Panic query — a calm, exact fix

Fix the “This site may be hacked” warning

Google put a warning under your listing in search results. It looks worse than it usually is. Here is the exact walkthrough — confirm it, remove the hack, verify the whole site, then get Google to review it — most sites clear it within days.

How do I fix the “This site may be hacked” warning in Google? Log into Google Search Console and open the Security Issues report to see exactly what was found. Locate and remove the injected code or spam pages and the backdoor file that let the attacker back in, change every password connected to the site, then check the entire site — not just the flagged page — is clean. Click Request Review, describe what you fixed, and submit. Google typically clears the warning within a few days once the site is genuinely clean.

This guide is not here to scare you further — a “This site may be hacked” warning is one of the more fixable security problems a website owner can have. It almost always means an attacker got in through a known, patchable weakness (an outdated plugin, a weak password) and left spam or injected code behind, not that your business or your visitors’ devices are permanently at risk. Confirming and cleaning it usually takes a focused day; Google’s review afterward adds a few more.

What does the “This site may be hacked” warning actually mean?

What does “This site may be hacked” mean? It means Google’s search-quality systems found signs that your site’s content was changed by someone other than you — typically injected spam links, spam pages in a different language, or content that shows differently to Google’s crawler than to a normal visitor. It is a label attached under your listing in search results, separate from Google Safe Browsing’s full-page malware warning, which blocks the page outright before a visitor even sees it.

The distinction matters because the two warnings clear through different processes, and confusing them wastes time.

This site may be hacked vs Google’s other website warnings
WarningWhere it appearsWhat it meansHow it clears
This site may be hackedSmall red text under your listing in Google Search resultsAutomated search-quality systems detected likely unauthorized changes to the content — usually injected spam links, spam pages, or cloakingSearch Console Security Issues report: fix the cause, then Request Review
Deceptive site aheadFull-page red warning in the browser before the page loadsSafe Browsing detected live malware, phishing, or deceptive content being served to visitorsSame Security Issues report; Safe Browsing typically re-checks automatically within a few days of the threat being removed
Manual actionA message in Search Console, not visible to searchers directlyA human reviewer at Google penalized the site for a guideline violation — separate from being hackedFix the violation, then submit a reconsideration request in the Manual Actions report

This guide focuses specifically on the search-result warning. If you are also seeing other signs of compromise — a defaced homepage, unfamiliar admin users, strange outbound traffic — the warning is one symptom among several; our full guide to a hacked website covers the complete picture and response.

Step 1: Confirm it in Search Console

Confirm the exact issue before doing anything else — the Security Issues report tells you precisely what pattern Google found and gives example URLs, which turns a vague warning into a concrete todo list.

Open the Security Issues report

In Search Console, select the verified property for your domain (if you have not verified it yet, add it now with a DNS TXT record from your domain registrar or an HTML verification file — either takes a few minutes), then open Security & Manual Actions › Security Issues in the left sidebar.

Read the “Hacked type”

Google names the specific pattern it detected — common ones are Content injection, Code injection, URL injection, Cloaked images, and Cloaked keywords and links (the pattern behind the classic Japanese keyword hack on WordPress). This tells you what to look for once you go digging.

Note the example URLs, and their limits

Google lists one or two URLs where it found the problem. Treat these as a starting point, not the full extent — Google does not recrawl every page every time, so the injection is often on more pages than the report shows. Step 3 below covers how to check the rest of the site.

Step 2: Find and remove the hack — including the backdoor

Removing the visible spam without finding how the attacker got in — the backdoor — is the single most common reason a cleaned site gets hacked again within days. Do both, in this order.

See what Google actually sees

Open the flagged URL and view its page source, not just the rendered page — some injections are cloaked, meaning they show normal content to a visitor and spam content only to search-engine crawlers. To see exactly what Googlebot sees, use URL Inspection › Test Live URL in Search Console and check the rendered HTML. Typical patterns: a block of hidden spam links or keyword text positioned off-screen, a full alternate page of foreign-language or spam content served only to crawlers, or a script-based redirect that sends search visitors elsewhere while regular visitors see nothing unusual.

