How to Fix “Japanese Keyword Hack” in WordPress (The Hard Way)

MD Pabel January 30, 2026

Quick Fix: Japanese Keyword Hack (.htaccess Method)

If your WordPress site is creating thousands of spam pages, follow these steps to block the attack at the server level:

  1. Backup: Download a copy of your current .htaccess file.
  2. Whitelist Admins: Ensure your code allows /wp-admin/ access.
  3. Block Spam Patterns: Use Regex to identify URLs with random number strings (e.g., ?a=123456).
  4. Force 410 Errors: Tell Google these pages are “Gone Forever” (410) instead of “Missing” (404) to clear them from search results faster.
  5. Save CPU: Use a lightweight custom error message to prevent server crashes.

If you check your site on Google and see thousands of weird pages with Japanese characters selling fake products, you have been hit by the Japanese Keyword Hack.

This is a very common virus (also known as the “Japanese SEO Spam”). It creates thousands of fake links on your site to manipulate Google rankings.

Most people try to fix this with a security plugin. But plugins often crash your site because they can’t handle thousands of bots hitting you at once. They run on PHP, which consumes high server resources.

In this guide, I will show you how to block these attacks manually using a Server-Side Firewall. We will do this by editing a file called .htaccess. This blocks the bad bots before they even touch your WordPress installation.

Example of what the Japanese Keyword Hack looks like in Google Search.

Step 1: Why “410 Gone” is Better Than “404 Not Found”

When you delete a file, your site normally shows a 404 Error.

  • 404 means: “I can’t find this page right now. Please check back later.”
  • Google thinks: “Okay, maybe it was a mistake. I will keep this link in my database and check again next week.”

This is bad! You want Google to forget these spam links immediately so your SEO recovers.

That is why we use 410 Gone.

  • 410 means: “This page is dead. It is removed forever. Do not come back.”
  • Google thinks: “Understood. I will delete this from my database immediately.”

By using 410, you clean up your Google search results much faster.


Step 2: Saving Your Server CPU

When a bad bot visits your site, your server normally loads your theme, your logo, your menu, and your footer just to show an error page. This uses a lot of power (CPU).

If 10,000 bots hit you, your server will crash.

We can fix this by forcing the server to show a plain white screen with simple text. Add this to the top of your .htaccess file:

# 1. FORCE SIMPLE TEXT RESPONSE
# This stops your heavy theme from loading for spam bots.
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"

Now, when we block a bot, it only gets a tiny line of text. Your server stays fast.


Step 3: The “Safe List” (Don’t Lock Yourself Out!)

Before we start blocking things, we must make sure you are safe. We don’t want to accidentally block the Admin area or the Login page.

This code says: “If the user is trying to log in or is an admin, let them pass immediately.”

<IfModule mod_rewrite.c>
RewriteEngine On

# 2. GLOBAL WHITELIST (The Safe List)
# If the URL is for Admin or Login, skip the rest of the rules [L]

RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]

  • [L] means “Last Rule”. It tells the server: “This request is for the admin or login area. Stop checking and let it through.”

Step 4: Blocking the “Bad Words”

The easiest way to stop spam is to look for obvious bad words in the URL. If a URL contains words like “casino” or “poker,” it is almost certainly spam. We can block these instantly.

# 3. BLOCK PATHS (The Bad Words Filter)
# If the browser asks for any of these words, block it.

RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
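RewriteRule ^(.*)$ - [R=410,L]

  • %{THE_REQUEST} checks the raw request line the browser sent to the server (method, path, and query string).
  • [R=410] tells the server to send the “410 Gone” error we set up in Step 2.
  • The match is a plain substring test, so a legitimate URL such as /updating-plugins/ (which contains “dating”) is blocked too. Trim the list to the words that actually appear in your spam URLs.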

Example of spam URLs containing keywords like casino and poker in search results


Step 5: Blocking the “Random Number” Trick

This is the smartest part of the virus. The virus often adds random numbers to your URL to make it look unique. It looks like this:

  • your-site.com/?a=83748293
  • your-site.com/?x=99384721

It uses a single letter (like a or b or x) followed by many numbers. Legitimate plugins rarely do this.

Spam URLs showing the random number query string pattern ?a=12345678

We can use “Regular Expressions” (Regex) to find this pattern and kill it.

# 4. BLOCK QUERY PARAMETERS (The Pattern Killer)
# Pattern: A single letter (a-z) followed by 8 or more digits

RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]

  • [a-z] means “Any letter from a to z”.
  • [0-9]{8,} means “Any number that is 8 digits or longer.”
  • If a URL matches this pattern, it gets the 410 error instantly.

Step 6: Blocking Fake Folders

Finally, the Japanese spam often tries to create fake folders. Even though these folders don’t exist on your server, the virus tricks WordPress into showing pages for them. Common fake folders are /jp/ (for Japan) or /products/.

# 5. BLOCK SPAM FOLDERS
# If the URL starts with these folders, block it.

RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>

Note: The last line (.*)\.html$ blocks any URL ending in .html. Most WordPress sites do not use .html files (they use folders like /about-us/). If your site uses .html, remove that line.

Spam URLs showing fake directories like /jp/ and /products/ mixed with Japanese text


Summary: The Complete Code

This firewall is powerful because it works Server-Side. A bot visits, Apache sees the pattern and serves a 410 error, and WordPress never loads. Your database stays safe and your CPU stays low.

Here is the full code block to copy into your .htaccess file:

# --- START JAPANESE HACK FIREWALL ---
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"

<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Whitelist Admins
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]

# 2. Block Bad Words
RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 3. Block Query Patterns (?a=12345678)
RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 4. Block Spam Folders
RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>
# --- END FIREWALL ---

Caution: Always back up your .htaccess file before editing it! One wrong character can break your site. If that happens, just restore the backup.
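Before deploying, it helps to replay your own legitimate URLs (from a sitemap or access log) through the same patterns and see which ones would be answered with 410. The script below is an added example, not part of the original article: it mirrors the rule order of the block above using Python's re module in place of Apache's regex engine, does not model percent-decoding, and uses constructed sample URLs.

```python
import re
from urllib.parse import urlsplit

NC = re.IGNORECASE  # mirrors the [NC] flag
WHITELIST = re.compile(r"^/wp-admin/|^/wp-login\.php|^/reset-password/", NC)
BAD_WORDS = re.compile(
    r"(casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating)", NC)
QUERY = re.compile(r"(^|&)[a-z]=[0-9]{8,}", NC)
# The folder rules carry no [NC], so they stay case-sensitive.
FOLDERS = [re.compile(p) for p in
           (r"^products/([0-9]+)", r"^pages/(.*)", r"^jp/(.*)", r"^(.*)\.html$")]


def verdict(url, method="GET"):
    """Return the first rule that fires for a site-relative URL, or 'pass'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    request_line = f"{method} {path}{'?' + parts.query if parts.query else ''} HTTP/1.1"
    if WHITELIST.search(path):            # REQUEST_URI keeps the leading slash
        return "whitelist"
    if BAD_WORDS.search(request_line):    # THE_REQUEST is the whole request line
        return "410 bad-word"
    if QUERY.search(parts.query):
        return "410 query"
    rel = path.lstrip("/")                # .htaccess RewriteRule sees no leading slash
    if any(p.search(rel) for p in FOLDERS):
        return "410 folder"
    return "pass"


def false_positives(legit_urls):
    """Legitimate URLs that the firewall would answer with 410."""
    results = {u: verdict(u) for u in legit_urls}
    return {u: v for u, v in results.items() if v.startswith("410")}


# Constructed sample URLs (not taken from a real site).
SPAM = ["/?a=83748293", "/jp/12345", "/best-online-casino/", "/products/991"]
LEGIT = ["/about-us/", "/wp-admin/post.php?post=12&action=edit",
         "/blog/updating-plugins-safely/",   # contains "dating"
         "/shop/?t=1706600000",              # one-letter timestamp parameter
         "/?s=poker+night+recipes"]          # site search for a listed word

if __name__ == "__main__":
    for url in SPAM + LEGIT:
        print(f"{verdict(url):<13} {url}")
    print("false positives:", false_positives(LEGIT))
```

Any URL reported as a false positive needs either a narrower pattern or its own exception above the blocking rules.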


About the Author

MD Pabel


MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.