What to Do When Google Says 'This Site May Be Hacked
By WP Vanguard Team
You search for your own website and see it: "This site may be hacked" right below your listing in Google. Or worse, a full red interstitial page warning visitors away before they even reach your site.
Your traffic is already dropping. Google is actively telling people not to visit your site. Every hour this stays up, you lose visitors, customers, and search rankings that took months to build.
Here is exactly what to do, step by step.
Step 1: Confirm the Warning in Google Search Console
Log into Google Search Console. If you have not set it up yet, do it now. Verification takes minutes.
Go to Security & Manual Actions > Security Issues. Google will tell you exactly what it found: malware, phishing, unwanted software, or hacked content. This is more specific than the search result warning and gives you a starting point.
Common findings include:
- Hacked content - spam pages injected into your site (pharmaceutical, gambling, or Japanese keyword spam)
- Malware - code that downloads malicious software to visitors' computers
- Phishing - fake login pages mimicking banks, email providers, or other services
- Unwanted software - deceptive downloads or hidden redirects
Note which URLs Google flagged. You will need this list.
Step 2: Scan Your Site Immediately
Do not start deleting files randomly. You need to understand what you are dealing with first.
Run a free surface scan at WP Vanguard to check for known vulnerabilities, malicious scripts, suspicious redirects, and blacklist status. This takes 30 seconds and does not require a plugin or login.
If the surface scan confirms issues, the $1 deep scan connects via SSH and examines every file, database table, and user account on your server. This catches backdoors, web shells, and database injections that external scanners miss.
Why this matters: most hacked WordPress sites have multiple infections. Cleaning only the visible malware while missing a hidden backdoor means the attacker returns within days.
Step 3: Identify How You Were Compromised
Before cleaning, figure out how the attacker got in. If you clean the malware but leave the door open, reinfection is guaranteed.
The most common entry points:
Outdated plugins with known vulnerabilities. Check your plugin versions against vulnerability databases. If any plugin has a known CVE, that is likely your entry point. Update or remove it immediately.
Compromised admin credentials. Check for admin accounts you did not create. Look at Users > All Users in your WordPress dashboard. Also check for suspicious application passwords under each user profile.
Nulled or pirated plugins/themes. If you installed any premium plugin from an unofficial source, it likely contained a backdoor from the start.
Exposed wp-config.php backups. Files like wp-config.php.bak or wp-config.old sitting in your web root hand your database credentials to anyone who checks.
Step 4: Clean the Infection
If you are comfortable with SSH and file systems, here is what to check:
Files to examine:
- PHP files in wp-content/uploads/ (should never exist)
- Recently modified core files (compare against a fresh WordPress download)
- Files with obfuscated code (base64_decode, eval, str_rot13, gzinflate chains)
- Hidden .htaccess files in subdirectories
- Unknown files in wp-content/mu-plugins/
Database to check:
- wp_options table for unfamiliar entries, especially siteurl and home values
- wp_posts for injected content (search for iframe, eval, base64)
- wp_users for accounts you did not create
If this sounds overwhelming, the WP Vanguard cleanup service handles it for $49. The team removes all malware, closes the vulnerability, and hardens your site. First cleanup is free for new users. Turnaround is within 24 hours.
Step 5: Harden Your Site
After cleaning, prevent reinfection:
- Update everything. WordPress core, all plugins, all themes. Remove any plugins or themes you are not actively using.
- Reset all passwords. WordPress admin, database, FTP/SSH, hosting control panel.
- Regenerate security salts. Add fresh salts from the WordPress salt generator to your wp-config.php.
- Delete unused accounts. Any admin account that is not actively needed should be removed.
- Set correct file permissions. Directories at 755, files at 644, wp-config.php at 600.
- Disable file editing. Add
define('DISALLOW_FILE_EDIT', true);to wp-config.php.
Step 6: Request a Review from Google
Once your site is clean, go back to Google Search Console:
- Navigate to Security & Manual Actions > Security Issues
- Check the box confirming you have fixed the issues
- Click Request a Review
In your review request, briefly explain what happened and what you did to fix it. For example: "Site was compromised through an outdated plugin vulnerability. Malware removed, plugin updated, all credentials reset, and file permissions hardened."
Google typically processes reviews within 72 hours, though it can take up to a week. During this time, keep monitoring your site for any signs of reinfection.
Step 7: Monitor Going Forward
The warning will be removed once Google verifies your site is clean. But your job is not done.
Set up regular scanning. A monthly scan catches new vulnerabilities before attackers exploit them. Scan free at wpvanguard.com anytime.
Monitor Google Search Console. Enable email notifications so you are alerted immediately if Google detects new issues.
Keep a maintenance schedule. Update WordPress core and plugins within a week of new releases. The majority of WordPress hacks exploit known vulnerabilities in outdated software.
How Long Does Recovery Take?
If you act quickly:
- Scanning and identifying the issue: 30 minutes to 2 hours
- Cleaning the malware: 2 to 8 hours (depending on infection complexity)
- Google removing the warning: 1 to 7 days after review request
The biggest factor in recovery time is how quickly you start. Every day the warning stays up, your search rankings continue to drop. Sites that resolve the issue within 48 hours typically recover their rankings within 2 to 4 weeks. Sites that wait weeks can take months to recover, and some rankings never fully return.
Do not wait. Scan your site now and find out exactly what you are dealing with.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.