Japanese Spam on a Cleaned WordPress Site: The Hidden Sitemap Problem

  • January 15, 2025
Japanese spam on a cleaned WordPress site

While investigating a compromised WordPress site, we discovered a malware infection causing Japanese spam links to appear in Google search results. Although the site had been cleaned, Google was still crawling and indexing spammy URLs, which impacted the site’s SEO and credibility.

Japanese SEO Spam: A Common Threat

Japanese SEO spam is a recurring issue that compromises websites to display spammy content in search engine results. Attackers often inject malicious URLs or sitemaps into a site’s infrastructure to manipulate its search rankings. We’ve covered similar cases in the past, including How to Find and Fix Japanese SEO Spam, which outlines the broader impact of such attacks.

Japanese SEO spam

The Problem: Japanese Spam URLs Persisting

The site owner initially reported an influx of spam links showing in Google search results, even though the site displayed no visible spam content. The Google Search Console (GSC) was reporting an increasing number of spam URLs in the format:

domainname/?m=XXXXXXXXX

These URLs were indexed as Japanese spam results, misleading users and harming the site’s reputation. Here, XXXXXXXXX is a random string of numbers used to generate unique spam URLs. Attempts to access these spam URLs returned 404 errors, they were still being crawled and indexed by Google, creating an SEO issue for the site owner.

Discovery and Investigation

Since the site continued indexing spam URLs, even after cleaning Google Search Console, this indicated that either there is something cached or the malicious URLs still exist somewhere. During our investigation, we discovered a file named spamurl.txt in the root directory. This file was configured as a sitemap in GSC, prompting Google to crawl over 3,000 spam URLs. The number of indexed spam URLs continued to rise in GSC, signaling that the sitemap was actively enabling the spam campaign.

crawled spam URLs

The content in the spamurl.txt file looked like this:

spamurl file contents

Mitigating the Spam

Removing the Spam File: We identified and deleted the spamurl.txt file from the site’s root directory. This immediately stopped Google from crawling the malicious URLs listed in the file.

Updating Sitemap Settings: The file was also removed from the GSC sitemap configuration to ensure it no longer influenced Google’s crawling behavior.

Reindexing the Site: Using the URL Inspection Tool in GSC, we submitted the site for reindexing. This helped clear the spam URLs from Google’s search index and restored the site’s SEO standing.

remove sitemap

Why Did This Happen? And Key Takeaways

  • Compromised Sitemap Management: Attackers leveraged the sitemap submission settings in GSC to inject the malicious spamurl.txt file and have Google crawl spam URLs.
  • Persistent Spam URLs: Even after the visible spam was removed, the sitemap ensured spam links remained indexed.
  • Regularly audit your sitemap files and GSC settings to identify any unauthorized additions.
  • Removing malicious files is not enough; you must update GSC settings and request reindexing to clear indexed spam results.

Even after cleaning a site, Japanese spam can persist if malicious artifacts like unauthorized sitemaps are overlooked. This case highlights how attackers can persistently affect a site’s SEO and reputation even after visible spam is removed.

By exploiting sitemaps and the Google Search Console, they manipulated the site’s indexed content, causing long-term damage.

If you suspect similar activity on your site, Sucuri’s security experts are here to help with malware removal and ongoing protection.

Prevention Tips

  • Monitor Sitemaps Regularly: Frequently review your sitemap settings in GSC to detect any unauthorized additions.
  • Secure File Permissions: Restrict write access to critical directories to prevent unauthorized files from being uploaded.
  • Use a Web Application Firewall (WAF): Deploying a WAF can block malicious traffic and prevent attackers from exploiting vulnerabilities in your site.
  • Perform Routine Security Scans: Regular scans can help identify malware and suspicious files before they cause significant harm.
  • Keep Software Updated: Ensure your WordPress core, plugins, and themes are up-to-date to reduce vulnerabilities.

Additionally, ensuring Google receives 404 responses for spam URLs is critical for de-listing them, and any conflicting signals—such as a sitemap referencing these URLs—can prolong the problem.

Chat with Sucuri

Puja Srivastava is a Security Analyst with a passion for fighting new and undetected malware threats. With over 7 years of experience in the field of malware research and security, Puja has honed her skills in detecting, monitoring, and cleaning malware from websites. Her responsibilities include website malware remediation, training, cross-training and mentoring new recruits and analysts from other departments, and handling escalations. Outside of work, Puja enjoys exploring new places and cuisines, experimenting with new recipes in the kitchen, and playing chess.

Related Tags
Related Categories
You May Also Like