How to Remove Spam URLs from Google After a Japanese Virus Hack

• 5 May 2026 |
• Isuruhe

How to Remove Spam URLs from Google After a Japanese Virus Hack

If your website has been hacked and Google is showing strange Japanese titles, fake product pages, casino links, spam URLs, or unknown pages under your domain, your site may be affected by a Japanese SEO spam hack. This type of attack can damage your SEO rankings, reduce customer trust, and make your business look unsafe online.

The good news is that this problem can be fixed. But the order matters. You should not only remove URLs from Google. First, you must clean the hacked website, remove the malware, fix the security issue, and then ask Google to remove or re-crawl the spam URLs.

Important: If the website is still infected, spam URLs can come back again even after you remove them from Google Search Console. Always clean and secure the website first.

What Is a Japanese SEO Spam Hack?

A Japanese SEO spam hack is a type of website malware attack where hackers create hidden spam pages on your website. These pages often appear in Google with Japanese text, fake product listings, strange titles, casino keywords, adult keywords, pharmaceutical terms, or random foreign-language content.

In many cases, the real website looks normal to the owner. But Google has already found and indexed thousands of hidden spam URLs. This is why many business owners only notice the problem after checking Google Search Console or searching their website on Google.

A simple Google search can show the issue:

site:yourdomain.com

Replace yourdomain.com with your real domain name. If you see strange Japanese pages, fake product pages, or spam titles, your website may be infected.

How This Hack Hurts Your SEO and Business

A Japanese virus hack is not only a technical problem. It directly affects your online presence, Google rankings, brand name, leads, sales, and customer trust.

1. Google May Index Thousands of Fake Pages

Hackers often create many spam URLs inside your website. Google may crawl and index those pages. When this happens, your clean website becomes mixed with low-quality spam content.

This can confuse Google and reduce the quality signals of your domain.

2. Your Real SEO Pages Can Lose Rankings

If Google detects hacked content, your important pages can lose visibility. Your homepage, service pages, product pages, blog posts, and local SEO pages may drop in search results.

3. Customers May Lose Trust

When a customer searches your business name and sees Japanese spam pages or dangerous website warnings, they may think your business is unsafe. This can damage your brand reputation very quickly.

4. Your Website Can Show Security Warnings

Google, browsers, and antivirus tools may show warnings such as “This site may be hacked” or “Deceptive site ahead.” These warnings can stop visitors from entering your website.

5. Crawl Budget Can Be Wasted

Instead of crawling your real business pages, Googlebot may waste time crawling thousands of spam URLs. This can slow down the indexing and ranking of your important pages.

Common Signs of Japanese SEO Spam

You may have a Japanese malware hack if you notice these signs:

• Japanese titles appearing in Google search results.
• Random spam URLs indexed under your domain.
• Fake product pages showing in Google.
• Casino, loan, adult, pharma, or shopping spam keywords.
• Unknown pages inside Google Search Console.
• Sudden SEO traffic drop.
• Google Search Console security warning.
• Website redirects to another website.
• Unknown WordPress admin users.
• Suspicious PHP files inside the uploads folder.
• Modified .htaccess file.
• Fake sitemap submitted in Search Console.

You can check your site with these Google searches:

site:yourdomain.com
site:yourdomain.com Japanese
site:yourdomain.com casino
site:yourdomain.com viagra
site:yourdomain.com loan
site:yourdomain.com product
site:yourdomain.com shop

Step-by-Step Guide to Remove Spam URLs from Google

Follow this process carefully. Do not skip the cleanup stage. Google removal tools are only useful after the hacked content has been removed from the website.

Step 1: Backup Your Website First

Before deleting anything, take a full backup of your website. This helps you recover files if something important is removed by mistake.

Backup these items:

• Website files
• WordPress database
• wp-content folder
• .htaccess file
• wp-config.php file
• Current plugin and theme list

Do not restore an old backup blindly. If the backup already contains malware, restoring it can bring the infection back.

Step 2: Check Google Search Console

Open Google Search Console and check these areas:

Google Search Console > Security Issues
Google Search Console > Pages
Google Search Console > Sitemaps
Google Search Console > Removals
Google Search Console > Settings > Users and permissions

Look for unknown users, strange sitemap files, indexed spam URLs, hacked content warnings, or security issues.

If you see an unknown verified owner, remove that user immediately after confirming your own account has full access.

Step 3: Remove Unknown WordPress Users

Go to your WordPress dashboard and check all admin users:

WordPress Dashboard > Users > All Users

Delete unknown admin users. Hackers often create hidden admin accounts so they can access the website again after cleanup.

