Are you noticing some strange symptoms on your website? A sudden drop in search engine rankings? A decrease in website traffic? Are you seeing random Chinese characters, unrelated to your website’s content? There might also be unfamiliar files or directories on your server that look suspicious or malicious.
If any of that is true, we’ve got some good news and some bad news. The bad news is that your WordPress site has been hacked and the good news is that it’s fixable.
It sounds like you might be experiencing a Chinese search results spam hack on your WordPress website, and we’re sorry to hear that. This kind of hack can be really scary and frustrating for website admins like yourself. But, this article will break down the steps to fix the issue. How do you recover your site? Why did it happen in the first place? How can you prevent it from happening again? We’ll cover it all.
To remove the Chinese search results spam from your WordPress site, use MalCare malware removal. It scans and clears your site of malware in just 5 minutes, making it a fast and effective solution to the problem. Get your site back up and running quickly with MalCare.
Why are you seeing Chinese spam in your search results?
Chinese search results spam is a type of SEO spam hack: a malware attack where hackers compromise a WordPress website and inject spam content or links, typically related to Chinese products or websites, into the website’s search results. This is done to manipulate search engine rankings and drive traffic to spammy websites. There are other similar hacks like the Japanese keyword hack and the pharma hack.
If you’ve been hit by the Chinese spam hack on your website, you’re probably feeling frustrated and overwhelmed.
In this article, we’ll guide you through the process of removing the hack and provide help on preventing it from coming back.
What are the symptoms of a Chinese search results spam hack?
Before you put in the effort of fixing the hack, let’s WebMD it and check out the symptoms:
Chinese characters appearing in your site’s search results
A sudden influx of spam pages, sometimes numbering in the hundreds of thousands
Hackers adding themselves to your site’s Google Search Console account to manipulate geotargeting and sitemap results, which can trigger a notification that someone has verified themselves as an owner
Security issues within your Google Search Console account
Pages being redirected to other sites from the spam pages
You may only be seeing the spam in your site’s search results. Malware is tricky and wants to hide from legitimate users and admins. So, even if you click through one of the spam results, you might end up on a perfectly normal page or see a 404.
The actual spam page may only show up if you have a specific user agent, or you’re trying from a different IP like a VPN.
The key thing to understand here is that if you don’t see one of the symptoms above, it doesn’t mean your site isn’t hacked.
How to run diagnostics on the Chinese spam attack?
If you suspect that your WordPress site has been hacked with the Chinese search results spam, the first step is to run a diagnostic scan. Fortunately, there are several methods available to help identify and remove the malware. So, starting with the easiest, here are the top three approaches to consider:
1. Use MalCare to scan for the malware
One of the most effective ways to scan for and remove malware on your WordPress site is to use a security plugin. MalCare is a popular security plugin that offers one of the most effective malware scanners and cleaners on the market. There are several reasons why we recommend it, including:
Comprehensive scanning of both the database and files of your website
Accurate detection of malware and backdoors
Minimal impact on your site’s performance during scans
Advanced algorithm for scanning that goes beyond file matching
Completely free to use
With MalCare’s strong underlying algorithm, it can detect even the most complex malware, such as the Chinese search results spam hack, while reducing the chances of false positives. So if you’re looking for a reliable and efficient way to secure your site, MalCare is the best option to consider.
2. Use an online scanner to find the malware
Another method to scan your WordPress site for malware is to use an online scanner. Popular online scanners such as Sucuri SiteCheck can detect the hack by searching for the spam code in the visible parts of your site.
However, online scanners have limitations. Because they are not installed on your site, they can’t scan all of your files or access all parts of your site.
As malware can be in any part of your site, this means that some malware may go undetected, and you may need to use additional methods to fully scan your site.
3. Manually scan for the malware
The third method is to manually scan your WordPress site for malware. This is the least efficient and most error-prone means to scan a website. You need to comb through every line of code in the site files and in the database.
Malware can take many forms, so with the best will in the world, we cannot give you a template of what to look for. For instance, it can be in the form of a fake plugin or even an icon file. Other malware is split into multiple pieces and stored in various places across the site. Some of it looks harmless, but is actually manipulating cron jobs to make sure it can keep reoccurring if it is removed.
Most of all, manual malware scanning requires significant technical expertise, and most people with that level of expertise will use tools instead. As you can probably tell by this point, we do not recommend this course of action under any circumstances.
Even though scanning your site is the best form of malware detection, there are other ways to confirm that your site has been hacked:
Check the Google Search Console (GSC) users for any odd users. If you find any odd users, also check your sitemap as there might be a different one containing spam pages.
The security issues tab may have warnings for your site.
Use the URL inspection tool to check for cloaked content in case of a 404 error generated by spam pages.
Make sure your website has only one .htaccess file, as multiple files can cause redirects. This is only applicable to sites on Apache servers.
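The cloaking described above (spam served only to certain user agents, a normal page or 404 for everyone else) can be checked from outside the site. The following is an added example, not code from MalCare or Google: it compares the share of Chinese characters in the HTML returned to a browser and to a crawler user agent. The function names, the 0.2 threshold and the sample pages are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# CJK Unified Ideographs plus Extension A: enough to spot Chinese spam text.
CJK = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff]")
USER_AGENTS = {  # "browser" is the baseline the other variants are compared to
    "browser": "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


class VisibleText(HTMLParser):
    """Collects text nodes, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def cjk_share(html: str) -> float:
    """Fraction of visible non-space characters that are CJK ideographs."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", "", "".join(parser.chunks))
    return len(CJK.findall(text)) / len(text) if text else 0.0


def cloaked_variants(pages: dict, threshold: float = 0.2) -> list:
    """Labels whose CJK share exceeds the browser baseline by `threshold`."""
    base = cjk_share(pages["browser"])
    return sorted(label for label, html in pages.items()
                  if cjk_share(html) - base > threshold)


def fetch_variants(url: str) -> dict:
    """Fetch one URL of your own site once per user agent (needs network)."""
    pages = {}
    for label, agent in USER_AGENTS.items():
        req = urllib.request.Request(url, headers={"User-Agent": agent})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:
            body = err.read()  # keep the 404 body; a browser-only 404 is a clue
        pages[label] = body.decode("utf-8", errors="replace")
    return pages


# Constructed sample responses standing in for fetch_variants() output.
SAMPLE = {
    "browser": "<html><title>Acme Bakery</title><body><h1>Fresh bread daily"
               "</h1><script>var a='中';</script></body></html>",
    "crawler": "<html><title>便宜手表</title><body><p>在线购买 便宜手表</p>"
               "<a href='https://spam.example/'>buy</a></body></html>",
}

if __name__ == "__main__":
    print(cloaked_variants(SAMPLE))
```

Malware that also keys on the visitor’s IP address will pass this check, so a clean result here does not replace the URL inspection tool in Google Search Console.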
How to fix Chinese search results spam?
Okay. The reports are in. You’ve been hacked. Let’s talk about treatments now. Here are two methods to remove the Chinese search results spam from your WordPress site.
The first and most efficient method is to use a security plugin like MalCare, which offers fast and easy removal.
You can hire a malware removal service to clean your site, but these can be expensive. The good services also are usually booked up, so you may have to wait for an opening in their schedule. Please note that malware becomes worse the longer it is left on your site.
As a last resort, you can manually remove the malware, but this process can be more time-consuming and complicated. Also, with manual cleaning, the rate of reinfection is very high.
Here is a breakdown of all methods.
1. Remove malware with MalCare [recommended]
The easiest and quickest way to remove the malware is by using a security plugin like MalCare. This plugin has a top-notch malware scanner and a one-click removal tool that can quickly get rid of any malicious code.
To use MalCare’s malware removal tool, you’ll need to upgrade. Once you’ve signed up and installed the plugin, follow these steps:
Run a full scan of your website: MalCare will scan your website for malware and backdoors. This may take some time, but it’s important to make sure that all of the malicious code is detected.
Review the scan results: Once the scan is complete, review the results to see what malware was found and where it’s located.
Remove the malware: If you’ve upgraded to a plan that includes malware removal, simply click on the “Remove Malware” button to get rid of the malicious code.
Review your website: After the malware has been removed, it’s a good idea to review your website to make sure everything is working properly.
One of the main benefits of MalCare is its ability to surgically remove malware and backdoors from your WordPress website. That means, only malware is removed from your site, while everything else stays intact. No loss of data, pages, posts, users, or anything else for that matter.
MalCare doesn’t lock you out of your site or cause critical errors. This is an underrated advantage, as other security plugins will either destroy your site, make it impossible to manage, or not provide any security at all.
Additionally, MalCare detects vulnerabilities in your site and provides an integrated firewall to protect against future attacks. With MalCare, you can rest assured that your website is secure and protected from malware and other security threats.
2. Hire site maintenance services
Our first recommendation is to install MalCare, and let the plugin do the heavy lifting. But this is not always possible, and you may need expert assistance. For instance, your web host may have taken your site offline because of the malware—which happens more often than you’d expect.
You can reach out to a WordPress site maintenance service, which will have expert developers on board to save your site. Alternatively, you can reach out to MalCare’s customer care and we’ll put you on the right path.
3. Manually remove the malware
If the security plugin method doesn’t work for you, or if you prefer to take control of the malware removal process yourself, then manual removal is an option. It is not a good option, but an option nevertheless.
Manual malware removal requires extensive technical knowledge and can be time-consuming. While we cannot give you specifics on what to look for, in this section, we will walk you through the step-by-step process.
Step 1: Regain access to your site
In case your web host has taken your site offline due to malware, this is your first step. Contact them and ask them to whitelist your site so that you can clean it up. This will allow you to access your site and remove any malicious code or files that may be causing the issue.
It is also a good idea to ask your hosting provider if they have a log of the type of malware that caused the blacklisting. This information can be very helpful in determining how the attack occurred and what malware to clean.
Step 2: Take a backup
Before starting any manual removal process, it’s essential to take a backup of your website. In case things go wrong during the cleaning process, you have a fallback option. We always say that an infected site is better than no site at all. In fact, if you are going to attempt to clean your site manually, do this on another backup altogether. It will save you much heartache later.
Step 3: Make a note of all plugins and themes
Next, make a list of all the plugins and themes used on your website. In particular, keep track of the version numbers. You will need this list to download fresh versions of all extensions used on your site.
Also, if your site has customisations in the code, like additions to the theme for instance, make sure to note these down too. You will need to add them back in later.
Step 4: Download the right versions of WordPress, themes, and plugins
Once you have noted down the plugins and themes, download the latest versions of WordPress, themes, and plugins from the official repository or from the official developer websites.
Step 5: Compare the clean and affected files
After downloading the latest versions, compare their files to the files on your website to find any discrepancies. You want to search for any unusual code that wasn’t present in the original, clean installation you downloaded. In particular, pay attention to PHP scripts that look out of place or have strange content. Unfortunately, there’s no specific signature to look out for, so you need to be vigilant in your search.
To check for any signs of malware in your website’s files, there are certain files you should take a closer look at. These include the index.php, wp-config.php, wp-settings.php, wp-load.php, and .htaccess files.
The /wp-uploads folder should not have any PHP files at all. If you come across any such files, you can delete them immediately. If you’re unsure whether a file contains malicious code, you can try commenting out the code or changing the file extension to something useless like .old or .txt. This will prevent the file from running and causing any harm while you investigate further.
Step 6: Clean plugins and themes
In the /wp-content folder, you will find both plugin and theme files and folders. Take the time to go through any suspicious code and files, but keep in mind that not all differences are necessarily malicious. Customizations made to your website will also show up as differences. If you do not value these customizations, it may be easier to simply replace the entire folder.
Step 7: Remove the malware from the database
The malware can be hidden in the database as well as the files, so you need to search the database for any suspicious code or scripts and remove them.
Review the wp-posts and wp-pages tables in the database for spam pages. These spam pages could number in the hundreds of thousands, and their presence can cause severe issues. Additionally, there may be hacked redirect malware present in your website, which is significantly harder to remove, as the code will be present in several locations.
Step 8: Check your root for suspicious files
The root folder of your website, also known as the public_html folder, is where you can find WordPress core, plugins, themes, and any other files or folders that make up your website. This folder may contain malicious files that could harm your website or compromise your visitors’ data. When checking for malware on your website, it’s crucial to examine the files and folders in the root directory thoroughly.
Step 9: Remove the backdoors
Backdoors are a type of malware that can be used by hackers to gain access to a compromised website. They can be used to circumvent the login page and provide external access to your site. If you suspect that your site has been infected with malware, it is important to check for the presence of backdoors. Backdoors are also the main cause behind malware reinfections.
One way to check for backdoors is to look for specific functions in your website’s code. These functions include eval, base64_decode, gzinflate, preg_replace, and str_rot13. These functions are not typically used for legitimate purposes and can indicate the presence of a backdoor.
Removing backdoors can be a technical process, but there are tools and plugins available that can help. It is important to remove the backdoor as soon as possible to prevent further damage to your website. If you are not comfortable with removing backdoors yourself, it is best to seek the help of a professional.
Step 10: Upload clean files and database
Once you have cleaned up the website’s files and database, it’s time to upload the clean files and database to your website. You can use cPanel or an FTP client for the files. cPanel and a database manager will work for your database. They will have to be uploaded separately, like you would do in a manual backup.
Step 11: Check the plugins and themes
Now that the clean files and database are up, go through every page and make sure that your plugins and themes are working as they should.
Step 12: Remove malware from subdomains and nested WordPress sites
If your website has any subdomains or nested WordPress sites, repeat the malware removal process on those as well, and on staging sites too. This is because malware can move between sites on the same cPanel.
Step 13: Scan the whole site once again
After cleaning up the website, it’s essential to scan the whole site using a reliable security plugin or an online scanner to ensure that there are no traces of malware left on your website.
You can probably tell that this process can be time-consuming, and there’s always a risk of missing some of the malicious code or files. Therefore using a reliable security plugin like MalCare is highly recommended for the most efficient and effective removal of malware from your website.
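Steps 5, 8 and 9 can be run as one read-only pass over a downloaded copy of the site. The script below is an added example, not MalCare’s or WordPress’s own code: it compares the live copy against the clean downloads, lists PHP files under uploads, lists every .htaccess file, and searches PHP files for the functions named in step 9. The function names, the `wp-content/uploads` default (the standard WordPress uploads location) and the demo tree are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Function names the article lists as backdoor indicators in step 9.
SUSPECT_CALLS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|preg_replace|str_rot13)\s*\(")
PHP_SUFFIXES = {".php", ".phtml"}  # assumption: what your server runs as PHP


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(live_root, clean_root, uploads_rel="wp-content/uploads"):
    """Compare a copy of the live site against a clean reference tree."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    out = {"modified": [], "unknown": [], "php_in_uploads": [],
           "suspect_calls": [], "htaccess": []}
    for dirpath, _dirs, files in os.walk(live_root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(live_root).as_posix()
            is_php = path.suffix.lower() in PHP_SUFFIXES
            if name == ".htaccess":
                out["htaccess"].append(rel)
            if rel.startswith(uploads_rel + "/"):
                # Uploads are site-specific media with no clean counterpart,
                # so the only rule here is "no PHP".
                if is_php:
                    out["php_in_uploads"].append(rel)
            elif not (clean_root / rel).is_file():
                out["unknown"].append(rel)    # not in the clean download
            elif sha256(clean_root / rel) != sha256(path):
                out["modified"].append(rel)   # differs from the clean copy
            if is_php:
                hits = {m.group(1).decode()
                        for m in SUSPECT_CALLS.finditer(path.read_bytes())}
                if hits:
                    out["suspect_calls"].append((rel, sorted(hits)))
    return {kind: sorted(items) for kind, items in out.items()}


def build_demo(base: Path):
    """Write a constructed clean tree and a constructed 'infected' copy."""
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-load.php": "<?php // core loader, constructed stand-in\n",
        "wp-content/plugins/demo/demo.php": "<?php // demo plugin 1.0\n",
    }
    live = dict(clean)
    # Harmless stand-ins for the kind of changes an infection leaves behind.
    live["index.php"] += "$p = base64_decode('aGVsbG8='); eval('return 1;');\n"
    live["extra-loader.php"] = "<?php // file the clean download lacks\n"
    live["wp-content/uploads/2023/05/cache.php"] = "<?php str_rot13('uryyb');\n"
    live["wp-content/uploads/2023/05/logo.png"] = "stand-in image bytes"
    live[".htaccess"] = "# BEGIN WordPress\n"
    live["wp-content/uploads/.htaccess"] = "# second copy\n"
    for root, tree in (("clean", clean), ("live", live)):
        for rel, body in tree.items():
            target = base / root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return base / "live", base / "clean"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage(*build_demo(Path(tmp)))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

On a real site, wp-config.php and .htaccess always land in `unknown` because the official WordPress download ships neither, which matches the advice above to read those files by hand. Every entry is a lead to review, not a verdict.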
What to do after the hack?
Great job on fixing the hack! But are you completely in the clear yet? It’s important to take some additional steps to ensure your website remains secure. There’s also some damage control you will have to do. Here’s a checklist of what to do after a hack:
Remove any unauthorized owners from Google Search Console: This is a common symptom for this Chinese spam hack. You will have to delete the other users and remove the associated verification token from the website. This process can be more complicated than just removing users, as it may require checking the website’s .htaccess file.
Delete your WordPress cache: Clean all website caches to ensure that no traces of malware or spammy content remain.
Request Google to reindex your site: Resubmit a cleaned sitemap to help speed up the process of having your site reviewed and recrawled by Google’s search spiders. You will have to go through the trouble of removing your site from Google’s blacklist.
Update everything: The biggest cause of such hacks is a vulnerability in a plugin, theme or WordPress. This is why updates are critical, as they usually patch discovered vulnerabilities. So update everything as soon as possible.
Reach out to your site visitors: Let them know what happened and reassure them that you have fixed it all. A mature and calm response can help rebuild your reputation.
If you have cleaned the website of malware, but Google search results are still showing Chinese characters or other spammy content, it may be because Google has not yet recrawled your website. Be patient and continue to monitor your site’s performance and search results.
How do you protect your site from hackers and malware?
We’ve talked about what the Chinese spam hack is. You’ve gone through the terrible experience of scanning for it, removing it and dealing with the aftermath. You obviously don’t want to go through it all over again. Here are some steps to take:
Install MalCare: Using a comprehensive security plugin like MalCare can help prevent future attacks. MalCare offers a range of features, including malware scanning, firewall protection, and brute-force attack prevention.
Change all passwords: After a hack, it’s important to change all passwords, including those for WordPress, FTP, cPanel, and any other accounts associated with your website. Use strong, unique passwords that are difficult to guess.
Force reset of all user accounts: It’s a good idea to force a password reset for all user accounts on your website. This will help ensure that any compromised accounts are secured.
Review plugins and themes: Go through your list of installed plugins and themes and delete any that you no longer need or use. Keep your site lean and streamlined to reduce the risk of vulnerabilities.
Use SSL: SSL (Secure Sockets Layer) is a security protocol that encrypts data between your website and visitors. Implementing SSL can help protect sensitive data, such as login credentials and payment information.
Invest in regular backups: Regularly backing up your website can be a lifesaver in case of a future attack. Make sure to keep backups in a secure location, such as an external hard drive or cloud storage service.
Why do websites get targeted this way?
By now, your stress has been relieved and you’ve regained your site. All is well with the world. Let’s take a moment to process what happened to your site. What is the hack? Why did it happen to you?
Search engine optimization (SEO): Hackers may try to improve their own or their clients’ SEO by injecting links into your website’s pages or creating new pages for the sole purpose of linking to their desired target. In some cases, the client or reseller may not even be aware that they are paying a hacker for these services.
Email spam: Hackers may use your website to send out large volumes of spam emails, taking advantage of your server’s resources and its reputation, since it may not yet have been blacklisted by email providers.
Advertising revenue: Some hackers may attempt to monetize your website by replacing or adding advertisements to it. This can be especially profitable if your site has a large amount of traffic.
Resource exploitation: Hackers may attempt to use your website’s resources, such as its processing power or bandwidth, to help them hack into other sites or to mine cryptocurrency.
Data theft: Hackers may attempt to steal sensitive information such as credit card details, login credentials, or other personal data.
Malware distribution: Hackers may use your website as a distribution point for malware, storing infected files or hosting downloads that contain viruses or other malicious software.
What caused the hack?
We know what the hack is and how it benefits the hackers. But why your site? What caused it? Here are the top three reasons your site was cherry-picked for a hack:
Vulnerabilities: Hackers look for weaknesses in software, plugins, or themes to gain unauthorized access. Websites using outdated software or plugins with known vulnerabilities are a popular target. A lack of regular software updates, patches, and security audits can also leave websites open to attack.
Nulled software: Nulled software refers to illegal, pirated versions of premium plugins and themes. These copies may have been modified to include backdoors, malware, or other malicious code. Using nulled software puts a website at risk of getting hacked and can result in severe damage to the site’s reputation and SEO.
Poor passwords: Weak and easily guessable passwords are a major security risk. Common passwords like “password” or “123456” are easy targets for hackers. The use of simple or identical passwords across multiple sites also makes it easier for hackers to gain access to your website. It’s essential to use strong and unique passwords, enable two-factor authentication, and change your passwords regularly to reduce the risk of getting hacked.
How does the hack impact your site?
The impact of the Chinese search results spam hack can be severe and far-reaching. Some of the main consequences include:
Loss of trust: When a website is hacked, it can damage the trust that users have in the site. This can result in a loss of business, as users may be hesitant to share personal or financial information on the site.
Loss of organic traffic: A hacked website can also result in a significant drop in organic traffic from search engines. This is because search engines may remove the site from their index, or rank it lower due to the presence of spammy content.
Google blacklisting: If Google detects that a website has been hacked, it may blacklist the site. This means that the site will not appear in search results, which can be devastating for businesses that rely on organic traffic.
Suspension of website by host: The host may suspend the site until the issue is resolved. This can result in downtime and lost revenue for the business.
Suspension of Google Ads: Google may suspend any ads that are running on the site. This can result in lost revenue for the business, as well as damage to their reputation.
Let’s wrap it up. Malware attacks can have serious consequences for a website’s traffic, causing loss of trust and even Google blacklisting. However, by taking steps to prevent attacks and using a security plugin like MalCare, website owners can protect themselves and their visitors. With its top malware scanner, auto-removal feature, and firewall, MalCare offers a comprehensive solution for website security.
How to fix a Chinese search results spam hack?
If your website has been hit by a Chinese spam hack, the first step is to scan for malware using a reliable security tool like MalCare. Once the malware is identified, MalCare’s auto-removal feature can easily clear it from your site. With its advanced security features, MalCare can protect your website from future attacks.
How did the Chinese spam hack happen?
There are three main culprits to watch out for: vulnerabilities, nulled software, and poor passwords. Vulnerabilities occur when website software has known security issues that hackers can exploit. Nulled plugins and themes are pirated versions of paid software, which can include malware or backdoors that allow hackers access. Poor passwords are easy to guess or commonly used, making it simple for attackers to gain access to a site.
What is a Chinese spam hack? Does it affect backlinks?
A Chinese search results spam hack is a type of malware attack that adds irrelevant Chinese keywords to a website’s content. It doesn’t directly affect backlinks, but can harm a site’s SEO and cause a decrease in traffic.
What does the WordPress Chinese hack do?
A Chinese spam hack is a type of hack where a website’s pages are modified to include spammy Chinese keywords and links to malicious websites. The purpose of the hack is to manipulate search engine rankings and drive traffic to the attacker’s website.
Why are the search engine results for my website showing Chinese characters?
You’ve probably been hacked. A Chinese search results spam hack is a type of hack that inserts spammy Chinese keywords and links into a website’s pages and content. This type of hack can negatively impact a website’s SEO by creating a large number of low-quality backlinks. It can also result in a loss of trust from visitors who may be redirected to malicious websites or see spammy content on the site.
Why am I getting Chinese search results?
You’ve been hacked and have malware on your website. This hack inserts spammy Chinese keywords and links into a website’s pages and content, which can have negative consequences on the site’s SEO by generating low-quality backlinks. Additionally, visitors may be directed to malicious sites or see spammy content, leading to a loss of trust.