging in. This one measure prevents the majority of credential-based attacks.

Never install nulled themes or plugins

Nulled (pirated) premium themes and plugins are the easiest way for an attacker to get a backdoor onto your site. The theme works as advertised — but it also phones home to the attacker. Only install plugins and themes from the official WordPress plugin directory or directly from the developer's verified website.

Regularly check Google Search Console

Make it a weekly habit to check your Search Console for unexpected pages, unusual traffic spikes from countries you do not target, and any security notifications. This is your early warning system for SEO-based attacks.

Your site might be hacked right now and you would not know

That is the entire point of the Japanese keyword hack. It is built to be invisible from wp-admin. It cloaks its content from logged-in users. It targets search engines, not your visitors. By the time you notice — by the time a customer says "I searched your brand name and saw Japanese text" — the hack has been running for weeks and Google has already started penalising your domain.

Uptrue monitors your pages from the outside, the way search engines and visitors see them. If unexpected content appears — Japanese characters, spam keywords, anything that should not be on your English-language site — you know in under a minute. Not in weeks. Not when a customer tells you. In under a minute.

Frequently asked questions

What is the Japanese keyword hack on WordPress?

The Japanese keyword hack is a type of SEO spam attack where hackers inject thousands of pages with Japanese text into your WordPress site. These pages are designed to rank in Google for Japanese search queries — typically for counterfeit luxury goods, pharmaceuticals, or gambling sites. The pages generate affiliate revenue for the attacker through redirects to spam stores. The hack is cloaked so that you cannot see the spam pages from wp-admin or when browsing your site — they only appear in Google search results.

How do I know if my site has the Japanese keyword hack?

The easiest way to check is to search Google for: site:yourdomain.com. If you see pages with Japanese characters in the titles and descriptions that you did not create, your site is hacked. You can also check Google Search Console for a sudden spike in indexed pages or for pages with Japanese text in the Coverage or Performance reports. The hack is invisible from wp-admin because it uses cloaking — it shows spam content to search engine crawlers but normal content to logged-in administrators.

Can uptime monitoring detect the Japanese keyword hack?

Standard HTTP uptime monitoring will not detect this hack because the server continues to return 200 OK responses. The hack is specifically designed to be invisible to normal visitors and site administrators. However, keyword monitoring can detect it. By setting up a monitor that checks for Japanese characters on your English-language pages, or that verifies your expected content is present and unmodified, you can catch the hack when the cloaking fails or when spam content bleeds into your normal pages.

How do I remove the Japanese keyword hack from WordPress?

Start by making a full backup. Then remove any unrecognised admin accounts from Users. Check for and delete any unfamiliar plugins or themes. Scan all files for recently modified PHP files, especially in wp-includes and wp-content. Look for base64-encoded content and eval() calls in theme and plugin files. Reset your .htaccess to the WordPress default. Resubmit a clean sitemap in Google Search Console and request removal of the spam URLs. After cleaning, change all passwords — WordPress admin, FTP, database, and hosting panel. Install a reputable security plugin and enable two-factor authentication.