If your traffic fell off a cliff and Google suddenly shows pages of Japanese text under your domain, you have the Japanese keyword hack — one of the most common and most profitable WordPress compromises. It's confusing because the symptom lives in Google's index, not on your home page. Here is what's actually happening.

What it is

An attacker uses a foothold in your site to generate thousands of synthetic pages — usually selling counterfeit goods — stuffed with Japanese keywords. They don't replace your content; they add a parallel set of pages that ride on your domain's existing authority. To Google, your trusted domain is now also publishing a store full of fake-brand sneakers.

Why you can't see it

This is the part that makes owners doubt themselves. The injected pages are cloaked: the malicious code checks who is asking.

  • If the request looks like Googlebot, it serves the spam page.
  • If the request looks like a normal visitor — you, on your own site — it serves your real content.

So you visit your site, everything looks fine, and you assume the warning is a mistake. Meanwhile Google is indexing a different version of your site entirely. The quickest way to see what Google sees is a site:yourdomain.com search, or fetching a page with a Googlebot user-agent.

How it persists

A one-time injection would be easy to clean. This isn't that. The persistence usually lives in several places at once:

  • Injected rows in the database (wp_posts, or autoloaded wp_options).
  • A modified or rogue file in the theme or wp-content/uploads/.
  • Rewrite rules in .htaccess that route crawler traffic to the spam.
  • Sometimes a fake admin user or a cron job that re-creates everything after you delete it.

Clean only the files and the database rows come back. Clean only the database and the loader file regenerates them. This is why "I deleted the spam pages and they returned" is the single most common thing owners tell me.

How it's removed properly

A real cleanup is four jobs, in order:

  1. Find the entry vector — almost always a vulnerable plugin or a stolen credential. If you skip this, you reinfect.
  2. Remove the persistence — every injected file, database row, cron job, rogue admin, and .htaccess rule, not just the visible pages.
  3. Harden so the same hole can't be reused — update or remove the vulnerable component, rotate credentials, restrict PHP execution in uploads. My hardening checklist covers the specifics.
  4. Ask Google to re-index — once the spam is gone, the cloaked pages need to fall out of the index. A clean fetch and a re-indexing request speed that up; the timeline is Google's to set.

If you'd rather not chase it

The Japanese keyword hack is fiddly precisely because it hides and regenerates. If you want it handled end-to-end — entry vector closed, persistence removed, written report — that's exactly what Japanese SEO spam removal covers. Not sure it's even the right diagnosis? Run the triage checklist first.