
Fix Japanese Keywords Hack In Your WordPress Site?

The Japanese keyword hack, also known as the Japanese keyword attack, Japanese SEO spam, Japanese search spam or Japanese symbol spam, can do serious damage to your website.

My own website was affected by this type of search spam, which results in the appearance of hacked pages with a different page title and content.

Most of the time the site administrator does not even know the website is under attack until Google Search Console sends a notification, or until they run this simple Google query:

site:yourDomainName.com

The Google search results will display the infected pages with their content in Japanese characters.


When a Content Management System (CMS) based website such as WordPress, OpenCart, Drupal or Magento is hacked this way, new spammy pages with auto-generated Japanese text appear on it.


These infected pages contain affiliate links to stores that sell counterfeit brand merchandise. The hackers generate revenue from the outbound links inserted into your pages.

Here are the common weaknesses that let a hacker plant the ‘Japanese keyword attack’ on a website. This list is based on the audit of my own website:

  • Outdated WordPress core: WordPress releases patches and updates to close known vulnerabilities, so every update they push means the fixed weakness is now public knowledge; ignoring the update means inviting an attack.
  • Plugins, even from trusted sites: plugins, even those in the official WordPress repository, sometimes contain bugs, so before installing one check its support forum and user feedback.
  • Directory browsing: directory listing lets a hacker look through your website for components with known bugs, especially plugins.
  • Readable wp-config.php file: this file contains the most vital information about your website, including the database name and user name, so it must be protected at all times.
  • Unlimited login attempts: this allows brute-force attacks against your login.
  • Shared FTP details.
  • Nulled themes: a major way of gaining access to any WordPress-based website.
  • .htaccess file: the most important file for cloaking spam URLs and redirecting traffic to the spammer’s site.
  • readme.txt and license.txt files left in your website’s root folder.
  • Default login URL not hidden.
  • Theme and plugin names not hidden.
  • xmlrpc.php file not secured.
  • wp-register.php file not secured.

First we will explain how to fix the Japanese keyword hack, and then how to harden your website’s security.

Use Google search Console to detect your hacked URLs

Use Google Search Console > Security Issues to confirm that your website is under a Japanese keyword spam attack and to find the URLs that have been inserted into it. The tool shows whether any of the hacked pages have been indexed by Google.

Google advises webmasters to register their websites with Search Console to receive timely notifications in case of hacking.


Fixing Japanese Keywords Hack

Before you start fixing your website, we highly recommend the following steps:

  1. Put your website into maintenance mode, as it will be temporarily offline while you work on it. This keeps your readers from visiting the site while it is being repaired.
  2. Take a backup of your wp-content folder and your database using phpMyAdmin or a similar tool. Do not forget to back up your .htaccess and wp-config.php files, as these two files have the greatest impact on your current website.
  3. The method suggested here needs technical knowledge of PHP, JavaScript and your website’s CMS, so professional assistance is strongly recommended. If you are not sure about your CMS, consult its documentation for more information.

Steps to recover a hacked website

Here is the safest method we know to recover your hacked website:

  1. Rename wp-content/plugins to wp-content/plugins-old to check whether the Japanese keywords are being injected by a plugin.
  2. Download your .htaccess file and check it thoroughly, as this is the first file hackers use to redirect your legitimate URLs to spam sites.
  3. It is a better idea to empty the .htaccess file and upload it back to your server; most .htaccess entries are created by plugins, so you can recreate the file once your website is clean.
  4. Remove newly created accounts from your website as well as from Search Console.
  5. Compare the wp-*.php files in your root directory with the original WordPress files; if any file contains anything suspicious, either remove it or replace it with the original WordPress file.
  6. Check recently updated or modified files.
  7. Check your website’s sitemap.
  8. Run a malware scan.

Sometimes even these steps do not remove the garbage pages, because the hacker plants WordPress look-alike files in your wp-admin and wp-includes folders and calls them when required.

Both wp-admin and wp-includes contain thousands of PHP files, and it is almost impossible to scan them all manually. It is better to replace both folders entirely with the originals from a fresh WordPress download.
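One way to do the comparison in steps 5 and 6 above, and to spot the look-alike files just mentioned, is to diff the live install against a clean download of the same WordPress version. This is an added example rather than the post’s own procedure; the two root paths, the `wp_core_diff` and `demo_dirs` names and the constructed demo trees are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Report every file under wp-admin/,
# wp-includes/ and the root wp-*.php set that is either absent from a clean copy
# of the same WordPress version (a planted look-alike) or differs from it (a
# modified core file). $1 = installed site root, $2 = clean WordPress root
# (both paths are assumptions for this demo).
wp_core_diff() {
  site="$1"; clean="$2"
  (
    cd "$site" || exit 1
    find wp-admin wp-includes -type f 2>/dev/null
    # wp-config.php is site-specific and never ships with WordPress, so skip it
    find . -maxdepth 1 -type f -name 'wp-*.php' ! -name 'wp-config.php' | sed 's|^\./||'
  ) | sort | while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      echo "EXTRA    $f"          # not in a clean install
    elif ! cmp -s "$site/$f" "$clean/$f"; then
      echo "MODIFIED $f"          # content differs from the clean copy
    fi
  done
}

# Constructed demo trees (not a real site): one genuine file left untouched, one
# core file with an injected line, one look-alike dropped into wp-includes/.
demo_dirs() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/clean/wp-admin" "$tmp/clean/wp-includes" \
           "$tmp/site/wp-admin"  "$tmp/site/wp-includes"
  for d in clean site; do
    echo '<?php // genuine' > "$tmp/$d/wp-includes/functions.php"
    echo '<?php // genuine' > "$tmp/$d/wp-load.php"
  done
  echo '<?php // genuine' > "$tmp/clean/wp-admin/admin.php"
  echo '<?php // genuine plus injected line' > "$tmp/site/wp-admin/admin.php"
  echo '<?php // site-specific, never in a clean copy' > "$tmp/site/wp-config.php"
  echo '<?php // planted look-alike' > "$tmp/site/wp-includes/wp-cla55.php"
  echo "$tmp"
}

# Usage on a real site: wp_core_diff /path/to/site /path/to/unpacked-clean-wordpress
root=$(demo_dirs)
wp_core_diff "$root/site" "$root/clean"
```

On a real site point it at the unpacked wordpress.org zip for your exact version; WP-CLI’s `wp core verify-checksums` performs the same check against the official checksums.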

Now check your website, and even if you can see your original website again, do not assume you are no longer under attack. It is a wise step to log in to cPanel and check your website’s logs. In my case, a particular IP address was sending thousands of queries to my site, so we had to block that IP in the .htaccess file.
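A quick way to find the kind of high-volume client mentioned above in the raw access log, and to turn the result into the deny rule the post describes, as an added example that is not part of the original post; the function names, the request threshold and the sample log lines (RFC 5737 documentation addresses) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Count requests per client address in
# an Apache combined-format access log and list the addresses at or above a
# threshold: the log check the post describes doing from cPanel before blocking
# an address in .htaccess. $1 = log file, $2 = minimum request count (assumed args).
top_talkers() {
  awk -v min="$2" '{ n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' "$1" |
    sort -rn
}

# Turn top_talkers output into an .htaccess fragment in the same Apache 2.2
# syntax the post uses (comments must sit on their own line in .htaccess).
htaccess_deny() {
  echo 'order allow,deny'
  echo 'allow from all'
  while read -r count ip; do
    echo "# $count requests seen in the access log"
    echo "deny from $ip"
  done
}

# Constructed sample log (documentation addresses, not a real capture): one
# client hammering the search endpoint, one ordinary visitor.
sample_log() {
  f=$(mktemp); i=0
  while [ "$i" -lt 50 ]; do
    echo "203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] \"GET /?s=$i HTTP/1.1\" 200 512" >> "$f"
    i=$((i + 1))
  done
  echo "198.51.100.2 - - [10/Oct/2000:13:55:36 +0000] \"GET / HTTP/1.1\" 200 512" >> "$f"
  echo "$f"
}

top_talkers "$(sample_log)" 20 | htaccess_deny
```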

What next after fixing Japanese keyword spam

Since Google has indexed all the gibberish URLs from your website and marked it as a spam site, here are the steps you must follow:

  1. Update your website’s CMS immediately.
  2. Update all pending themes and plugins.
  3. Generate a new sitemap of your website.
  4. Submit this sitemap to Google and other search engines immediately.
  5. Mark all the gibberish URLs as spam and ask Google to remove them.

Since a Japanese keyword spam attack generates millions of URLs on your website, it is not possible to recover all of them within hours; you have to wait at least 15 days before submitting your request to revoke the manual penalty.

How to harden WordPress website security

We have already listed the reasons my site was hacked, so here are the steps you can take to harden your website’s security.

Restrict directory browsing

Run the following Google dork to see how many websites are vulnerable to directory browsing:

inurl:”/wp-content/plugins/”

This simple dork shows millions of sites that are revealing their contents. Now check your own website using

inurl:”/wp-content/plugins/” site:yourdomainname

Still not sure about your website? Type the following into your browser’s address bar:

https://yourdomain-name.com/wp-content/uploads

If a file listing appears on your screen, you need to fix this issue immediately. Here are two methods to do so.

Using .htaccess file to prevent directory browsing

Put the following code inside your .htaccess file

Options -Indexes

Using robots.txt file to prevent directory browsing

Open your existing robots.txt file and add the following lines at the bottom; they tell well-behaved crawlers not to index these folders:

Disallow: /wp-content/
Disallow: /wp-admin/
Disallow: /wp-includes/

Securing wp-config.php file

wp-config.php is one of the most important files in a WordPress installation. It acts as the bridge between the WordPress file system and the MySQL database: it contains the database connection credentials, the security keys, the database table prefix and the default language for your admin panel.

wp-config.php can be protected using the same .htaccess file. Copy the following block into your .htaccess file; it denies all web access to wp-config.php while leaving the rest of the site reachable:

# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" (or enable mod_access_compat)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Limit Login attempt to prevent Brute Force attack

Restrict the number of login attempts on your website and also rename the main wp-login.php file so that an attacker cannot run a brute-force attack against it. With the Limit Login Attempts plugin you can restrict login attempts by IP address.


Rename your admin User

The easiest way to rename the default superuser is to create a new superuser and delete the default one. That’s it.

Shared FTP details

While implementing FREEssl on my site https://binarynote.com, I used automated verification instead of manual verification and supplied my FTP details on that website, and perhaps this is the first mistake I committed.

So if you use any service that offers to take your FTP details, never share your admin FTP details; instead share a trimmed-down FTP account with limited access.

Nulled Themes

When people do not want to pay for a developer’s hard work they turn to nulled themes. Most of the time nulled themes carry malicious code, and with it a hacker gains access to your website and inserts such spam pages.

So before installing any such theme, check it with the Theme Check plugin on your local machine first, and if at all possible buy themes from the original developers only.

Hiding readme.txt and license.txt files

These two are the most ignored files in any WordPress installation, yet they give a hacker plenty to work with because they contain details about your WordPress installation. Paste the following block into your .htaccess file:

<FilesMatch "^(readme|license)\.(txt|html)$">
order allow,deny
deny from all
</FilesMatch>

Securing .htaccess file

The .htaccess file is the first target of any attacker, as it is the file hackers use to generate gibberish URLs, cloak affiliate links and redirect all your traffic to the target website. The .htaccess file itself therefore needs protecting. Copy the following block into it:

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

Secure all your wp php files

Put the following block in your .htaccess file so that nobody can load these core WordPress files directly from the address bar. It covers the root files that are only ever included by other PHP code; wp-login.php, wp-cron.php and wp-comments-post.php are deliberately left reachable because browsers and WordPress itself request them:

<FilesMatch "^(wp-config|wp-settings|wp-blog-header)\.php$">
order allow,deny
deny from all
</FilesMatch>

Hiding WordPress themes and Plugins

Services like What Is My Theme reveal the theme and plugins used on any WordPress website, and that information is enough for a hacker to plan an attack.

It is a good idea to hide all the basic WordPress directories, themes and plugins from the website’s source code.


The WP Hide & Security Enhancer plugin can fill all these gaps in your WordPress website. Here is a detailed video on hiding WordPress themes and plugins.

Hide Wp-Login.php file

wp-login.php is the file that takes you into the WordPress admin panel, and it is just as visible to your attacker, so hide this very common file and move your login page to a different URL using the WPS Hide Login plugin.


Securing xmlrpc.php

When communicating with other blogging systems like Blogger or Movable Type, or when posting from desktop clients or the official mobile apps, XML-RPC was, and still is, there to help. The WP REST API is now there to take over the role of XML-RPC with better security and control.

So if you are not using XML-RPC at all, the best thing is to disable it with the free plugin Disable XML-RPC. Alternatively, open your theme’s functions.php file and paste the following code:

add_filter( 'xmlrpc_enabled', '__return_false' );

You can read more on xml-rpc on medium.com

Remove the REST API link

The REST API is only useful when you render the content of this website inside another site; if you do not, it is better to remove the REST API discovery link from your page source. Paste the following code into your theme’s functions.php file:

remove_action( 'wp_head', 'rest_output_link_wp_head' );

Check your website’s wp_users table

Since you don’t know how the hacker got access to your website, check its wp_users table, which holds your website’s user accounts, and delete any entry you do not recognize at all.

Remove WordPress version from Source code

Open your theme’s functions.php file and paste the following code to remove the WordPress version number from the page source:

remove_action( 'wp_head', 'wp_generator' );

Remove Script version from source code

The following code is especially useful for hiding the version number of any specific JavaScript library with a known vulnerability. Paste it into your theme’s functions.php file and reload your website:

// Strip the ?ver=... query string WordPress appends to enqueued script and style URLs
function _remove_script_version( $src ) {
    $parts = explode( '?ver', $src );
    return $parts[0];
}
add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
add_filter( 'style_loader_src',  '_remove_script_version', 15, 1 );

Bonus tips to harden your website security

  1. Never keep the default WordPress table prefix wp_ in wp-config.php; if it is there, change it immediately.
  2. If you are getting too much traffic from a particular IP address, ban that IP using the .htaccess file.
  3. Change all existing usernames and passwords for your website, including cPanel, FTP, WordPress login and other accounts, even your password manager’s password.

I hope this guide helps you fix the Japanese keyword spam attack and make your website a safer place to visit.
