The Japanese keywords hack (or Japanese keyword attack), also known as Japanese SEO Spam, Japanese Search Spam or Japanese Symbol Spam, can be very dangerous to your website.
My own website was affected by this type of search spam that results in the appearance of hacked pages with a different page title and content.
Most of the time, however, a website administrator does not know whether the site is under attack until Google Search Console sends a notification or the administrator explicitly runs this simple Google query.
The Google search results will display the infected pages with their content in Japanese characters.
Content Management System (CMS) based websites like WordPress, OpenCart, Drupal or Magento, when hacked, end up with new spammy pages filled with auto-generated Japanese text.
These infected pages contain affiliate links to stores that sell counterfeit brand merchandise. The hackers generate revenue from these outbound links inserted into your website's pages.
Here are some simple reasons why a hacker was able to hack your website using the 'Japanese keyword attack'. This list is based on my website audit.
Outdated WordPress core: WordPress releases patches and updates to close known vulnerabilities, so every update it pushes means it knows how a hacker can hack a WordPress website, and ignoring that update means you are inviting.
WordPress plugins from trusted sites: plugins, even those from the WordPress repository, sometimes contain bugs, so before installing any plugin, check its support system and user feedback.
Directory browsing: directory browsing allows a hacker to peep into your website for known bugs, especially in your plugins.
Accessible config.php file: this file contains the most vital information about your website, the database and user name, so it must be kept safe at all times.
Unlimited login attempts: these allow a brute-force attack on your system.
Shared FTP details
Nulled themes: a big source of access to any WordPress-based website.
.htaccess file: the most important file for cloaking spam URLs and redirecting traffic to the spammer's site.
readme.txt and license.txt files exist in your website root folder
Not hiding the default login URL
Not hiding your theme and plugins
Not securing the xmlrpc.php file
Not securing your wp-register.php file
First we will show how you can fix the Japanese keyword hack, and then how you can harden your website security.
Use Google Search Console to detect your hacked URLs
You can confirm that your website is under a Japanese keyword spam attack, and find the URLs that have been inserted into it, using the Google Search Console > Security Issues tool. The tool will verify if any of the hacked pages have been indexed by Google.
Google advises webmasters to register their websites with Search Console to receive timely notifications in case of hacking.
Fixing Japanese Keywords Hack
Before you start fixing your website, we highly recommend taking the following steps.
Put your website into maintenance mode, as it will be temporarily offline. This way you keep your valuable readers from visiting the site while you work on it.
Take a backup of your wp-content folder and your database using phpMyAdmin or similar tools. Do not forget to back up your .htaccess file and wp-config.php file, as these two files have the greatest impact on your current website.
Steps to recover Hacked website
Here we take you through the safest method to recover your hacked website.
Rename wp-content/plugins to wp-content/plugins-old to check whether the Japanese keywords are coming through plugins or not.
Download the .htaccess file and check it thoroughly, as this is the first file hackers use to redirect your legitimate URLs to spam sites.
It is a better idea to remove everything from the .htaccess file and upload it to your server: most of the time .htaccess entries are created by plugins, so you can recreate the file once your website is clean.
Remove newly created accounts from your website as well as from Search Console.
Compare the wp-*.php files in your root directory with the original WordPress files; if any file contains anything suspicious, either remove it or replace it with the original WordPress file.
Check recently updated/modified files
Check your website sitemap
Run a malware scan
Sometimes even the listed methods do not remove the garbage pages from your website, because the hacker inserts WordPress lookalike files into your wp-admin and wp-includes folders and calls these files when required.
The wp-admin and wp-includes folders contain thousands of PHP files, and it is almost impossible to scan them manually. So it is better to replace both folders wholesale with the ones from your original WordPress directory.
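The comparison described in the steps above can be scripted before you overwrite anything. The following is an added example, not code from the original article: it hashes the root-level wp-*.php files and everything under wp-admin and wp-includes, and reports files that differ from, are absent from, or are missing compared with a clean WordPress copy. It assumes the clean copy is the same WordPress version as the site; all function names and the sample trees are constructed for illustration.

```python
import hashlib, tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")   # folders the article replaces wholesale
IGNORE = {"wp-config.php"}                # site-specific, absent from a clean download

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def core_files(root):
    """Relative path -> Path for root-level wp-*.php files and all files in CORE_DIRS."""
    root = Path(root)
    found = {p.name: p for p in root.glob("wp-*.php")}
    for d in CORE_DIRS:
        found.update({p.relative_to(root).as_posix(): p
                      for p in (root / d).rglob("*") if p.is_file()})
    return found

def compare_core(site_root, clean_root):
    """Classify core files as modified, unexpected (not in clean copy) or missing."""
    site, clean = core_files(site_root), core_files(clean_root)
    report = {"modified": [], "unexpected": [], "missing": []}
    for rel in sorted(site.keys() - IGNORE):
        if rel not in clean:
            report["unexpected"].append(rel)      # candidate lookalike file
        elif digest(site[rel]) != digest(clean[rel]):
            report["modified"].append(rel)        # core file was altered
    report["missing"] = sorted(clean.keys() - site.keys())
    return report

def demo():
    """Constructed sample trees: a clean copy and a tampered site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-admin").mkdir()
            (root / "wp-load.php").write_text("<?php // core loader\n")
            (root / "wp-includes/version.php").write_text("<?php // version\n")
            (root / "wp-admin/index.php").write_text("<?php // dashboard\n")
        (site / "wp-config.php").write_text("<?php // site settings\n")
        (site / "wp-load.php").write_text("<?php // core loader\n// appended line\n")
        (site / "wp-includes/wp-lookalike.php").write_text("<?php // constructed name\n")
        (site / "wp-admin/index.php").unlink()
        return compare_core(site, clean)

if __name__ == "__main__":
    print(demo())
```

Run compare_core against your backup copy of the site rather than the live folder, so the evidence is preserved while you replace the directories.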
Now check your website. Even if you are able to see your original website, do not assume that you are no longer under attack. It is a wise step to log in to cPanel or check the logs of your website; in my case, a particular IP was sending thousands of queries to my site, so we had to block that IP from the .htaccess file.
What Next after fixing Japanese Keyword Spam
Since Google was able to index all the gibberish URLs from your website and has marked it as a spam site, here are some steps that you must follow.
Update your website CMS immediately
Update all pending themes and Plugins
Generate a new sitemap of your website.
Submit this sitemap to Google and other search engines immediately.
Mark all gibberish URLs as spam and ask Big Brother to remove all such URLs.
As the Japanese Keyword Spam attack generates millions of URLs on your website, it is not possible to recover all of them within hours; you have to wait at least 15 days before submitting your request to revoke the manual penalty.
How to harden WordPress website security
We have already listed some reasons why my site was hacked, so here are the steps you can take to harden your website security.
Restrict Directory browsing
Use the following Google dork to check how many websites are vulnerable to directory browsing.
This simple Google dork will show you millions of sites that are revealing their contents. Now check your own website using
If you are still not sure about your website, just type the following in your browser's address bar
If something appears on your screen, you need to fix this issue immediately. Here are two methods to fix it.
Using .htaccess file to prevent directory browsing
Put the following code inside your .htaccess file
Using robots.txt file to prevent directory browsing
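robots.txt only asks well-behaved crawlers to stay out of the listed paths; it does not stop a visitor from browsing the directories, so use it in addition to the .htaccess method. Open your existing robots.txt file and add the following lines at the bottom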
Securing wp-config.php file
wp-config.php is one of the most important files of the WordPress installation. It acts as a bridge between the WordPress file system and the MySQL database. wp-config.php contains the database connection credentials, security keys, database prefix and the default language for your admin panel.
The wp-config.php file can be secured using the same .htaccess file. Copy and paste the following code into your .htaccess file. This will deny access to the wp-config.php file
<Files wp-config.php>
deny from all
</Files>
Limit login attempts to prevent brute-force attacks
Restrict login attempts on your website and also rename your main wp-login.php file so that an attacker cannot use a brute-force attack on your website. Using a limit login attempts plugin, you can restrict login attempts based on IP address.
Rename your admin user
The easiest method to rename the default superuser is to create a new superuser and delete the default superuser. That's it.
Shared FTP details
While implementing FREEssl on my site https://binarynote.com I used automated verification instead of manual verification and supplied my FTP details on that website, and perhaps this is the first mistake I committed.
So if you are using any such service that gives you the option of sharing your FTP details, never share your admin FTP details; instead, share a trimmed-down FTP account that has limited access.
When people do not want to pay you for your hard work, they choose nulled themes. Most of the time nulled themes are used to insert malicious code, and using that code a hacker gains access to your website and inserts spam pages into it.
So before installing any such theme, check it using the Theme Check plugin on your local machine first and, if possible, always buy themes from the original developers only.
Hiding readme.txt file and license.txt files
These two are the most ignored files in any WordPress installation. They have enough juice for a hacker, as they contain important information about your WordPress. Just paste the following code inside your .htaccess file
<FilesMatch "^(readme|license)\.txt$">
deny from all
</FilesMatch>
Securing .htaccess file
The .htaccess file is the first target of any attacker, as this is the file hackers use to generate gibberish URLs, cloak affiliate links and redirect all the traffic from your website to the target website. The .htaccess file also needs security. Copy and paste the following code to secure your own .htaccess file.
<Files .htaccess>
deny from all
</Files>
Secure all your wp php files
Copy and paste the following code inside your .htaccess file so that nobody, and that means nobody, can access your wp files from the address bar.
deny from all
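The following is an added example, not code from the original article: a small Python audit that checks whether an .htaccess file really applies the protections listed in this section. It relies on the standard Apache forms (Options -Indexes, and deny from all or Require all denied inside a Files or FilesMatch section) and flags a deny directive that sits outside any section, since that applies to the whole directory instead of one file. The names audit_htaccess, PROTECT, SAMPLE and BROKEN are chosen here, and both inputs are constructed.

```python
import re
from fnmatch import fnmatchcase

PROTECT = ["wp-config.php", "readme.txt", "license.txt", ".htaccess"]  # files the article names
OPEN = re.compile(r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Files|FilesMatch)\s*>', re.I)
DENY = re.compile(r'(deny\s+from\s+all|require\s+all\s+denied)$', re.I)
NOINDEX = re.compile(r'Options\s.*-Indexes\b', re.I)

SAMPLE = r"""# constructed sample, not taken from the article
Options -Indexes
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<FilesMatch "^(readme|license)\.txt$">
Require all denied
</FilesMatch>
"""
BROKEN = "deny from all\n"  # constructed: directive with no enclosing section

def audit_htaccess(text):
    """Report which protections from the article an .htaccess file really applies."""
    section, denied, findings, listing_off = None, [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = OPEN.match(line)
        if m:  # remember (is_regex, pattern) of the enclosing section
            is_rx = m.group(1).lower() == "filesmatch" or bool(m.group(2))
            section = (is_rx, m.group(3).strip())
        elif CLOSE.match(line):
            section = None
        elif DENY.match(line):
            if section is None:
                findings.append(f"line {n}: deny outside <Files> applies to the whole directory")
            else:
                denied.append(section)
        elif NOINDEX.match(line) and section is None:
            listing_off = True

    def covered(name):
        return any(re.search(pat, name, re.I) if is_rx
                   else fnmatchcase(name.lower(), pat.lower())
                   for is_rx, pat in denied)

    return {"listing_off": listing_off,
            "unprotected": [f for f in PROTECT if not covered(f)],
            "findings": findings}
```

On Apache 2.4, deny from all only works when mod_access_compat is loaded; Require all denied is the native form, which is why the audit accepts both.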
Hiding WordPress themes and Plugins
Services like What Is My Theme reveal the theme and plugins used on any WordPress website, and this information is sufficient for a hacker to launch his/her attack.
It’s a good idea to hide all basic WordPress directories, themes, and plugins from the website’s source code. Hide my theme.
The WP Hide & Security Enhancer plugin can fill all these gaps inside your WordPress website.
Hide wp-login.php file
The wp-login.php file is responsible for taking you into the WordPress admin panel, and it is just as visible to your attacker, so hide this very common file and redirect your login page using the WPS Hide Login plugin.
Securing xmlrpc.php file
When communicating with other blogging systems like Blogger or Movable Type, or when posting from desktop clients or the official mobile apps, XML-RPC was, and still is, there to help. The WP REST API is now there to take over from XML-RPC with better security and control.
So if you are not using XML-RPC at all, perhaps the best thing is to remove it from your system using the free plugin named Disable XML-RPC, which will do the needful. Another method is to open your functions.php file and paste the following code.
The REST API is only useful when you are rendering the content of the same website on another site; if you are not, it is better to remove the REST API from your source code. Copy and paste the following code inside your theme's functions.php file
Since you don't know how your hacker got access to your website, it is better to check your website's wp_users table, as this table contains information about your website's users. It is a good idea to check it and delete any entry that you do not recognize at all.
Remove WordPress version from Source code
Just open your theme's functions.php file and paste the following code to remove the WordPress version number from the source code.
remove_action( 'wp_head', 'wp_generator' );
Remove Script version from source code
Just copy and paste the following code inside your theme's functions.php file and reload your website
The whole concept was developed by the man you are watching here. I am Rakesh Kumar, serial niche blogger and SEO enthusiast. Find me on Google+, Facebook and Twitter. Developed a popular WordPress theme for wallpapers and a funny image WordPress theme. Love SEO-optimized WordPress theme designing and customization.