Security · 5 min read

What to Do When Google Says 'This Site May Be Hacked

By WP Vanguard Team

What to Do When Google Says 'This Site May Be Hacked

You search for your own website and see it: "This site may be hacked" right below your listing in Google. Or worse, a full red interstitial page warning visitors away before they even reach your site.

Your traffic is already dropping. Google is actively telling people not to visit your site. Every hour this stays up, you lose visitors, customers, and search rankings that took months to build.

Here is exactly what to do, step by step.

Step 1: Confirm the Warning in Google Search Console

Log into Google Search Console. If you have not set it up yet, do it now. Verification takes minutes.

Go to Security & Manual Actions > Security Issues. Google will tell you exactly what it found: malware, phishing, unwanted software, or hacked content. This is more specific than the search result warning and gives you a starting point.

Common findings include:

Note which URLs Google flagged. You will need this list.

Step 2: Scan Your Site Immediately

Do not start deleting files randomly. You need to understand what you are dealing with first.

Run a free surface scan at WP Vanguard to check for known vulnerabilities, malicious scripts, suspicious redirects, and blacklist status. This takes 30 seconds and does not require a plugin or login.

If the surface scan confirms issues, the $1 deep scan connects via SSH and examines every file, database table, and user account on your server. This catches backdoors, web shells, and database injections that external scanners miss.

Why this matters: most hacked WordPress sites have multiple infections. Cleaning only the visible malware while missing a hidden backdoor means the attacker returns within days.

Step 3: Identify How You Were Compromised

Before cleaning, figure out how the attacker got in. If you clean the malware but leave the door open, reinfection is guaranteed.

The most common entry points:

Outdated plugins with known vulnerabilities. Check your plugin versions against vulnerability databases. If any plugin has a known CVE, that is likely your entry point. Update or remove it immediately.

Compromised admin credentials. Check for admin accounts you did not create. Look at Users > All Users in your WordPress dashboard. Also check for suspicious application passwords under each user profile.

Nulled or pirated plugins/themes. If you installed any premium plugin from an unofficial source, it likely contained a backdoor from the start.

Exposed wp-config.php backups. Files like wp-config.php.bak or wp-config.old sitting in your web root hand your database credentials to anyone who checks.

Step 4: Clean the Infection

If you are comfortable with SSH and file systems, here is what to check:

Files to examine:

Database to check:

If this sounds overwhelming, the WP Vanguard cleanup service handles it for $49. The team removes all malware, closes the vulnerability, and hardens your site. First cleanup is free for new users. Turnaround is within 24 hours.

Step 5: Harden Your Site

After cleaning, prevent reinfection:

  1. Update everything. WordPress core, all plugins, all themes. Remove any plugins or themes you are not actively using.
  2. Reset all passwords. WordPress admin, database, FTP/SSH, hosting control panel.
  3. Regenerate security salts. Add fresh salts from the WordPress salt generator to your wp-config.php.
  4. Delete unused accounts. Any admin account that is not actively needed should be removed.
  5. Set correct file permissions. Directories at 755, files at 644, wp-config.php at 600.
  6. Disable file editing. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php.

Step 6: Request a Review from Google

Once your site is clean, go back to Google Search Console:

  1. Navigate to Security & Manual Actions > Security Issues
  2. Check the box confirming you have fixed the issues
  3. Click Request a Review

In your review request, briefly explain what happened and what you did to fix it. For example: "Site was compromised through an outdated plugin vulnerability. Malware removed, plugin updated, all credentials reset, and file permissions hardened."

Google typically processes reviews within 72 hours, though it can take up to a week. During this time, keep monitoring your site for any signs of reinfection.

Step 7: Monitor Going Forward

The warning will be removed once Google verifies your site is clean. But your job is not done.

Set up regular scanning. A monthly scan catches new vulnerabilities before attackers exploit them. Scan free at wpvanguard.com anytime.

Monitor Google Search Console. Enable email notifications so you are alerted immediately if Google detects new issues.

Keep a maintenance schedule. Update WordPress core and plugins within a week of new releases. The majority of WordPress hacks exploit known vulnerabilities in outdated software.

How Long Does Recovery Take?

If you act quickly:

The biggest factor in recovery time is how quickly you start. Every day the warning stays up, your search rankings continue to drop. Sites that resolve the issue within 48 hours typically recover their rankings within 2 to 4 weeks. Sites that wait weeks can take months to recover, and some rankings never fully return.

Do not wait. Scan your site now and find out exactly what you are dealing with.

wordpress-security malware google-search-console recovery

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog