It sounds like your client’s site has fallen victim to a Japanese Keyword Hack. This is a common and aggressive SEO spam attack where thousands of pages of auto-generated Japanese text (often promoting counterfeit goods or gambling) are injected into the site. Because these pages are designed to be seen by search engine bots rather than human users (cloaking), they often go unnoticed until bandwidth spikes or search rankings plummet.

Since the site is hosted on Virtualmin (Debian 12), you have full root access, which makes the cleanup much more effective than on shared hosting.

Here is a comprehensive plan to sanitize the WordPress installation and harden the server.

---

Cleaning the Japanese SEO Spam Malware: A Step-by-Step Guide

1. Pre-Cleanup Preparation

Before touching the code, ensure you have a “safety net.”

• Full Backup: Use Virtualmin’s backup feature to create a snapshot of the virtual server (Files + Database).

• Go Offline: Install a “Maintenance Mode” plugin or use an .htaccess rule to redirect traffic. This prevents the malware from potentially executing further scripts while you work.

2. Identify the Entry Point

The “SEO specialist” the client hired likely had admin credentials or FTP access.

• Check Users: In the WordPress Dashboard, look for unrecognized Administrator accounts.

• Virtualmin Logs: Check the access logs at /var/log/virtualmin/domain.com_access_log. Look for suspicious POST requests to unknown .php files or unusual activity from foreign IP addresses around the time the “specialist” was active.

3. Core WordPress Reinstallation

Malware often modifies core WordPress files. The cleanest way to fix this is to replace them entirely.

1. Connect via SSH or use the Virtualmin File Manager.

2. Delete the wp-admin and wp-includes directories.

3. Delete all .php files in the root directory (except wp-config.php).

4. Download a fresh copy of WordPress from WordPress.org and upload the new wp-admin, wp-includes, and root .php files.

4. Sanitizing the wp-content Folder

This is where the malware usually hides.

• Plugins: Delete the entire /wp-content/plugins/ directory and reinstall them from the WordPress repository. Do not “update” them; delete and replace.

• Themes: If using a stock theme, delete and reinstall. If it’s a custom theme, manually inspect the functions.php and header/footer files for base64 encoded strings or eval() functions.

• Uploads: Check /wp-content/uploads/. There should be no .php files here. Use the terminal to find them:

  Bash

  find /home/linuxusername/public_html/wp-content/uploads -name "*.php"
  

  If any appear, delete them immediately.

5. Cleaning the .htaccess and index.php

Japanese SEO spam heavily relies on the .htaccess file to rewrite URLs for the fake pages.

• Open your .htaccess file. If you see complex rules redirecting to strange files, delete them. Revert to the standard WordPress .htaccess.

• Check the root index.php. It should only contain the standard WordPress bootstrap code.

6. Database Sanitization

The “Japanese keywords” are often stored in the wp_posts table or injected into the wp_options table.

• Log into phpMyAdmin or use the Virtualmin database tool.

• Search the wp_posts table for Japanese characters or titles related to the spam keywords.

• Check the wp_options table for siteurl or home changes.

7. Virtualmin/Debian Level Hardening

Since you are on Debian 12, take advantage of system-level security:

• Update System: Ensure Debian is patched: apt update && apt upgrade.

• Change All Credentials: Change the Virtualmin user password, the MySQL database password (update wp-config.php accordingly), and all WordPress admin passwords.

• Permissions: Ensure files are owned by the Virtualmin user and permissions are set correctly (644 for files, 755 for directories).

  Bash

  chown -R linuxusername:linuxusername /home/linuxusername/public_html
  

8. Handling Search Engine Results

Even after the site is clean, Google may still have thousands of Japanese pages indexed.

1. Google Search Console: Register the site immediately.

2. Sitemap: Generate a new, clean XML sitemap and submit it.

3. Removals Tool: Use the “Removals” tool in Search Console to temporarily hide the spam URLs.

4. 404 Errors: The spam URLs will now lead to 404 pages. This is good. Eventually, Google will see the pages are gone and drop them from the index.

9. Ongoing Protection

• Install a Security Plugin: Wordfence or Sucuri’s plugin can provide a firewall and scheduled scanning.

• Disable File Editing: Add define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php to prevent even admins from editing code through the dashboard.

• Fail2Ban: Ensure Fail2Ban is active in Virtualmin to block brute-force attempts on SSH and WordPress logins.

Summary: You are essentially performing a “surgical replacement.” By replacing the core, plugins, and themes while auditing the uploads and .htaccess, you remove the malware’s ability to run. The rest is simply convincing Google that the “new” site is the legitimate one.