Remove the "This site may be hacked" warning from Google

Google shows "This site may be hacked" or a red full-screen warning on your site? Here's how to make it go away: clean up, request a review, and how long it takes.

By WP-Detox 6 min read

You type your site’s name into Google and see “This site may be hacked” sitting right under your result. Or worse: a full-screen red page warns your visitors that your site is dangerous before they even reach it. This Google hacked-site warning scares visitors off and tanks your sales, but it can be removed. The condition is simple: the site has to be genuinely clean before you ask Google for anything.

Two different alerts, two causes

Before you act, figure out which of the two applies to you. They don’t share the same cause or the same level of severity.

”This site may be hacked” (in search results)

This is the small gray label shown under your site’s title on the Google results page. It tells you Google detected injected content: fake pages, posts you never wrote, SEO spam (casino, betting, pharma, counterfeits). The attacker is using your domain name to rank their pages in Google. Your site stays reachable, but Google is warning users that some of the content isn’t yours.

This is typically what happens with an injection of casino spam posts: hundreds of auto-generated pages indexed under your domain.

The red “Deceptive site ahead” screen

This one is more serious. It’s the Google Safe Browsing interstitial: a full-screen red page that blocks access to the site, shown by Chrome, Firefox, and Safari. The message varies: “Deceptive site ahead,” “The site ahead contains malware,” “The site ahead contains harmful programs.” Google found malicious code served to your visitors (redirect to a fraudulent site, booby-trapped download, phishing). Traffic collapses immediately, because nobody gets past the red screen.

Why the alert won’t go away on its own

Key point: Google doesn’t remove the warning because you saw it, or because you changed your passwords. As long as the hacked content or the malicious code is still detected on your site, the alert stays. And even after a cleanup, Google doesn’t re-check instantly: you usually have to request a review.

Plenty of site owners delete three visible spam posts, think they’ve fixed the problem, then wonder why the alert sticks around. That’s normal: hundreds of hidden pages were left behind, or a backdoor that re-injects the spam. The cleanup has to be complete, or the review will be rejected.

Check in Google Search Console

Search Console is your source of truth. It’s where Google tells you exactly what it detected.

  1. Sign in to search.google.com/search-console with the account that owns the site.
  2. If your site isn’t there yet, add it and verify ownership (a file to upload or a DNS record).
  3. In the left menu, open Security & Manual Actions then the Security Issues report.

There you’ll see the exact type of problem: “Hacked content,” “Malware,” “Social engineering.” Google sometimes lists examples of affected URLs. Note them down: they’re your leads for the cleanup. As long as this page shows a problem, don’t request a review, it will be rejected.

Clean it for real, then request the review

A review is pointless on a still-infected site. So the order is: clean first, ask second.

The cleanup covers, broadly: find and delete the fake pages and posts, locate the backdoor file(s) that let the attacker come back, reinstall the WordPress core and plugins from clean versions, then change every credential (admin, FTP/SFTP, database). The full walkthrough is in our guide on what to do when WordPress is hacked.

Once the site is clean and verified:

  1. Go back to the Security Issues report in Search Console.
  2. Expand the problem details, then click Request a review.
  3. Describe in a few sentences what you did: type of infection identified, files removed, WordPress and plugins reinstalled, passwords changed. Be factual. Google reads these messages.
  4. Submit and wait.

An honest, specific message helps you get unblocked faster. Don’t downplay it, don’t say “I think it’s fixed”: describe the concrete actions.

How long before it disappears

Timelines depend on the type of alert.

  • Hacked content / SEO spam: the review is usually processed within 1 to 3 days. If you didn’t request a review but just cleaned up, Google will eventually recrawl and drop the label, but that can take several days to several weeks. The review speeds it up.
  • Malware (red screen): often 24 to 72 hours, sometimes a bit more. The red browser screen disappears as soon as Google updates its Safe Browsing list.

In the meantime, leave the site alone and don’t re-inject anything (no restoring an old infected backup).

If the warning persists after the cleanup

Review rejected, or the alert still there after several days? In almost every case, the cleanup was incomplete.

  • A backdoor was left behind. The attacker left a discreet file (often in wp-content/uploads, a fake plugin, or a modified index.php) that re-injects the spam after you’ve moved on. The site reinfects itself.
  • Spam pages are still indexed. You cleaned the server but Google still has injected URLs cached. Check with a site:yourdomain.com search and look for the sketchy pages.
  • A rogue admin account remains. A user you didn’t create still has access.
  • The malicious code is in a file you didn’t inspect: .htaccess, wp-config.php, a mu-plugin, or the database.

Go back to Search Console, look at the example URLs it provides, and deal with the source. If you keep going in circles, that’s usually the sign you need a deep cleanup rather than case-by-case deletions.

Browser, antivirus: don’t confuse them

The Google Safe Browsing red screen shows up in Chrome, Firefox, and Safari: Google is driving it. Removing it goes through Search Console.

A warning shown by a desktop antivirus (on a visitor’s computer) or by a third-party blocklist (a third-party reputation service) is independent of Google. Those lists have their own removal forms. But in 90% of cases, it’s the Google alert that affects you, and it’s fixed in the place we just covered.

FAQ

How long does Google take to remove the warning? 24 to 72 hours for malware after a review, 1 to 3 days for hacked content. Without a review request, expect much longer, sometimes several weeks.

Can I request the review without having cleaned up? No, well, you can, but it’ll be rejected. Google re-checks the site: if it still finds the infection, it rejects the request and the clock restarts.

The alert comes back a few days later. Why? The site reinfected itself. A backdoor was left behind and re-injected the hacked content. You have to find and remove it.

Avoiding a relapse

Once the alert is lifted, don’t stop there. Update WordPress, the theme, and the plugins, delete anything you don’t use, enforce strong passwords, and turn on two-factor authentication for admin accounts. The hardening steps are in our guide to securing WordPress after the cleanup. Without that, you risk seeing the red screen again in a few weeks.

Not sure your site is genuinely clean, or has the Google review already been rejected once? WP-Detox scans your site for free and identifies what Google detected. The cleanup takes about 30 minutes, costs €149 all-in, with a backup taken before any action. If we fail to remove the infection, you get refunded.

Read next