Imagine waking up, opening your e-commerce store, and seeing your entire frontend covered in Japanese characters. Worse, when you check Google, your brand’s search results are hijacked by thousands of fake Japanese pages selling counterfeit products.
This is exactly what happened to a WooCommerce store we recently rescued at Exvilo. They were hit by the notorious “Japanese Keyword Hack.”
But the visual damage wasn’t even the worst part. The most terrifying aspect of this attack was its persistence. The store owner had previously tried to clean the site, but no matter how many times they deleted the malicious files, the virus kept coming back the very next day.
Here is a breakdown of how this aggressive malware operates, why it keeps returning, and the exact steps we took to permanently eradicate it.
What is the Japanese Keyword Hack?
This specific malware doesn’t want to break your site; it wants to use your domain’s authority to boost its own spam sites. It generates thousands of auto-translated Japanese pages directly on your server.
When Google crawls your site, it indexes these spam pages instead of your actual products. Almost instantly, your organic traffic dies, and your customers are left confused by a broken, foreign-language storefront.
Why Did the Virus Keep Coming Back?
This is the “Whack-a-Mole” phase of malware removal. Hackers know that basic security plugins will eventually flag their bad code. To survive, they leave deeply hidden “backdoors” across the server.
During our deep-dive investigation, we found why the virus was regenerating:
- Hidden Cron Jobs: The hackers had set up malicious cron jobs (automated server tasks) that pinged an external server every night to re-download the malware if it was deleted.
- Obfuscated Backdoors: They hid tiny execution scripts inside innocent-looking core WP files and fake image uploads (
.jpg.php). If even one of these scripts is left behind, the hacker can regenerate the entire infection with a single click.
The Exvilo Cleanup Process (How We Killed It Permanently)
You cannot fix a persistent hack just from the WordPress dashboard. We had to go straight to the root server level.
1. Stopping the Bleeding: We temporarily put the site in a hard maintenance mode and cut off external server communication to stop the automated reinfections.
2. Deep Server Scrubbing: We didn’t just delete the Japanese pages. We completely purged the wp-admin and wp-includes folders, replacing them with fresh WordPress core files. We manually combed through the wp-content/uploads directory to find and delete the disguised PHP backdoors.
3. Database & Cron Job Purge: We went into phpMyAdmin to clear out the thousands of fake Japanese products and rogue spam links. More importantly, we accessed the server’s control panel and wiped the malicious cron jobs that were pulling the virus back in.
4. The SEO Recovery (301 Redirects): Deleting the malware doesn’t magically fix Google. Google still had thousands of Japanese URLs indexed. We implemented global 410 (Gone) redirect rules via the .htaccess file, telling Google to immediately drop those fake links from their search results to restore the store’s original ranking.
5. Hardening the Fortress: Finally, we rotated all database passwords, reset all WordPress salts, and installed a strict Web Application Firewall (WAF) to block the IP addresses the hackers were using.
Your Store Needs More Than Just a Free Plugin
The Japanese Keyword Hack is aggressive, and it almost always exploits an outdated plugin or weak shared hosting environments. If a virus keeps returning, it means your server is compromised at a level a basic security scan simply cannot reach.
If your WooCommerce store is acting strangely, showing weird characters, or you suspect you have a persistent infection, don’t let it ruin your SEO and customer trust.
At Exvilo, we specialize in deep-level WooCommerce malware extraction, backdoor removal, and enterprise security setups.