After removing suspicious users, change passwords for:

• WordPress admin account
• Hosting account
• FTP or SFTP account
• Database user
• Google account
• Cloudflare account
• Email accounts connected to the website

Step 4: Scan the Website for Malware

Use a trusted security scanner such as Wordfence, Sucuri, MalCare, or your hosting malware scanner. For WordPress websites, Wordfence is one of the most useful tools because it can scan WordPress core files, theme files, plugin files, and suspicious code changes.

Check these common infected locations:

/wp-content/uploads/
/wp-content/cache/
/wp-content/plugins/
/wp-content/themes/
wp-config.php
.htaccess
index.php
functions.php
header.php
footer.php

Also check the WordPress database:

wp_users
wp_usermeta
wp_options
wp_posts
wp_postmeta

Step 5: Remove Suspicious Files and Backdoors

Japanese SEO spam often comes back because a hidden backdoor file remains inside the website. You need to remove both the spam pages and the hidden backdoor.

Look for suspicious code patterns such as:

eval(
base64_decode(
gzinflate(
str_rot13(
shell_exec(
passthru(
FilesMan
wp-vcd
random PHP files inside uploads folder

Be careful when deleting files. Some words can also appear inside legitimate plugin files. If you are not sure, compare the file with a clean version from the official plugin, theme, or WordPress source.

Step 6: Replace WordPress Core Files

Download a fresh copy of WordPress from the official source and replace the core files. Do not replace the wp-content folder or wp-config.php without checking first.

Usually, you can replace these safely with fresh WordPress files:

/wp-admin/
/wp-includes/
WordPress root core files

But carefully review these before editing:

/wp-content/
wp-config.php
.htaccess

Step 7: Update Plugins, Themes, and WordPress Core

Outdated plugins and themes are one of the most common reasons WordPress websites get hacked.

Update:

• WordPress core
• Active theme
• All plugins
• PHP version if your hosting uses an old version

Delete:

• Unused themes
• Unused plugins
• Nulled plugins
• Cracked premium themes
• Unknown plugin folders

Step 8: Clean the Sitemap

Check your sitemap and make sure it only contains real website pages.

https://yourdomain.com/sitemap_index.xml
https://yourdomain.com/page-sitemap.xml
https://yourdomain.com/post-sitemap.xml
https://yourdomain.com/product-sitemap.xml

If you use Rank Math or Yoast SEO, regenerate your sitemap after removing spam pages.

Then submit the clean sitemap again:

Google Search Console > Sitemaps > Submit Sitemap

Step 9: Make Spam URLs Return 404 or 410

After removing the spam pages, those URLs should return either 404 Not Found or 410 Gone.

• 404 Not Found: The page does not exist.
• 410 Gone: The page is permanently removed.

For known spam URLs, 410 is usually better because it clearly tells Google the page is permanently gone.

Do not redirect all spam URLs to your homepage. This can create soft 404 issues and confuse Google.

Example Apache .htaccess rule for one spam folder:

Redirect gone /spam-folder/
Redirect gone /fake-product/
Redirect gone /japanese-spam/

Only use this if those folders are definitely spam. Do not block real service pages or product pages.

Step 10: Use Google Search Console Removals Tool

After the website is cleaned and spam URLs are returning 404 or 410, use the Removals tool to hide urgent spam URLs from Google search results.

Google Search Console > Removals > New Request

You can remove a single URL:

https://yourdomain.com/example-spam-page/

Or remove all URLs under a spam folder prefix:

https://yourdomain.com/spam-folder/

Use prefix removal only when you are 100% sure the full folder contains spam URLs.

Step 11: Request Google Security Review

If Google Search Console shows a Security Issues warning, request a review after completing the cleanup.

Google Search Console > Security Issues > Request Review

You can use this message:

We cleaned the hacked website and removed Japanese SEO spam pages. We removed malicious files, cleaned infected WordPress files, checked the database, removed unknown admin users, cleaned the .htaccess file, updated WordPress core, updated plugins and themes, changed all passwords, enabled security protection, and submitted a clean sitemap. The website is now clean and ready for review.

Step 12: Request Indexing for Important Clean Pages

After cleanup, request indexing for your most important pages.

Google Search Console > URL Inspection > Enter URL > Request Indexing

Request indexing for:

• Homepage
• Main service pages
• Product pages
• Contact page
• Important blog posts
• Location pages

Do not request indexing for spam URLs. Spam URLs should return 404 or 410.

How to Block PHP Execution in Uploads Folder

Many WordPress malware attacks place PHP files inside the uploads folder. In most normal WordPress websites, PHP files should not run from the uploads directory.

You can create an .htaccess file inside:

/wp-content/uploads/

Then add this rule:

<FilesMatch "\.php$">
  Require all denied
</FilesMatch>

For older Apache servers, this version may be needed:

<FilesMatch "\.php$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

Important: Test your website after adding this rule. Most websites work fine, but some custom plugins may use unusual file behavior.

