How to Fix Google’s “This Site May Be Hacked” Warning
Google thinks your site has been hacked, and has therefore put a warning on the SERP.
Seeing a ‘This site may be hacked’ message in Google search results is bad. Many people think that your site will cause their device to be hacked. As a result, you are going to see a huge hit in your traffic.
Scan your site to find out if your site is hacked or not. This is the only way to know for sure why your site has this notice.
The good news is that, even if your site is hacked, you can resolve it easily. We’ll show you how.
TL;DR: Use a malware scanner to find the hack causing the ‘This site may be hacked’ warning. You can then remove it, and appeal the flag. Malware causes harm. That’s why Google has flagged your site: to protect visitors.
What the ‘This site may be hacked’ flag means
The ‘This site may be hacked’ warning appears under your site listings in search results when Google’s scanners have detected malware or spam on your site.
It is part of the Google Safe Browsing initiative, which protects its users from dangerous places on the Internet. As Google indexes sites and the content they contain, it can come across hacks, or even spam.
Examples are phishing scams, redirect malware, unsavoury products, and so on. There are similar warnings to ‘This site may be hacked’, like ‘Site ahead contains harmful programs’, or even a red interstitial screen which is incredibly off-putting for users.
All these screens and warnings appear if Google finds that a site is hacked. Collectively (and colloquially) they are known as Google’s blacklist.
You can check if your site is on the blacklist, by using their Transparency Report feature.
Why is this message appearing on your website?
The ‘This site may be hacked’ warning is appearing beneath your site URL in the SERP results because it probably has malware or spam on it. Google scans have discovered the malware and it is now up to you to fix it.
Malware is the most likely cause of the message, however, it is not the only reason. Perhaps it isn’t your site that is hacked, but a plugin is loading assets from a site that has malware. Or there are spam links or malware in the comments on your site.
The important thing is to address these issues. The best way is to scan your site for malware first and clean it in the case of an infection. If malware isn’t the cause, the other causes are relatively minor in comparison, and can be addressed subsequently.
Other ways you may find out your site is hacked
You will either see a firestorm of hack symptoms or nothing at all, if your site is hacked. It really depends on how the hacker has designed their attack.
However, we have often seen that site admins are the last to find out about hacks. This is because hackers want to keep malicious code hidden for as long as possible.
So, we’ve listed some of the most common signs. You may see some; you may see all; you may see none at all:
As you can imagine, WordPress hacks appear in many shapes and sizes. The important thing is to deal with it quickly and decisively.
How to recover from the ‘This site may be hacked’ message
There are 3 main steps to recovering from the notice.
- Remove the hack from your site
- Submit your site to Google for reindexing
- Protect your site from further attacks and hacks
In this article, we will take you through the process. There are various ways of doing these things, so we have also laid out all the pros and cons, so you can make an informed decision.
Step 1: Remove the hack from your site
The first step to getting rid of the message is to address the root cause: the hack.
Scan your site with MalCare for free. It is the first step to dealing with this entire mess.
Option 1: Use a security plugin to scan and clean a hacked website
1. Install MalCare on your site and wait for your site to sync.
2. At the end of the sync, you will have a scan report. Here, you will find out if your site is really hacked or not.
3. If MalCare has discovered malware, use the Clean Malware option to start an auto-clean. Please note that malware removal is a premium feature. You can also choose to review the malware before starting the cleanup.
4. MalCare hack cleanups also automatically take steps to prevent reinfections. You will see options to clear the caches, reset salts and security keys, and reset passwords. We recommend checking all these options, so as to reduce your workload later on.
5. And that’s it! Once you start the process, you will see a progress screen. Within minutes, your site is now squeaky clean and free of malware.
If you cannot access wp-admin because of a redirect or your web host has taken your site offline, get in touch with our support team and we will help you with the next step.
Option 2: Hire a WordPress expert or maintenance service
You may have ninja chops as a WordPress developer, and even then a manual cleanup will take you absolutely ages.
A WordPress maintenance service will charge you an astronomical sum for cleanup, which they will indemnify for a short period, and then themselves use a tool like MalCare for malware removal.
Also, a maintenance service is not always available. You will need to book a slot with them and cool your heels until they are done. Malware is a ticking time bomb, so any sort of waiting is a bad idea.
Finally, you will need to take their security advice, in order to be indemnified from reinfection. WordPress maintenance services are expensive—with good reason—and this is not a fee you want to shell out every so often.
Option 3: Clean malicious code from your site manually
Finally, we have come to the please-do-not-try-this-at-home section of this article.
Cleaning a hack from a WordPress site is not easy—unless you have the right tools. Manual malware scanning and removal appear to be attractive because they are free options. However, they become very expensive in the long term. Therefore we strongly recommend choosing the right security plugin to scan, remove, and protect your site instead.
Malware is diverse, ever-evolving, and crafty. As we write this guide to malware removal, listing things to look for, hackers will tweak a character here and there to make sure this guide doesn’t work on their malware. We know what we are talking about because MalCare has cleaned 1000s of sites, and protects 10s of 1000s of WordPress sites every day from the nastiness of hackers.
If you choose to go through with manual cleaning, please backup your site first. A hacked site is better than an asteroid-induced crater where your site used to be.
Prerequisites for cleaning your site manually
Please note: The instructions in this section are generalised, as sites vary significantly from each other. There is no one universal solution to malware, so a lot of the steps are abstracted out to suit most WordPress sites, and may not apply to yours at all. Please proceed with caution.
a. Restore access to your site
Several web hosts will suspend your site if their scans reveal malware on them. This is done to protect their servers and other customers. If your site is offline, reach out to your web host to get it back online. They will probably not make the site publicly accessible, but you can request them to whitelist your IPs for cleaning purposes.
Additionally, ask them to provide you with the results of their scans. This makes a good starting point to work from.
b. Backup your site
This is not a drill. Manually cleaning malware is a dangerous exercise and prone to many mistakes. Backup your full site, malware and all, before starting. If anything goes wrong during the process, you can go back to the backup to start again.
Also, if your web host is unaware of the malware on your site as of your discovery, a backup is highly recommended. There are some very trigger-happy web hosts, who will not give you access to your hacked site, and will delete it out of hand. A backup is all you will have left.
BlogVault is the best WordPress backup plugin to use, as it stores the backups on external servers. You don’t need to go through your web host, or even log into your site server, to retrieve a BlogVault backup, which is a godsend when dealing with a hack.
Please note: If you already use backups, restoring one will not rid your site of malware. Remember that the site had vulnerabilities that got it hacked in the first place, plus you have no way of knowing when the hack appeared on your site.
c. Download fresh WordPress core, plugin, and theme installs
Make a list of the version of WordPress installed on your site, and those of all the plugins and themes as well. Go to the WordPress repository or the developer sites and download the official installs. The versions are important because different versions have code changes, and may cause compatibility issues. So, while you may be tempted to get the latest versions, resist the temptation till after you clean the site.
Do not, under any circumstances, download nulled software, even if it was installed on your site before. If you had nulled software installed, chances are that those are the entry points for malware on your site. Hackers fill up nulled software with malware or backdoors.
Unzip all the installs, and compare the code file by file, directory by directory with the installs on your site. As you can imagine, this is a lengthy process, and if you have a complex theme like a page builder or use more than a handful of plugins, this is very easily going to take several days to complete. You can use an online diff checker to speed up the process, but you will still need to paste the comparisons manually.
Please note: Not all differences are bad. Analytics code, for instance, is added to your site’s theme or functions.php file in the wp-includes directory. This is intentional and desired, so you need to be able to differentiate between bad additional code and good additional code.
Make a list of all the differences and keep them aside for the moment.
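The file-by-file comparison described above can be scripted instead of pasted into an online diff checker. The following is an added example, not code from this article or from MalCare: it hashes every file in a copy of your site and in a fresh install of the same WordPress version, then reports files that differ, files present only on the site, and files missing from it. The allow-list of expected extras (wp-config.php, .htaccess, the wp-content subdirectories) and the sample trees built by `demo()` are constructed assumptions; extend the allow-list with the files your own caching or firewall plugins add.

```python
"""Compare a site's WordPress tree against a fresh install of the same
version and report modified, extra and missing files (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extras that belong on a real site and must not be reported. This is a
# constructed allow-list; add whatever your own plugins are known to create.
EXPECTED_EXTRAS = {"wp-config.php", ".htaccess"}
EXPECTED_EXTRA_DIRS = ("wp-content/uploads", "wp-content/plugins", "wp-content/themes")


def _sha256(path: Path) -> str:
    """Content hash of one file, read in chunks so large uploads are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _index(root: Path) -> dict:
    """Map relative POSIX paths to content hashes for every file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            files[path.relative_to(root).as_posix()] = _sha256(path)
    return files


def compare_install(site: str, fresh: str) -> dict:
    """Return {'modified': [...], 'extra': [...], 'missing': [...]}, each sorted."""
    site_idx, fresh_idx = _index(Path(site)), _index(Path(fresh))
    modified = [p for p in site_idx if p in fresh_idx and site_idx[p] != fresh_idx[p]]
    missing = [p for p in fresh_idx if p not in site_idx]
    extra = [
        p for p in site_idx
        if p not in fresh_idx
        and p not in EXPECTED_EXTRAS
        and not p.startswith(EXPECTED_EXTRA_DIRS)
    ]
    return {"modified": sorted(modified), "extra": sorted(extra), "missing": sorted(missing)}


def demo() -> dict:
    """Build a constructed fresh install and a constructed copy of a site with
    one edited core file and one unexpected file, then compare them."""
    base = Path(tempfile.mkdtemp())
    fresh, site = base / "fresh", base / "site"
    for root in (fresh, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4';\n")
    # Site-only differences (constructed): an expected extra, an edited core
    # file, and a file that has no counterpart in the fresh install.
    (site / "wp-config.php").write_text("<?php // real config, expected extra\n")
    (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n/* appended */\n")
    (site / "wp-includes" / "extra-file.php").write_text("<?php // not in fresh install\n")
    return compare_install(str(site), str(fresh))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run `compare_install("/path/to/site-copy", "/path/to/fresh-wordpress")` on a downloaded copy of the site rather than on the live server, and treat the `modified` and `extra` lists as the working list of differences to review, not as a list of files to delete.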
d. Check for fake plugins
Now that you have a swipe file of your installed plugins and themes, use the process of elimination to figure out if there are any extra plugins or themes in your wp-content directory.
Again, not all extras are illegitimate, but there are some telltale signs to spot nefarious plugins. Fake plugins typically have very few files and directories. The few files that they do have will have gobbledegook as code. Fake plugins also don’t look like real plugins, with outlandish names like ZZZ or ABC.
e. Reinstall WordPress core on your site
Up to this point, we were still setting the stage and gathering the necessary tools. The heavy lifting starts here. The first order of business is to reinstall WordPress core files and directories.
Brush up on a primer of WordPress file structure if you need to before tackling this step. In case you have any custom code that you or your developer has added to the files, time to retrieve those as well and save them in a document elsewhere.
Please note that the following method of WordPress installation is as trigger-happy as they come. Even when upgrading WordPress on our sites, we rarely use this method.
Use FTP or cPanel’s File Manager to look at the directory structure of your site. Replace the following directories completely with the same ones from the fresh install: wp-admin and wp-includes.
Next, look at the loose files in the root directory. Open up all of them, but pay special attention to these:
index.php
wp-config.php
wp-settings.php
wp-load.php
.htaccess
Compare them to the ones in the fresh installs. There may be ‘odd’ code in these files. Unless it is a custom snippet you recognise, say permalink rules in the .htaccess file, it may well be malware. In fact, the .htaccess file is a prime target for redirect malware, and just deleting the code from this file often doesn’t work. The malware just reappears.
We do realise that ‘odd’ is vague. However, as we said before, malware can take many forms. Hackers obfuscate code, spread it over many files, hide it in the database, and do everything possible to keep it hidden. So pinpointing malware can become tricky.
Next, go into the wp-uploads directory. There should not be any executable files here at all. The folder is a repository for uploaded files, and therefore is the most accessible folder in your entire site. If a hacker was able to get an executable file onto your site via the uploads folder, they could then execute it and thus hack your site. Delete any that you find in that folder.
Finally, compare all the files and directories on your site with the fresh WordPress install. If you see any extras—barring plugins and themes, which we will get to in a minute—make a note. Don’t delete any of them right off the bat, because they could be necessary for plugins, say a caching plugin or a firewall one. But scrutinise them carefully, try deleting them one at a time to see if anything on your site breaks, and then make your best judgement about whether they are malicious files or not.
f. Clean plugin and theme folders
To complete spring cleaning your WordPress installation, you have to repeat all of what you just did in the previous step, but with the wp-content directory. This directory contains your plugins and themes, and is perhaps the most diverse part of any WordPress site.
The same caveats apply here too: compare carefully; avoid being trigger-happy with the delete button, and be mindful of customisations. Alternatively, you can replace the folders entirely with corresponding fresh installs, but that will wipe out any customisations like analytics code additions, for instance.
You may also want to check if any of your installed software has declared vulnerabilities. Those are the entry points for malware, although the malware isn’t necessarily contained in those folders only.
g. Clean malware from database
Download a copy of your site database using phpMyAdmin or Adminer. The database contains all of the user-generated content of your site, like posts, pages, comments, and so on. It also has a bunch of configuration settings. In short, it is a very important part of your site, so please be careful with it.
Check each of the pages and posts records in the wp_posts table. There may be malicious scripts on these, which is especially the case with redirect malware. You’ll have to get rid of all of them. If you are familiar with how to use SQL queries, this process will be faster. Also check the wp_comments table for good measure. Spam in comments often trips up scanners.
Have a look at the wp_users table to see if there are any users you don’t recognise. Hackers often create accounts for themselves with admin access, so they can regain access to a site if the malware is cleaned.
Also, check the wp_options table. Redirect malware changes out a couple of records here: siteurl and home to be more precise. Both should be pointing to your site only.
We’ve already said that the database is very important, but please be extra cautious if you have a WooCommerce site. For e-commerce stores, the data is stored across many more tables, and are interlinked intricately for the site to function.
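The three database checks above (siteurl and home in wp_options, unrecognised administrators in wp_users, and script or iframe tags in wp_posts) can be run as queries against a downloaded copy of the database. The following is an added example, not code from this article or from MalCare. It assumes the default `wp_` table prefix and uses an in-memory SQLite database loaded with constructed sample rows as a stand-in for the MySQL copy you would export via phpMyAdmin or Adminer; the expected URL, the list of administrators you recognise, and the `evil.example` values are all assumptions.

```python
"""Audit a WordPress database copy for tampered siteurl/home, unknown
administrators and script/iframe injections in posts (added example)."""
import re
import sqlite3

# Constructed sample data, not taken from any real site: one legitimate
# admin, one attacker-created admin, one clean post and one injected post.
SAMPLE_SQL = """
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
INSERT INTO wp_options VALUES ('siteurl', 'https://evil.example/r'),
                              ('home',    'https://www.example.com');
CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
INSERT INTO wp_users VALUES (1, 'alice'), (2, 'wp-update-svc');
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
INSERT INTO wp_usermeta VALUES
  (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
INSERT INTO wp_posts VALUES
  (10, 'Hello', '<p>Welcome to the site.</p>'),
  (11, 'About', '<p>About us.</p><script src="https://evil.example/x.js"></script>');
"""

# Tags that should not appear in ordinary post content.
INJECTION_RE = re.compile(r"<script\b|<iframe\b", re.IGNORECASE)


def audit_database(conn, expected_url: str, known_admins: set) -> dict:
    """Return findings for the three checks; empty lists mean nothing found."""
    cur = conn.cursor()
    findings = {"options": [], "admins": [], "posts": []}

    # 1. siteurl and home must both point at the real site.
    for name, value in cur.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"
    ):
        if value.rstrip("/") != expected_url.rstrip("/"):
            findings["options"].append((name, value))

    # 2. Administrator accounts the site owner does not recognise. The
    #    capabilities are a serialised PHP array, so a LIKE match is enough.
    rows = cur.execute(
        "SELECT u.ID, u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%'"
    )
    findings["admins"] = [(uid, login) for uid, login in rows if login not in known_admins]

    # 3. Posts whose content carries script or iframe tags.
    for pid, title, content in cur.execute(
        "SELECT ID, post_title, post_content FROM wp_posts"
    ):
        if INJECTION_RE.search(content):
            findings["posts"].append((pid, title))
    return findings


def demo() -> dict:
    """Load the constructed sample and audit it with assumed owner inputs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return audit_database(conn, "https://www.example.com", {"alice"})


if __name__ == "__main__":
    for check, hits in demo().items():
        print(check, hits)
```

The same three SELECT statements run unchanged in phpMyAdmin against a MySQL copy. Review each hit before editing anything: a theme or plugin that legitimately embeds an iframe will show up in the third check, and the point of the query is to shorten the list you read by hand, not to decide for you.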
h. Remove all backdoors
After getting rid of the malware, you now need to plug the entry points. Malware is often inserted into a site via backdoors. Backdoors are also malware, and shouldn’t be confused with vulnerabilities. Vulnerabilities are security lapses in legitimate code.
As you did with malware, examine your site for backdoors. Look for functions like these:
eval
base64_decode
gzinflate
preg_replace
str_rot13
These functions are not inherently bad, and they have legitimate uses; however, those are few and far between. They are mostly used by hackers. Regardless, use discretion when removing them.
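Because these functions also have legitimate uses, a flat search for their names produces a long list of false positives. The following added example, which is not code from this article or from MalCare, serves both the uploads check in step e and the backdoor search in this step: it walks a copy of the site, flags any PHP code under wp-content/uploads outright, and for every other PHP file scores how the listed functions are used, so that a single `base64_decode` call scores low while nested decode-then-eval chains and `preg_replace` with the `/e` modifier score high. The weights, the threshold of 4, the file extensions treated as PHP, and the sample files built by `demo()` are all constructed assumptions to tune for your own site.

```python
"""Flag PHP under wp-content/uploads and score suspicious use of
eval/base64_decode/gzinflate/str_rot13/preg_replace (added example)."""
import os
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")

# Assumed weights: eval is the strongest single signal, base64_decode alone
# is common in legitimate code, preg_replace only matters with /e.
WEIGHTS = {"eval": 3, "base64_decode": 1, "gzinflate": 2, "str_rot13": 2, "preg_replace": 0}
CALL_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|preg_replace)\s*\(")
# One decode layer feeding directly into another (lookahead so overlaps count).
CHAIN_RE = re.compile(
    r"(?=(eval|gzinflate|str_rot13|base64_decode)\s*\(\s*(gzinflate|str_rot13|base64_decode)\s*\()"
)
# preg_replace('<delim>pattern<delim>modifiers', ...): capture the modifiers.
PREG_E_RE = re.compile(r"preg_replace\s*\(\s*['\"]([^\w\s])(.*?)\1([a-zA-Z]*)['\"]")
THRESHOLD = 4


def score_php(source: str) -> int:
    """Heuristic score: listed calls, plus extra for chains and /e."""
    score = sum(WEIGHTS[m.group(1)] for m in CALL_RE.finditer(source))
    score += 3 * len(CHAIN_RE.findall(source))
    score += sum(4 for m in PREG_E_RE.finditer(source) if "e" in m.group(3))
    return score


def scan_tree(root: str) -> list:
    """Return sorted findings: {'path', 'reason', 'score'} per flagged file."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            data = path.read_bytes()
            # Treat a file as PHP by extension or by an opening tag in its head,
            # so a script saved with an image extension is still caught.
            is_php = path.suffix.lower() in PHP_EXTENSIONS or bool(PHP_OPEN_TAG.search(data[:4096]))
            if not is_php:
                continue
            if rel.startswith("wp-content/uploads/"):
                findings.append({"path": rel, "reason": "php-in-uploads", "score": None})
                continue
            score = score_php(data.decode("utf-8", "replace"))
            if score >= THRESHOLD:
                findings.append({"path": rel, "reason": "suspicious-php", "score": score})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed site tree with one clean image, one PHP file hiding
    in uploads, one legitimate decode, one /e filter and one decode chain."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-content/uploads/2024/image.jpg": b"\xff\xd8\xff\xe0 jpeg bytes only",
        "wp-content/uploads/2024/thumb.jpg": b"<?php echo 'not an image';",
        "wp-content/plugins/legit/api.php": b"<?php $claims = json_decode(base64_decode($token), true);",
        "wp-content/plugins/old/filter.php": b"<?php $out = preg_replace('/<b>(.*?)<\\/b>/e', 'strtoupper($1)', $in);",
        "wp-content/themes/t/footer.php": b"<?php\neval(gzinflate(base64_decode('PLACEHOLDER')));\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return scan_tree(str(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_tree` at the downloaded copy of the site, then read every flagged file in full before deciding: the score ranks the review queue, and a file that merely scores above the threshold is a candidate to compare against the fresh install, not a confirmed backdoor.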
i. Reupload the malware-free site
If you were working on a backup to clean your site, this is the point at which you upload the cleaned version to your server. Perhaps you were working directly on the site using File Manager, in which case you can skip this step.
We recommend using FTP to restore the site files. For the database, you will need to drop all the tables and import the cleaned version in its place.
j. Clear all caches
Flush out all the caches: caching plugins, browser caches, WordPress caches, etc. Caches store copies of your site to speed up loading for visitors. Chances are the hacked site is still accessible via a cache.
k. Scan your site again
This step is a check to confirm that the malware has really gone. Deep-scan your site with a WordPress security plugin though, because an online scanner will not be able to scan every part of your site. If you get a clean bill of health, congratulations. You have pulled off a major feat!
Why you should avoid manual malware removal
Remember our analogy about malware being like a weed? It is not enough to cut a weed off at ground level and leave the roots intact. It will grow back. Malware is exactly the same way.
Malware leaves backdoors for reinfection. If you miss a single backdoor or forget to remove a user account, your site is as good as hacked again.
We have seen malware that has configured cron jobs so that, even if it is deleted, it reappears in 12 hours. Imagine all that hard work you’ve put in to remove malware, possibly over days or weeks, and it comes back in a fraction of that time. It is frustrating, to say the least.
Additionally, a single mistake can bring down your site. That is not to imply that WordPress is fragile, but more so that every part needs to perform its task for optimal operation. Even WordPress experts will use tools to remove malware from sites.
Finally, you have spent time and other resources to create your site. While we understand that costs are a factor in every decision, this is not the place to make that compromise. By all means, update WordPress manually or create your own theme. But malware is the line in the sand.
Step 2: Remove the SERP flag
Now that your site is free of malware, you need to request Google to reindex your site. In doing so, their scanners will scrutinise the site again for malware.
Google scans its index on a regular basis, and our general experience has shown that it takes about 3 days on average to do so. However, their support documentation requests patience, and the official timeline is a few weeks. So you can request a Google review to speed things up a little bit.
Please note: You must be absolutely sure that there is no malware left on your site before submitting the review request. If Google scans your site and finds malware, they will reject the request. In certain cases we have seen, the site admin puts in a few too many requests and gets a ban of 30 days.
The request process is simple:
- Open Google Search Console
- Navigate to the Security Issues tab, and scroll right to the end
- Click on ‘Request a review’
- Complete the form, going into as much detail as possible, with the steps you’ve taken to resolve the security issues
- Submit the request
We strongly recommend being patient. Yes, the warning is very alarming and you want it gone as soon as possible. However, repeatedly contacting Google will only be to your detriment.
What if Google still flags your site as hacked?
You’ve checked your site after malware removal, and the scanner or Google still thinks your hacked site needs repair. Now what?
There could be a bunch of reasons why Google is flagging your site:
Once you are certain there are no remnants of malware, submit the review request once more. This is another reason why we recommend patience. Mistakes will happen, and you want as many opportunities to correct them as possible.
Step 3: Stop ‘This site may be hacked’ from reappearing
On this side of the whole ordeal, things are looking a lot more hopeful. No more malware and no dire warnings from Google like “the site ahead contains harmful programs” or other blacklists, is a great combination for any WordPress admin.
Plus, you beat the hackers, so take a moment to celebrate.
The next order of business is to make sure it doesn’t happen again. Granted, there is no such thing as 100% security. Big web hosts and large corporations have succumbed to attacks even with dedicated security teams in place. But equally, there are still some things you can do to protect your site from most threats.
These steps can help protect your site, or at the very least, help it recover easily from malware infection.
Impact of the flag
In a word? Bad.
Any warnings of malware and hacks are sure to scare off visitors, and rightly so. Hackers fill up sites with malware for social engineering attacks, like phishing, or to piggyback on your SEO to sell unsavoury items and services.
Malware has caused site owners to:
- Lose their SEO ranking
- Lose their hard-earned brand trust and reputation
- Outright lose revenue for small businesses that rely on their sites
- Lose work, time, money, and effort put into building and maintaining the site
- Spend exorbitant amounts on malware removal
- Have legal issues because of compromised user data
Conclusion
Google’s ‘This site may be hacked’ warning comes as a shock to unsuspecting site admins. The only way to protect your site from hackers that cause issues like this is to install a WordPress security plugin with an integrated firewall.
Malware needs to be addressed on priority. It is one of the things that get progressively worse the longer it is left. Malware can spread to all corners of your site. It can spread to your other sites as well, if they are on the same cPanel. It can also be programmed to trick visitors into sharing personal information. In fact, Google also tracks the time it takes a site administrator to deal with malware. So acting fast is in your best interest.
Finally, there is a ton of well-intentioned but poor security advice out there. People have attempted to share their experiences with the view to helping others, as is consistent with WordPress community spirit, however not all measures will work for everyone.
FAQs
How to remove the ‘This site may be hacked’ notice?
To remove the ‘This site may be hacked’ notice on Google, you must remove the malware from your site. Use a WordPress security plugin like MalCare to scan your site, and then clean malware from it in minutes. Once the malware is removed, use Google Search Console to request a review from Google to get off the blacklist.
Why does Google say ‘This site may be hacked’?
Google scans the sites in its index regularly for malware and spam. When it finds anything suspicious, the site is blacklisted and this sort of notice is posted to warn visitors away from the infected site. The solution is to remove the malware with a security plugin and request a review from Google.
How to check if my site has been hacked?
To check if your site has been hacked, you need to scan it for malware. For WordPress sites, the most effective way is to deep-scan using MalCare. MalCare will scan your site files and database for malware, and then remove it with a click of a button. Furthermore, once the malware is removed, MalCare continues to protect your site with a sophisticated firewall and daily scans.
What does Google’s warning “This site may be hacked” mean for your site visitors?
Visitors who see this notice do not immediately realise that all this is because of a hack and freak out. Alternatively, they think that the site is unsafe and therefore their information is unsafe too. The upshot is that the site loses visitors and, if it is a business site, there is loss of revenue too.