Find the backdoor, not just the symptom

A backdoor is the file or account an attacker left behind so they can get back in even after you delete the spam. Common places to look:

  • Unexpected files in folders that should never contain code — a .php file inside wp-content/uploads is a classic red flag.
  • Recently modified files — your host’s file manager or an SSH/SFTP client can sort by modified date; anything touched outside your own recent edits deserves a look.
  • Admin or user accounts you do not recognize, in both your CMS user list and your hosting or control-panel account list.
  • Unfamiliar scheduled tasks or cron jobs — some backdoors reinstall themselves automatically after cleanup.
  • On WordPress specifically: compare core files against the official release. The WP-CLI command wp core verify-checksums flags anything modified, and re-uploading fresh copies of core, your active theme, and your plugins from the original source is the most reliable clean.

Remove it, then lock the door behind you

  • Delete the injected code or pages and every unfamiliar file or account you found in the previous step.
  • Change every password connected to the site — hosting/control panel, CMS admin, database, and FTP/SFTP, plus any API keys. A weak or reused password is the most common way attackers get in the first time, and skipping this step is the second most common reason a cleaned site gets hacked again.
  • Update everything — CMS core, every plugin and theme, and your PHP version if your host allows it. Most hacks start from a known, already-patched vulnerability that simply was not applied yet.
  • Delete plugins and themes you are not actively using. An inactive one with a known flaw is still exploitable if its files remain on the server.
  • Keep a copy of the infected files somewhere safe before deleting them. If the warning does not clear on the first try, having exactly what was found makes the second pass much faster.

Step 3: Verify the entire site is clean, not just the flagged page

Injections that come from a backdoor script often touch every post or page automatically, not only the one URL Google happened to show you — this is exactly how the classic keyword-spam hack generates hundreds of fake pages from a single script. Checking only the flagged URL and calling it done is how sites end up requesting review, failing, and starting over.

  • Re-check the exact example URLs from the Security Issues report and confirm the injected content is genuinely gone, not moved.
  • Search site:yourdomain.com in Google and scan the results for titles or pages you do not recognize — spam-generated pages usually stand out immediately by language or subject.
  • In Search Console’s Pages report (under Indexing), look for a spike in indexed URLs you never created — a common fingerprint of the auto-generated keyword-spam pattern.
  • Run URL Inspection › Test Live URL on a handful of pages, not just the flagged one, to confirm Googlebot sees the same clean content a normal visitor does. This catches cloaking a browser check alone would miss.
  • Run a second scan with a reputable malware or blocklist checker as a sanity check before you submit for review.

Step 4: Request a review, and what happens next

Once you are confident the whole site is clean, go back to the Security Issues report and click Request Review.

What to write

Be specific: which files or pages were affected, exactly what you removed, and what you changed to close the entry point (passwords, software updates, deleted backdoor). Google’s reviewers read this description, and a specific, complete one reduces back-and-forth.

What to expect

Google’s own guidance is that review typically takes a few days, though it can run longer if a reviewer needs a second pass. What resets the clock: if the hack reappears before or during review because the backdoor was not fully closed, the review fails and you are back at Step 2. This is the single biggest reason reviews drag on for weeks instead of days — not the review itself, but a reinfection nobody noticed.

Once approved, the warning is removed from your search listing. Recovering the traffic and rankings lost during the incident can take a little longer, since Google still needs to recrawl and re-rank the affected pages — but for most small sites, the bulk of it returns within days of the label disappearing.

Worth knowing: this is a different process from a Safe Browsing warning (“Deceptive site ahead”), which is a full-page interstitial for active malware or phishing rather than a search-result label. Safe Browsing typically re-checks and lifts that warning automatically within a few days of the threat being gone, with no Request Review button involved — see the comparison above.

Why this happened, and how to stop it recurring

For small sites, the cause is almost always one of three things: an outdated CMS core, plugin, or theme with a known, published vulnerability (by far the most common on WordPress); a weak or reused admin password caught by automated password-guessing; or a hosting/FTP credential that leaked in an unrelated breach. Knowing which one applied to you is worth five minutes — it tells you what to actually change.

