This article explains Japanese SEO Spam, a type of malware that embeds fake Japanese product sites in WordPress.

Unrecognizable Japanese product sites in search results

If searching for your WordPress site's domain name returns a large number of Japanese e-commerce pages that you do not remember uploading, it is possible that your site has been tampered with.

These fake Japanese product pages are called Japanese SEO Spam, and it is a very common type of malware today.

Why and how are sites being defaced?

In 60% of cases, WordPress sites are defaced and have pages like the above embedded through vulnerabilities in old WordPress plugins that have not been updated for a long time.
In 20% of cases, the administrator's password is vulnerable and the site is defaced by someone who hijacks the administrator's privileges.

You can check WordPress plug-ins for vulnerabilities with:
Free WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal]

Japanese SEO Spam is often embedded in your site with code like the following:

@include(/var/www/************/.*****.log)

The *** parts stand for the path on the server.

The file extension may be .log, .mo, .jpg, .gif, etc., but whatever the extension, this file contains the body of the malicious code, which outputs fake pages of Japanese products and registers them with search engines.
Through these fake pages, hackers steal users' credit card information or direct users to fraudulent sites.

What if I am infected with Japanese SEO Spam?

If you are infected with Japanese SEO Spam and you see symptoms such as a large number of Japanese-language e-commerce pages that you do not remember uploading appearing in search results, you need to remove this embedded malware.

Remove loading code such as the aforementioned

@include(/var/www/************/.*****.log)

and also remove the body of the malicious code that it reads and loads.

The loading code can be located in a variety of places, but it is most commonly embedded in index.php and wp-config.php in the theme or WordPress installation directory.
WordPress sites typically contain as many as 10,000 files in total, so it can be very difficult to locate the loading code by eye.

The main body of malware code to be loaded is located at the server path /var/www/************/.*****.log.
(If it is obfuscated, you can un-obfuscate it at this site.)
Delete this malware itself as well.
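
To locate loader lines like the @include above across a whole WordPress tree, the following added example (not code from this article or from any plug-in) scans PHP files for include/require statements that point at dotfiles or at files with the extensions listed earlier. The function names, the sample tree and the payload name .cache.log are constructed for illustration, and only literal paths are matched.

```python
import os
import re
import tempfile

# Extensions the article lists for disguised payload files.
DISGUISE_EXTS = {".log", ".mo", ".jpg", ".gif"}
# An include/require statement (with or without "@") and its argument text.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b([^;\n]*)", re.I)
# Path-like tokens inside the argument, quoted or not.
TOKEN_RE = re.compile(r"[^\s\"'()]+")

def suspicious_target(token):
    """True for a non-PHP dotfile or a file with a disguise extension."""
    name = os.path.basename(token)
    ext = os.path.splitext(name)[1].lower()
    hidden = name.startswith(".") and name.strip(".") != ""
    return ext in DISGUISE_EXTS or (hidden and ext != ".php")

def find_loaders(root):
    """Return (php_file, line_no, included_path) for each suspect include."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for stmt in INCLUDE_RE.finditer(line):
                        for tok in TOKEN_RE.findall(stmt.group(1)):
                            if suspicious_target(tok):
                                hits.append((full, no, tok))
    return hits

def build_sample_tree(root):
    """Constructed sample: one clean file and one file carrying a loader line."""
    payload = os.path.join(root, "wp-content", ".cache.log")  # made-up name
    os.makedirs(os.path.dirname(payload))
    open(payload, "w").close()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\nrequire_once ABSPATH . 'wp-settings.php';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n@include('%s');\n" % payload)
        fh.write("require __DIR__ . '/wp-blog-header.php';\n")
    return payload

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for php_file, line_no, target in find_loaders(tmp):
            print("%s:%d loads %s" % (php_file, line_no, target))
```

Each hit gives both the file holding the loading code and the path of the payload file it loads, which are the two things to remove.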

However, it is often very difficult to remove malware manually, so we recommend using a malware scanning plug-in or consulting a specialist.

WordPress Vulnerability Prevention

Once the malware has been removed, the next step is to close the vulnerabilities that allowed the site to be defaced. (Otherwise, the same vulnerability could be exploited and the same malware could be embedded again.)

Please refer to the article below for the most basic security measures.

5 Free WordPress Security Measures