How to Disable File Editing in WordPress

WordPress has a built-in theme and plugin file editor. If a hacker gets admin access, they can use this editor to inject malicious code. It is safer to disable file editing.

Add this line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Add it before this line:

/* That's all, stop editing! Happy publishing. */

How to Prevent Japanese SEO Spam from Happening Again

Cleaning the website is only half of the job. After cleanup, you must secure the website. If you do not fix the original weakness, hackers can attack the website again.

Use This Prevention Checklist

• Install and configure Wordfence Security.
• Enable the Wordfence firewall.
• Enable two-factor authentication for admin users.
• Use strong unique passwords.
• Remove unused admin accounts.
• Update WordPress core, plugins, and themes regularly.
• Delete unused plugins and themes.
• Never use nulled plugins or cracked themes.
• Use Cloudflare for DNS, firewall, and bot protection.
• Keep daily or weekly off-site backups.
• Block PHP execution inside uploads folder.
• Disable WordPress file editing.
• Monitor Google Search Console weekly.
• Check indexed pages using site:yourdomain.com.
• Use reliable hosting with malware scanning.

Best Tools to Remove and Prevent WordPress Malware

These tools are useful for WordPress malware cleanup, spam URL removal, and future website protection:

• Google Search Console: Check indexed spam URLs, security warnings, sitemaps, and removal requests.
• Wordfence Security: Scan WordPress files, detect malware, configure firewall rules, and improve login security.
• Cloudflare: Add DNS protection, firewall rules, bot filtering, and DDoS protection.
• Rank Math or Yoast SEO: Regenerate clean XML sitemaps after cleanup.
• UpdraftPlus, BlogVault, or hosting backups: Keep clean off-site backups.
• Sucuri SiteCheck: Run external website security checks.
• Hosting malware scanner: Check server-side infected files.

Simple Recovery Flow

Here is the simple process to follow:

Find spam URLs
↓
Backup the website
↓
Remove unknown users
↓
Scan and clean malware
↓
Remove infected files and database spam
↓
Update WordPress, plugins, and themes
↓
Remove fake sitemap files
↓
Make spam URLs return 404 or 410
↓
Submit clean sitemap
↓
Use Google Search Console Removals Tool
↓
Request Google Security Review
↓
Request indexing for important clean pages
↓
Secure the website to prevent reinfection

When Should You Get Professional Help?

You should get professional help if your website has many spam URLs, Google security warnings, unknown admin users, repeated reinfections, hidden redirects, or suspicious PHP files that you cannot safely identify.

Malware cleanup is not just deleting visible spam pages. A proper cleanup should include file scanning, database checking, backdoor removal, user access review, sitemap cleanup, Google Search Console review, and website security hardening.

Need Help Removing Japanese SEO Spam?

Zigma Solutions provides professional WordPress malware removal, hacked website repair, Japanese SEO spam cleanup, Google spam URL removal guidance, Wordfence setup, and website security hardening for small business websites.

If your website is already hacked, visit our WordPress Malware Removal Service.

If you want to protect your website before another attack, check our WordPress Security Setup with Wordfence and 1 Year Support.

Frequently Asked Questions

Can I remove spam URLs from Google without cleaning the website?

You can temporarily hide URLs using Google Search Console, but this will not fix the real problem. If the website is still infected, spam URLs can come back again. Always clean the website first.

Should I redirect spam URLs to my homepage?

No. Redirecting hacked spam URLs to the homepage is not a good solution. It can create soft 404 issues and confuse Google. It is better to make spam URLs return 404 or 410.

How long does Google take to remove spam URLs?

It depends on how many spam URLs were indexed and how often Google crawls your website. Some URLs can be hidden quickly with the Removals tool, but full cleanup from the index may take days, weeks, or sometimes longer.

Why did my WordPress website get hacked?

Common reasons include outdated plugins, outdated themes, weak passwords, nulled plugins, poor hosting security, no firewall, no two-factor authentication, and hidden vulnerabilities in old website files.

Can Japanese SEO spam hurt my business?

Yes. It can reduce Google rankings, damage customer trust, show spam pages under your brand name, reduce leads, and make your website look unsafe.

What is the best way to prevent this attack again?

Use Wordfence, Cloudflare, strong passwords, two-factor authentication, regular updates, off-site backups, malware scanning, and regular Google Search Console monitoring.

Final advice: The safest recovery method is to clean the hacked website first, make spam URLs return 404 or 410, submit a clean sitemap, use Google Search Console removals, request a security review if needed, and then harden WordPress to stop the hack from coming back.