  • Update core, plugins, and themes on a regular schedule instead of waiting for a warning to force it.
  • Delete plugins and themes you are not using, rather than leaving them deactivated.
  • Use a unique, strong admin password and enable two-factor authentication wherever your CMS or host supports it.
  • Keep offsite backups, and actually test restoring one occasionally — a future incident should be a restore, not another forensic project.
  • Run a periodic outside-in check on your domain to catch new exposure before Google does. Our free passive check takes seconds, needs no login, and is safe to run monthly.

If this is not the first time your site has been compromised, the pattern usually points to something structural rather than one unlucky plugin — our guide on why a WordPress site keeps getting hacked walks through the recurring causes in more depth.

Should you fix this yourself, or get help?

Doing it yourself

Realistic if you are comfortable in your host’s file manager or SSH and your CMS admin, and the pattern is a well-known one. Budget real time: a careful cleanup on a small WordPress site is usually a focused few hours, not minutes — rushing Step 2 is exactly how a backdoor gets missed and the site gets hacked again a week later. If you want a sense of what professional cleanup typically costs before you decide, see our breakdown of the real cost to fix a hacked website.

Getting it done for you

Bug Circuit’s $49 Circuit audit is a full manual pass by a human engineer over the whole site, which matters here specifically because confirming there is no second backdoor left behind is exactly the check a DIY cleanup is most likely to miss. The $299 Signal plan goes further — we do the fixes with you and keep 3 months of cover afterward, which matters most in the weeks right after a hack, when reinfection risk is highest. Signal is currently discounted by roughly 55% as a launch offer; current pricing is always on the pricing page. Every paid option starts only after you verify domain ownership and sign a recorded Authorization to Test, with a 14-day money-back guarantee before the audit begins. A written report you can keep is also included — see a sample report to see the format.

Common questions

Will the warning hurt my search rankings for good?
No. A “This site may be hacked” label is not permanent and does not blocklist your site. Once you clean it and Google approves your Request Review, the label is removed. Rankings that dipped during the incident typically recover over the following days to weeks as Google recrawls and re-evaluates the affected pages — there is no separate penalty stacked on top once the warning itself is gone.
How long does Google actually take to remove the warning?
Google’s own guidance is a few days after you submit a Request Review, though it can take longer if a reviewer needs a second pass. The most common reason it drags on: the backdoor was not fully closed, the hack reappears during review, and the review fails — which is why Step 2 and Step 3 below matter more than speed.
Can I fix this myself, or do I need a developer?
Many owners handle straightforward, well-known patterns themselves if they are comfortable in their host’s file manager and their CMS admin. The part most likely to go wrong solo is confirming there is no second backdoor left behind — that is exactly what a human manual audit is good at catching. See our real cost to fix a hacked website for both paths.
Does this warning mean my site has a virus that could infect visitors?
Not necessarily. “This site may be hacked” is broader than active malware — it also covers injected spam content and cloaking, which do not directly harm a visitor’s device. Active malware served to visitors triggers a different, more severe warning: a full-page “Deceptive site ahead” interstitial from Google Safe Browsing. Check the specific “Hacked type” listed in your Security Issues report to know which situation you are actually in.
I already cleaned the hack, but the warning is still showing. Why?
Three likely reasons: you have not yet clicked Request Review in Search Console (cleaning the site does not clear the label by itself); the review is still in progress; or the backdoor was not fully closed and the hack quietly reappeared, which resets the process. Recheck the flagged URLs and run through Step 3 again before resubmitting.
Is the Japanese keyword hack the same thing as this warning?
It is one common cause of it, not a different problem. The Japanese keyword hack is a specific cloaked-content injection pattern — fake Japanese-language pages shown to search engines while your normal pages look untouched — and it is exactly the kind of pattern that triggers a “This site may be hacked” label. See our dedicated Japanese keyword hack removal guide if that matches what you are seeing.

Keep reading

Not sure the hack is fully gone? Check for free

Run the free passive check on your domain — no login, no impact on your site — then get a free human yes or no on critical bugs before you request review.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →