For a few weeks now, searching for my website on Google has yielded some strange results: there are results linking to existing pages, but with Japanese product titles and descriptions for products that are not on my webshop. This website runs on a private server with multiple other websites. Sadly, it seems other sites have also been targeted, as they too show Japanese search results (the websites are all in Dutch, apart from one in English).
For my ‘main’ (and to me, most important) website, GSC has crawled almost 7.000 pages, of which some 1.000 are indexed. This is insane, as my webshop is quite simple and has, even with all product pages, not even 100 pages.
Screenshot of indexed and not-indexed pages
Furthermore, both the indexed and not-indexed pages are flooded with strange URLs ending in .phtml:
Strange .phtml urls/files showing up in GSC
When I inspect such a URL, it shows it is indexed on Google, and shows two product/market snippets in Japanese. When I test the live URL, however, Google cannot fetch the page. How did all these strange URLs get into my site, and what does this tell me about any potential leaks/security flaws?
I’ve come to find that this is called a Japanese SEO-spam attack. As I use WordPress on my sites, I ran Wordfence scans to delete questionable files (strange .htaccess and index.php files, among others). To me, this proves my sites or server were/was hacked, and so I ran Wordfence scans on all sites, enabled 2FA for WordPress and changed the passwords to the databases, (s)FTP-accounts and WordPress users. I also added Disallow: /*.phtml$ to my robots.txt.
I’ve been told that Google (re)indexing and crawling can take some time. However, it’s been a week and the Japanese links still show up. Furthermore, only Lagaranta.com has all the strange .phtml files and I cannot find anything about those online.
I hope I described my problem clearly and that I didn’t misplace the post or break any rules. Thanks in advance, this is my first post.
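An added example, not part of the original post and not how Wordfence works: a read-only Python audit of one site's web root for the artefacts the post mentions (.phtml files, recently changed .htaccess and index.php files). The uploads path, the 30-day window and the .htaccess hint patterns are assumptions, and the sample tree is constructed.

```python
import os, re, sys, time
from pathlib import Path

# Heuristics are assumptions based on the symptoms in the post, not a signature set.
HTACCESS_HINTS = re.compile(r"\.phtml|googlebot|HTTP_USER_AGENT", re.I)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
NO_PHP_DIR = "wp-content/uploads/"  # assumes the standard WordPress layout

def audit_webroot(root, recent_days=30):
    """Return sorted (reason, relative_path) findings for one site's web root."""
    root, cutoff = Path(root), time.time() - recent_days * 86400
    findings = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
            if ext == ".phtml":
                findings.add(("phtml-file", rel))
            if ext in PHP_EXT and rel.startswith(NO_PHP_DIR):
                findings.add(("php-in-uploads", rel))
            try:
                if name in (".htaccess", "index.php") and path.stat().st_mtime >= cutoff:
                    findings.add(("recently-modified", rel))
                if name == ".htaccess" and HTACCESS_HINTS.search(path.read_text(errors="replace")):
                    findings.add(("htaccess-rewrite-hint", rel))
            except OSError:
                continue  # unreadable file or broken symlink: skip, do not abort
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample tree (not taken from the affected server)."""
    old = time.time() - 400 * 86400
    files = {
        "index.php": "<?php // front controller\n",
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "shop/a1b2.phtml": "<?php // placeholder\n",
        "shop/.htaccess": "RewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n",
        "wp-content/uploads/2024/img.php": "<?php // placeholder\n",
        "wp-content/uploads/2024/photo.jpg": "constructed",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        if "/" not in rel:
            os.utime(path, (old, old))  # age the two legitimate root files

if __name__ == "__main__":
    for reason, rel in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:24} {rel}")
```

Run it once per site on the shared server, passing that site's document root as the argument; every finding is a lead for manual review, not proof of compromise.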