Japanese Keyword Hack: Everything You Need to Know about It and How to Fix It

Published on 26 July 2023 - Updated on 14 May 2024

By Andréa Bensaïd

Founder of Eskimoz. I support companies of all sizes in their digital acquisition strategy.


In recent years, an increasing number of websites have been affected by Japanese keyword hacking attacks. The consequences can be severe, often resulting in significant loss of rankings, traffic drops, and serious indexing issues which can ultimately cripple your website!

So if this happens to you, in this article you’ll get all the necessary information and advice to recover from a “Japanese Keyword Hack”, also known as “Japanese Search Spam” or “Japanese Symbol Spam” attack.

What is a Japanese Keyword Hack?

Known as the Japanese Keyword Hack, this type of attack is so named because it uses Japanese script and is primarily conducted by hackers from Japan.

It involves the automatic creation of Japanese text that is then automatically published on your website, usually exploiting a vulnerability in your CMS, often WordPress, but not exclusively.

But what’s the point?

Hackers use this blackhat SEO technique to manipulate Google search results, to index automatically created content, and importantly, to transfer link juice from your compromised website to another that will receive links. Sometimes the links are merely meant to redirect to affiliate links for often illegal or counterfeit products.


Identifying this Type of Hacking

After learning about the Japanese Keyword Hack, you might be wondering how to tell if your website has been attacked. First off, don’t worry too much, as it’s not too complicated. I’ll explain everything you need to know to detect such an attack in the following sections!

Website Technique

The simplest and often most effective method is to use the ‘site:my-website-domain.com’ command. This command simply shows the number of pages indexed on Google. If your website is affected by a Japanese Keyword Hack, you may find a significantly higher number of indexed pages than usual. It’s not uncommon for a website to have tens or even hundreds of thousands of pages indexed due to a Japanese Keyword Hack.

Analysis on Google Search Console

In the Search Console for your website, either directly on the dashboard or in the Coverage tab, a hacked website shows a significant increase in the number of indexed pages in just a few days.

If this is the case, assess which types of pages are increasingly being crawled by Google and if you spot any suspicious pages, don’t hesitate to delete them. The pages created by this type of keyword hacking are usually easy to identify due to common footprints (URL structures, specific directories, extensions in the URL, etc.).
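The footprint idea above can be applied to a URL export. The following is an added example, not part of the original article: it groups indexed URLs that are absent from your known-good list by first directory and file extension, and reports shapes your real site never uses. The URL lists and the `/jp-items/` directory are constructed sample data.

```python
import posixpath
from collections import Counter
from urllib.parse import urlsplit

def footprint(url):
    """Coarse shape of a URL: (first directory, file extension)."""
    path = urlsplit(url).path
    segments = [s for s in path.split("/") if s]
    first = "/" + segments[0] + "/" if len(segments) > 1 else "/"
    ext = posixpath.splitext(path)[1].lower() or "(none)"
    return (first, ext)

def suspicious_footprints(indexed, known, min_count=3):
    """Shapes shared by several unknown URLs and by none of the known ones."""
    known_set = set(known)
    known_shapes = {footprint(u) for u in known_set}
    counts = Counter(footprint(u) for u in indexed if u not in known_set)
    return [(shape, n) for shape, n in counts.most_common()
            if n >= min_count and shape not in known_shapes]

# Constructed sample: KNOWN stands for your own sitemap, INDEXED for a
# Search Console export of indexed pages.
BASE = "https://my-website-domain.com"
KNOWN = [BASE + p for p in ("/", "/contact/", "/products/widget/", "/blog/post-1/")]
INDEXED = KNOWN + [BASE + p for p in (
    "/blog/new-post/",            # unknown URL, but a shape the site already uses
    "/jp-items/101.html", "/jp-items/102.html",
    "/jp-items/103.html", "/jp-items/104.html",
)]

if __name__ == "__main__":
    for (directory, ext), count in suspicious_footprints(INDEXED, KNOWN):
        print(f"{count} unknown URLs under {directory} with extension {ext}")
```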


Receiving Suspicious Emails

You may receive suspicious emails indicating that a new property has been added to your Search Console, or that there is a new owner.

Be Wary of Cloaked Content

Some attacks are more sophisticated than others. For instance, when you visit an address targeted by a Japanese Keyword Hack, you might see an error message indicating that the content no longer exists (e.g., via a 404). This might be a cloaking action, which makes the content invisible to users, but not to Google. To detect them, you can use the Google Search Console and enter the URL in the “Inspect any URL” bar.

Resolving a Japanese Keyword Hack and Patching Vulnerabilities

Before you start taking action to combat the Japanese keyword hack, you should first backup your original website database and FTP files, as some actions might harm your website.

Remove Hacked Accounts on GSC

If you see a new account has been added to Google Search Console, whether through the console or an email, it is crucial to revoke access as soon as possible to prevent it from being used to index hacked pages.

To verify and remove users:

  • Go to Google Search Console (GSC) and ensure you have owner or administrator rights to make changes.
  • Click on Settings on the bottom left.
  • Click “Users and permissions”.
  • You will then be able to delete or check users who have access to your Google Search Console.
  • If an added account is a verified owner, this means they were added using a token, for example, an HTML file added to the root or a .htaccess file with a rewrite rule. It is therefore necessary to remove this token to delete the user.

Analyze Your Server’s HTACCESS File

The .htaccess file is one of the main targets during an attack, so it’s crucial to ensure there are no issues with it. Hackers may use it to redirect pages or create specific rules.

You need to connect to your FTP to locate it at the root. The best approach is to start with a clean version that was in your database. Otherwise, manually analyze the code and make modifications if there are issues.
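To support the manual analysis, here is an added example (not from the original article) that flags .htaccess directives worth a closer look: rules that apply only to crawlers, rewrites that answer a Search Console verification file, and redirects to a host that is not yours. The patterns are heuristics chosen for this example, and the sample file is constructed.

```python
import re

# Heuristics chosen for this example; extend them for your own stack.
CRAWLER_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+\S*(?:google|bing|yahoo|bot|spider)", re.I)
VERIFY_RULE = re.compile(r"RewriteRule\s+\S*google\S*html", re.I)
REDIRECTING = re.compile(r"(?:RewriteRule|Redirect\w*)\s", re.I)
TARGET_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def audit_htaccess(text, own_hosts=()):
    """Return (line_number, reason, line) for each directive to review by hand."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CRAWLER_COND.match(line):
            findings.append((number, "rule applies only to crawlers or search referrers", line))
        if VERIFY_RULE.match(line):
            findings.append((number, "rewrite answers a Search Console verification file", line))
        if REDIRECTING.match(line):
            for host in TARGET_HOST.findall(line):
                # %{HTTP_HOST} and the site's own names are normal (HTTPS/www redirects).
                if not host.startswith("%{") and host.lower() not in own:
                    findings.append((number, "redirect to external host " + host, line))
    return findings

# Constructed sample: a stock WordPress block followed by lines of the kind to look for.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yahoo) [NC]
RewriteRule ^(.*)$ /constructed-loader.php?p=$1 [L]
RewriteRule ^google[0-9a-f]+\.html$ /index.php?verify=1 [L]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Redirect 301 /shop https://spam.example/shop"""

if __name__ == "__main__":
    for number, reason, line in audit_htaccess(SAMPLE, own_hosts=["my-website-domain.com"]):
        print(f"line {number}: {reason}\n    {line}")
```

A flagged line is a prompt for review, not proof of compromise; the rule that follows a flagged `RewriteCond` is the one it applies to.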

Delete Malicious Files and Scripts

You need to check your hosting for any malicious files or scripts that could re-infect your website and make it vulnerable to a Japanese Keyword Hack once again.

Before taking action, it’s advisable to back up your database and hosting to avoid any issues.

Possible actions include:

  • Review the different files in your FTP and see if any appear suspicious. Identify them by seeing if they have a suspicious name or if the modification date matches the date of the hack. Then, you can analyze them in detail and delete them if compromised.
  • You can also use analysis tools to detect malicious files like the “Virus Scanner” in cPanel, then delete them.
  • Ensure your sitemaps are checked as they often get hacked; delete any that are compromised.
  • If you use a CMS, you can simply reinstall your core files, but be careful as you might lose customisations on your website.

Rollback to a Pre-Attack Backup

If you already have a backup system in place, or if your hosting provider has one, it’s often best to restore a backup taken before the date of the hack, which will avoid all the cleanup and investigation work.

However, it is then essential to secure your website immediately, otherwise, you risk being hacked in the same way shortly thereafter.


Ensure that the Hacked Files No Longer Exist

After cleaning up your website, it’s important to ensure that you are no longer susceptible to Japanese Keyword Hacking. The easiest way is to:

  • Check the hacked URLs to see if they still display a code 200; they should return a code 404 or 410 (the page does not exist, content not found, etc.). If so, you’re on the right track.
  • You can also check via Google Search Console in the Coverage tab to see if any malicious URLs remain and then how they respond.
  • Use the Google site:domain.com command again to see whether such URLs still appear.

Be aware, even after deleting content created by hacking, it will remain in Google’s index for several weeks to several months, so fully resolving a Japanese Keyword Hack can take a long time. To expedite the deindexing of hacked pages by Google, you should:

  • Opt for a 410 over a 404, as Google will remove the content from the index more quickly.
  • Submit a sitemap to Google with all the URLs to be deindexed.
  • Use Google’s temporary removal tool to accelerate the deindexing of the pages from the index.
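The status check and the removal sitemap described above, together with the cloaking check from the detection section, can be scripted. This is an added example, not part of the original article: it requests each hacked URL with a browser and a crawler User-Agent, classifies the result, and builds a sitemap of the URLs confirmed as 404 or 410. The URLs and statuses in `SAMPLE` are constructed; pass `http_status` as `fetch` to query a real site. A User-Agent comparison only catches cloaking keyed on that header, so the URL Inspection tool remains the reference for what Google receives.

```python
import urllib.error
import urllib.request
from xml.sax.saxutils import escape

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) cleanup-check"  # arbitrary browser-like value
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def http_status(url, user_agent, timeout=10):
    """Final HTTP status for url; redirects are followed, so a redirect
    to the home page shows up as 200."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code

def check_url(url, fetch=http_status):
    as_user, as_crawler = fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA)
    if as_user != as_crawler:
        verdict = "cloaked"        # the crawler User-Agent gets a different answer
    elif as_user == 410:
        verdict = "gone"           # preferred: removed from the index more quickly
    elif as_user == 404:
        verdict = "not-found"      # acceptable, slower to drop
    else:
        verdict = "still-served"   # 200 or anything else: cleanup incomplete
    return {"url": url, "user": as_user, "crawler": as_crawler, "verdict": verdict}

def removal_sitemap(results):
    """Sitemap of URLs confirmed 404/410, to submit so that they are recrawled."""
    locs = "".join(f"  <url><loc>{escape(r['url'])}</loc></url>\n"
                   for r in results if r["verdict"] in ("gone", "not-found"))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n'
            f"{locs}</urlset>\n")

# Constructed responses standing in for a live site: (browser status, crawler status).
SAMPLE = {
    "https://my-website-domain.com/jp-items/101.html": (410, 410),
    "https://my-website-domain.com/jp-items/102.html": (404, 200),
    "https://my-website-domain.com/jp-items/103.html?a=1&b=2": (404, 404),
    "https://my-website-domain.com/jp-items/104.html": (200, 200),
}

def sample_fetch(url, user_agent):
    return SAMPLE[url][1 if user_agent == CRAWLER_UA else 0]

def run_sample():
    return [check_url(url, fetch=sample_fetch) for url in SAMPLE]
```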

How to Prevent a Japanese Keyword Hack?

Your website has been attacked and you do not want a Japanese Keyword Hack to happen again, or you simply want to secure it before suffering such an attack? Here are some rules that should greatly reduce the risks.

Keep your CMS Updated

If you use a CMS (WordPress, Magento, Prestashop, etc.), it’s vital to keep up with updates, as they often fix security vulnerabilities and thus prevent a Japanese Keyword Hack. So, it is necessary to update within days or weeks following the release if technically feasible.

Before the update, do not forget to back up your website.

Be Careful With Third-Party Plugins and Themes

For the plugins and themes that you can install on your website (especially on WordPress), there are two important points to consider:

  • Like the CMS, regularly update your website’s extensions and themes.
  • Do not download themes and extensions from unsafe sources. Several large platforms exist where you can find WordPress themes and extensions, for example, so it’s best to use these.

Set Up a Firewall on your Website

To avoid any risk of new attacks by Japanese Keyword Hacking, simply install a firewall on your website. These help block certain attacks, check for suspicious connections, scan your website, and more.

On mainstream CMS platforms, there are several options, such as Wordfence Security or All In One WP Security & Firewall on WordPress.

Secure your credentials

Regularly change the passwords for your CMS, FTP, or database access. Create long, secure passwords and, if possible, implement two-factor authentication to avoid becoming a victim of a Japanese Keyword Hack.

SEO consequences of a Japanese Keyword Hack?

If your website undergoes a Japanese Keyword Hack, what will be the consequences for its natural search ranking? I will answer this question below and present two cases of websites that have been attacked by a Japanese Keyword Hack.

Significant traffic losses, but not always

When your website is hacked, there is usually a major impact on traffic, and this happens quite rapidly, simply because your website is affected by the creation of numerous low-quality pages. Here are the reasons:

  • The website’s internal PageRank is very quickly diluted across the real pages of the website and the tens or hundreds of thousands of hacked pages.
  • The website undergoes a de-thematisation due to the Japanese content, resulting in a significant loss of positions.
  • Google will penalise the website, as it detects spammy, low-quality content. As a result, it will be very difficult to rank or index new pages.

Among the various cases of websites affected by a Japanese Keyword Hack, there are mostly significant drops in traffic, but not always.

Case #1: A significant decline

In the first case, I will present a WordPress Woocommerce website in the B2B sphere with about 600 pages indexed before the attack.

The website underwent a Japanese Keyword Hack on January 6, and traffic plummeted just a few days after the hacking with decreases of over 80 to 90% as well as a strong drop in ranking (overall, we lost 2/3 of the keywords in the top 100 in a few days and more than that in the Top 10).


The response was quick: the vulnerabilities and the created pages were eliminated within a few days (the website was secured the day after the Japanese Keyword Hack, and in the following days a 410 was enforced on these URLs and a crawl of them was forced), yet traffic recovery was quite slow. Looking at the numbers, traffic and keywords began to recover erratically about a month and a half after the attack, with several relapses, and it took 4 to 5 months to see a better trend and stabilized traffic.


More than 6 months later, the website had returned to growth and now has good performance.

Case #2: No real impact

In the second case, we see a powerful informational website in its field with about 400 pages in Google’s index.

It underwent a Japanese Keyword Hack attack at the end of November 2021 with over 80,000 new pages indexed and was able to react within a few days by deleting all the content. The website’s traffic was almost not affected (although a slight drop is seen for a few days), nor was its ranking. However, we observe a significant increase in impressions for several weeks.


However, the website ended up ranking for more than 19,000 keywords on Google Japan and even generated some traffic.


Overall, the website almost returned to its usual traffic a month after the Japanese Keyword Hack but suffered minor consequences for almost 6 months before finding the true path to growth in June 2021.

A long-term impact

As we can see, even after quickly removing content affected by a Japanese Keyword Hack and securing its pages, the consequences can still be felt in most cases for 3 to 6 months, and if action is taken too long after the attack, the consequences may last even longer.

Interestingly, in many cases of websites that have suffered a Japanese Keyword Hack, it becomes impossible to index new content for several months, even in Case 2, where the website had few consequences but could not index new pages for about 3 to 4 months.

Why? Simply because Google temporarily blacklists the website from indexing to avoid re-indexing hacked content. You therefore need to clean up your index to be accepted by Google again.
