Japanese Keyword Hack: Remove Japanese Spam From Google
By Glenn Lyvers · Updated · 6 min read
The Japanese keyword hack is an infection where attackers generate thousands of spam pages on your site, written in Japanese and stuffed with links to counterfeit-goods stores, then get those pages indexed by Google under your domain. You usually discover it by searching for your own site and finding results full of Japanese characters for pages you never created. The site itself often looks untouched, because the spam pages are shown to Google and hidden from you.
I've cleaned this exact infection more times than I can count. It has a documented playbook, and once you know the playbook, the weird parts stop being scary. It's also one of the infections where cleanup is only half the job; the other half is getting several thousand junk URLs back out of Google's index.
What the Japanese keyword hack looks like
Search Google for site:yourdomain.com. On an infected site you'll see your normal pages mixed with results like yourdomain.com/wp-oct.php?cat=... or clean-looking directory URLs, with titles and snippets in Japanese, usually advertising brand-name bags, watches, or sneakers at suspicious prices. Click one and you may land on a spam storefront, or get bounced to another domain entirely, or see your own 404 page, because many of these pages only render for Googlebot.
Site owners often find out from a customer, or from a sudden Search Console email about a spike in indexed pages. One client came to me after noticing their little bakery site supposedly had 40,000 pages in Google. They had about 30 real ones.
Check who owns your Search Console. Seriously.
Here's the part almost nobody expects: attackers running this campaign frequently add themselves as verified owners of your property in Google Search Console. They upload a verification file or token during the break-in, and once verified they can submit spam sitemaps, monitor how well their campaign is indexing, even request changes.
Open Search Console, go to Settings, then Users and permissions, and look at every verified owner and user. If there's an account you don't recognize, remove it, and also delete the verification token that let it in, usually a google[random].html file in your web root or a stray meta tag or DNS record. If you skip the token, they just re-verify themselves next week. On several cleanups I've found the attacker's sitemap still listed in Search Console months after the site owner thought everything was fixed, quietly feeding Google fresh spam URLs.
Where the spam actually lives
The machinery is usually a few PHP files the attacker dropped in, plus rewrite rules that route made-up URLs to them. The generator script often sits in the web root or in wp-content/uploads wearing an innocent name, and it builds pages on demand. The content is cloaked: when Googlebot asks, it gets a keyword-stuffed Japanese page; when you ask, it serves a redirect or your normal 404. There's typically a spam sitemap or two as well, sometimes physical XML files, sometimes generated dynamically.
Because of the cloaking, checking pages in your browser proves very little. Use Search Console's URL Inspection tool and view the crawled page as Google saw it, or fetch pages with a Googlebot user-agent. My free site checker catches some of this from the outside, and my indicators checklist lists the file-level evidence worth collecting before you delete anything.
Cleaning it up
The removal work follows the same discipline as any serious infection. Take a full copy of files, database, and logs first. Then find and remove the generator scripts, the rogue rewrite rules in .htaccess, any spam sitemaps, and whatever backdoor the attacker left so they could come back. Compare WordPress core files against fresh copies, since this campaign loves modifying them. Then close the entry point, which in my experience is most often an outdated plugin or theme, and rotate every credential. The full process is the same one I describe in my malware removal walkthrough.
Don't stop at deleting the spam pages themselves. They're output. The generator, the rewrite rules, and the backdoor are the machine, and the machine will happily print another ten thousand pages the night after your cleanup.
Getting thousands of spam URLs out of Google
Once the site is clean, those URLs should return 404 or 410, and Google will drop them on its own, but slowly. A few things speed it up. Submit a fresh, honest sitemap. Use the Removals tool in Search Console for the ugliest patterns; a temporary removal hides them from results immediately while natural deindexing catches up. If Search Console shows a security issue or manual action, fix everything first and then request a review with a plain description of what you removed and how you closed the hole.
Expect the index cleanup to take weeks, sometimes a couple of months for very large infections. That's normal and doesn't mean the hack is still active. What would mean trouble is the indexed count creeping up again, so keep an eye on it, and consider some ongoing monitoring during the recovery window.
Does the Japanese keyword hack hurt my rankings?
While it's live, yes. Google is indexing tens of thousands of low-quality pages under your domain, your crawl budget is being spent on spam instead of your real content, and if the campaign trips a manual action for spam or cloaking, your whole site can be demoted or filtered. Some owners also see their legitimate pages drop simply because the site's overall quality signals have been diluted by forty thousand pages of counterfeit handbag text.
The recovery pattern I see is consistent: rankings stabilize soon after the cleanup, then climb back toward normal as the spam URLs fall out of the index over the following weeks. A site that was healthy before the hack nearly always gets back to where it was. What genuinely hurts is letting the infection run for months, or cleaning it badly three times, because each reinfection restarts the clock and erodes Google's trust a little more.
How it got in, and keeping it out
In the cases I've handled, the entry point is boring: a plugin or theme that hadn't been updated in a year, or occasionally a password reused from some other breached account. This campaign is fully automated, and the bots running it scan constantly for known holes. Nobody chose your site. It answered.
So prevention is boring too, and it works: update on a schedule, drop plugins you don't use, use unique passwords with two-factor on your admin accounts, and put the basics from my security best practices guide in place. After this particular hack I also recommend re-checking your Search Console owners list once a month for a while. It takes thirty seconds, and it's the one place this attacker loves to linger.
If you'd rather not fight this alone
This is one of the more tedious infections to clean properly, and the Search Console side trips people up constantly. If you want it handled, my Bulletproof Cleaning is $195 and covers the whole sequence: evidence snapshot, removal of the generator and backdoors, entry-point closure, ownership audit in Search Console, and the deindexing work afterward. Hand it to me and go run your business while the Japanese spam disappears from your results.
Common questions
What is the Japanese keyword hack?
It is a common infection where attackers generate thousands of Japanese-language spam pages on your site, promoting counterfeit goods, and get them indexed by Google under your domain. The pages are usually cloaked, meaning Google sees the spam but you see a normal site or a 404 page. The point is to steal your domain's reputation to rank their spam.
How do I know if my site has Japanese spam in Google?
Search Google for site:yourdomain.com and scan the results. Infected sites show pages with Japanese titles and snippets you never created, often at strange URLs. A sudden spike in indexed pages reported by Search Console is another giveaway. Because the pages are cloaked, visiting them in your browser often shows nothing unusual.
Why is there a stranger listed as an owner in my Search Console?
Attackers behind the Japanese keyword hack routinely verify themselves as owners of your Search Console property using a token uploaded during the break-in. It lets them submit spam sitemaps and track their campaign. Remove the unknown owner, then find and delete the verification file, meta tag, or DNS record they used, or they will simply re-verify.
How long does it take for Japanese spam pages to leave Google's index?
After a real cleanup, most of the spam URLs drop out over several weeks, and large infections can take a couple of months. You can speed it up by returning 404 or 410 for the spam URLs, submitting a clean sitemap, and using the Removals tool for the worst patterns. A rising indexed-page count after cleanup means the generator is still alive.
Can I just delete the spam pages I find?
No, because the pages are output from a generator script hidden on your server, usually paired with rewrite rules and a backdoor. Delete the visible pages and the machine prints new ones, often the same night. A proper fix removes the generator, the rewrite rules, the spam sitemaps, and the backdoor, then closes the entry point the attacker used.