The first clue that you have been hit by the Japanese keyword hack lies in its name: Japanese words appear on your site for no apparent reason. The main purpose of this hack is to create multiple new pages with autogenerated Japanese text on your site, placed under randomly generated directory names and carrying external links.
How does it work?
The hacker uses your site as a medium to direct your traffic to sites filled with affiliate links to online stores selling fake brand merchandise, and earns money from it. In the process, your site’s purpose and your customers’ trust are compromised.
The detailed strategy followed by the hacker includes adding themselves as property owners on the Google Search Console and tampering with the site’s settings such as sitemaps and geotargeting. Usually, you receive a notification indicating that someone has modified your settings and verified your site with the Search Console – that’s a strong indicator that you have been hacked.
Your initial steps
- Check the ‘Security Issues’ tab under the Search Console to see if Google has detected the presence of the hack on your site or any specific sites.
- Otherwise, you can discover pages like these by typing ‘site:_your site URL_’ into the Google Search window, where the URL is the root-level URL of your site. This shows you the pages of your site that Google has indexed, including pages that may contain the hack. You’ll most likely see web pages infected with the Japanese keyword hack. Go through a couple of them to verify the hack.
- If the second tactic doesn’t deliver results, you can use the same search terms in a different search engine.
If you click the link of a hacked page, you are usually redirected to another site or shown a page filled with meaningless content. You may also see an ‘Error 404’ message or a notice that the page doesn’t exist. Do not take this at face value: hackers commonly use this trick, called ‘cloaking content’, to fool you into thinking that the page is gone or that the site is fixed and functioning.
To check for cloaking, enter your site’s URL in the ‘Inspect URL’ tool, which will remove the effect and show you the hidden content.
All of these issues point towards your site being hacked.
What can you do to fix this hack?
Your first step in any situation like this should be to make offline copies of the site’s files before removing anything, which helps with restoration later. The ideal solution is to back up the entire site before proceeding further. Save the files in a location that is off your server, or spend some time searching for the best backup options for the particular content management system (CMS) that you use. If you use a CMS, remember to back up the database as well.
- Removing new accounts from the Search Console
If new users that you do not recognize have been added to the Search Console, remove their access privileges quickly. If you need to confirm which users are verified for your site, check the ‘Search Console verification page’; the list is given under ‘Verification details’ of the site.
To remove a user, you also need to get rid of the associated verification token (usually an HTML file in the root of your site, or a dynamically generated ‘.htaccess’ file made to appear as an HTML file). If you’re unable to find it, look for a ‘rewrite’ rule in your ‘.htaccess’ file.
- Check the ‘.htaccess’ file
Hackers also misuse ‘.htaccess’ file rules to redirect unsuspecting users to spam websites or to create pages filled with gibberish (like randomly generated Japanese keywords). If you don’t have custom rules in the ‘.htaccess’ file, it is better to replace it with a clean copy.
Search for the locations of the file in your CMS and make a note of them, then replace each file with a clean or default copy. If you have a single ‘.htaccess’ file, you can always find the default version easily. If you have multiple files, each one needs to be replaced with a clean version.
- Remove malicious files
Here, you can delete and replace all core files that come under the default distribution, along with any themes, plugins or extensions you may have added. Make sure to check the sitemap file for suspicious links, and look for suspicious PHP files that may have been recently modified.
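The cleanup steps above (‘.htaccess’ rewrite rules, Search Console verification token files, recently modified PHP files) can be gathered into one read-only review list. The following Python script is an added example, not part of the original article; the function names, the 30-day window, the demo tree and the assumption that HTML-file tokens are named google<hex>.html are this example’s own.

```python
import os
import re
import tempfile
import time

# Directives that can redirect visitors or serve generated pages and tokens.
REWRITE_RE = re.compile(r"^\s*(Rewrite(Rule|Cond)|Redirect\w*)\b", re.I)
# Assumption: Search Console HTML-file tokens are named google<hex>.html.
TOKEN_RE = re.compile(r"^google[0-9a-f]+\.html$", re.I)


def triage(site_root, recent_days=30):
    """Collect items to review by hand; nothing is modified or deleted."""
    cutoff = time.time() - recent_days * 86400
    report = {"htaccess_rules": [], "verification_tokens": [], "recent_php": []}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root)
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if REWRITE_RE.match(line):
                            report["htaccess_rules"].append((rel, lineno, line.strip()))
            elif TOKEN_RE.match(name):
                report["verification_tokens"].append(rel)
            elif name.lower().endswith(".php") and os.path.getmtime(path) >= cutoff:
                report["recent_php"].append(rel)
    return {key: sorted(items) for key, items in report.items()}


def make_demo_site():  # CONSTRUCTED sample tree, used only for the demo run
    root = tempfile.mkdtemp(prefix="demo_site_")
    os.mkdir(os.path.join(root, "cache"))
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^shop/(.*)$ /cache/x.php?p=$1 [L]\n",
        "google0123456789abcdef.html": "constructed token file\n",
        "index.php": "<?php // old core file\n",
        os.path.join("cache", "x.php"): "<?php // recently written file\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "index.php"), (0, 0))  # backdate: not "recent"
    return root


if __name__ == "__main__":
    for section, items in triage(make_demo_site()).items():
        print(section, *items, sep="\n  ")
```

Your own verification file and legitimate CMS rewrite rules will be listed too, so compare each entry against ‘Verification details’ and a clean copy of the CMS before removing anything.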
To confirm that these steps have worked, repeat the checks given initially for detecting the hack. You can also follow this extensive Japanese keyword hack removal guide to remove the hack completely from your website.