“This Site May Be Hacked”: Why It Shows & How to Remove It

unflagdomain Team · Updated June 9, 2026

When Google shows "This site may be hacked" under your search result, it means Google found pages on your site that look injected by a hacker — usually spammy or gibberish content you didn't create. Your site isn't blocked, but the label warns searchers. To remove it: find the injected pages, clean them, then request a review in Search Console.

TL;DR: "This site may be hacked" is a search-results label, not a full block — visitors can still click through. Google adds it after detecting hacked content, and the vast majority of infected sites Sucuri cleaned were CMS-based, led by WordPress (Sucuri, 2023). Clear it by removing injected spam pages, hardening logins, then requesting a Google review. There's no instant fix.

If you just saw this label next to your own site, take a breath. It's common, it's fixable, and your site is still online. This guide walks you through what the warning means and exactly how to clear it — in plain language, for site owners rather than developers.

What does "This site may be hacked" mean?

It means Google's automated systems found content on your site that looks like it was added by a hacker — typically injected spam pages, hidden redirects, or gibberish text. Google explains the label appears when it believes "a hacker may have changed some of the existing pages on the site or added new spam pages" (Google Search Central, 2024). It's a warning, not a block.

Here's the important distinction. This label sits under your listing in search results — searchers see it, but they can still click through to your site. That's different from the full red interstitial "Deceptive site ahead" screen, which blocks the page entirely. The "may be hacked" label is Google's gentler signal that something on your site looks compromised.

So why does it matter if people can still visit? Because trust and traffic drop fast. Most searchers won't click a result that warns of a hack, and the label tells you Google has likely indexed spam pages under your domain name. The underlying problem is real, even if the consequence is softer than a full block.


Why is Google flagging my site as hacked?

Because Google's crawlers found pages or content that match patterns of a hacked site — most often injected SEO spam. Hacked sites are widespread: Google's Safe Browsing protects billions of devices and flags dangerous and deceptive sites daily (Google Safe Browsing, 2024). When attackers exploit a weak plugin or stolen password, they inject content, and Google's systems detect it.

Injected SEO spam (the most common cause)

The usual cause is spam injection, not a dramatic takeover. Attackers quietly add pages selling counterfeit goods, pharmaceuticals, or gambling — often invisible to you but fully visible to Google's crawler. They piggyback on your domain's reputation to rank their spam. You might never notice until the label appears or traffic dips.

In our experience running unflag, many owners check their homepage, see it looks normal, and assume Google made a mistake. But injected spam is usually hidden from regular visitors and served only to search engines or specific referrers. The pages are real and indexed — you just can't see them by browsing your own site. We don't scan or clean sites ourselves; we clear the residual blocklist flags once you've removed the spam. That gap between what an owner sees and what crawlers see is exactly why the label feels like a false alarm when it isn't.
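
One way to check for that gap yourself, as an added example rather than unflagdomain's or Google's own tooling: request the same URL as a browser, as a crawler, and as a visitor arriving from a search result, then report anything that only the last two receive. The profile headers, the function names and the `constructed_fetch` stand-in site are assumptions made for this illustration.

```python
import re
import urllib.request

# What a normal visitor sends vs. a crawler vs. a visitor clicking a search result.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
PROFILES = {
    "browser": {"User-Agent": UA},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_referrer": {"User-Agent": UA, "Referer": "https://www.google.com/"},
}

def summarize(html):
    """Return (hosts linked from the page, words in its visible text)."""
    hosts = {h.lower() for h in re.findall(r'href=["\'](?:https?:)?//([^/"\'\s>]+)', html, re.I)}
    text = re.sub(r"(?is)<(script|style)\b.*?</\1>|<[^>]+>", " ", html)
    return hosts, set(re.findall(r"[a-z]{4,}", text.lower()))

def http_fetch(url, headers):
    """Live fetcher for your own site: returns (final URL after redirects, HTML)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def cloaking_report(url, fetch=http_fetch):
    """Fetch url under each profile and report what differs from the browser view."""
    views = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    base_url, base_html = views["browser"]
    base_hosts, base_words = summarize(base_html)
    report = {}
    for name in ("crawler", "search_referrer"):
        final_url, html = views[name]
        hosts, words = summarize(html)
        diff = {"redirected_to": final_url if final_url != base_url else None,
                "extra_link_hosts": sorted(hosts - base_hosts),
                "extra_words": sorted(words - base_words)}
        if any(diff.values()):
            report[name] = diff
    return report

def constructed_fetch(url, headers):
    """Constructed stand-in for a compromised site, so the example runs offline."""
    clean = '<html><body><h1>Bakery</h1><a href="/menu">Fresh bread daily</a></body></html>'
    if "Googlebot" in headers.get("User-Agent", ""):
        spam = '<div><a href="https://pills.example/buy">cheap pills online</a></div>'
        return url, clean.replace("</body>", spam + "</body>")
    if "google." in headers.get("Referer", ""):
        return "https://shop.example/landing", "<html><body>replica watches</body></html>"
    return url, clean
```

Call `cloaking_report("https://yourdomain.com/")` to use the live fetcher against your own site, or pass `fetch=constructed_fetch` for the offline dry run. An empty report is not proof the site is clean, because some injections decide by the crawler's IP address rather than its headers; the Security Issues report in Search Console still shows what Google actually saw.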

A genuine compromise

Sometimes it's a fuller compromise: a hacker has admin access and is modifying real pages, adding redirects, or planting backdoors. Outdated software is the usual entry point. Sucuri found that a significant share of compromised sites were running outdated components at the time of infection (Sucuri, 2023), and most flaws come from third-party plugins and themes rather than core platforms.

Either way, the fix is the same: find what was added, remove it, and lock the door behind you. If your site also shows a full warning screen, our guide on the deceptive site ahead warning covers that companion case.

How do I find the injected content on my site?

Start in Google Search Console, because Google often tells you exactly which pages it flagged. Open the Security Issues report — if your site is affected, Google lists the hacked URLs and sample injected content there (Google Search Central, 2024). This is the fastest way to see what the crawler saw, even when the pages are invisible to normal visitors.

Use the site: search trick

One quick check we recommend before anything else: search Google for site:yourdomain.com and scroll through the results. Injected spam pages stand out immediately — you'll see listings for pharmaceuticals, replica goods, or strings of foreign-language keywords that you never published. When we scan a domain across our catalog of 124 active security vendors, the domains that trip multiple blocklists at once are almost always the ones carrying this kind of indexed spam — so the site: check tends to predict how widely a site has been flagged elsewhere.

Scan with a security tool

Then run a malware scanner. If you're on a CMS, a reputable security plugin (Wordfence, Sucuri, or MalCare for WordPress) scans for injected files, modified core files, and suspicious redirects. This matters because CMS platforms are the main target — Sucuri reported the vast majority of infected sites it cleaned were CMS-based, led by WordPress (Sucuri, 2023). Write down everything the scan finds; you'll reference it in your review request.


How do I remove "This site may be hacked" content?

Remove every injected page and file, then close the security hole that let the attacker in. The order matters: clean first, harden second, request review last. Skipping the hardening step is the top reason warnings come back — Google re-scans when you request a review, and any leftover spam means an instant re-flag.

Clean out the injected content

Work through the URLs from Search Console and your scan results. Delete injected spam pages, remove malicious redirects, and clean modified files. If you use a security plugin, its cleanup feature can quarantine or remove injected files automatically. The goal is simple: zero pages, scripts, or redirects you didn't create.
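
To turn "zero files you didn't create" into a checkable list, this added example (not part of the original guide or of any security plugin) compares the live web root against a clean copy of the same release by SHA-256. It assumes you have such a clean copy, for example a fresh download of the same CMS, plugin and theme versions or a backup from before the compromise, and that `wp-content/uploads/` is the only directory where live-only files are expected; `build_constructed_demo` writes constructed sample files for a dry run.

```python
import hashlib
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_clean_copy(live_root, clean_root, user_content=("wp-content/uploads/",)):
    """Classify live files against a known-clean copy of the same release.

    added:    on the live site only (injected pages, dropped scripts)
    modified: same path, different contents (tampered core/plugin/theme files)
    missing:  in the clean copy but gone from the live site
    Files under user_content are expected to be live-only, so they are
    reported there only when they are script or server-config file types.
    """
    live, clean = manifest(live_root), manifest(clean_root)
    script_ext = (".php", ".phtml", ".js", ".htaccess")
    added = []
    for path in live.keys() - clean.keys():
        in_user_dir = any(path.startswith(d) for d in user_content)
        if not in_user_dir or path.lower().endswith(script_ext):
            added.append(path)
    return {"added": sorted(added),
            "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
            "missing": sorted(clean.keys() - live.keys())}

def build_constructed_demo(base):
    """Write a tiny constructed 'clean' and 'live' tree under base for a dry run."""
    files = {"clean/index.php": "<?php // core",
             "clean/wp-includes/load.php": "<?php // load",
             "live/index.php": "<?php // core",
             "live/wp-includes/load.php": "<?php // load + unexpected include",
             "live/cheap-pills/index.html": "spam page",
             "live/wp-content/uploads/photo.jpg": "image bytes",
             "live/wp-content/uploads/cache.php": "<?php // script in uploads"}
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return Path(base) / "live", Path(base) / "clean"
```

Review every `added` and `modified` path before deleting anything, and keep the list: it is the record of what you cleaned that the review request asks you to describe.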

Harden so it doesn't return

Now close the door. Most compromises trace back to outdated plugins, themes, or weak credentials, with the bulk of CMS vulnerabilities coming from third-party extensions rather than core software (Patchstack, 2024). Run through this checklist:

  • Update everything — CMS core, every plugin, and every theme.
  • Delete unused plugins and themes — dormant code still gets exploited.
  • Reset all passwords — admin, hosting, FTP, and database.
  • Enable two-factor authentication on every admin account.
  • Remove pirated ("nulled") plugins — a frequent malware source.

How WordPress owners should approach removal

If you're on WordPress specifically — which powers around 43% of all websites (W3Techs, 2025) — the cleanup steps map directly onto your dashboard. Use a security plugin to scan and clean, check the Users list for unknown admin accounts, and update everything. Our step-by-step walkthrough for removing the hacked warning on WordPress covers the exact clicks.

How do I request a Google review to clear the warning?

Once your site is fully clean, request a review in Google Search Console — this is the only official way to remove the label, and it's entirely manual. Open the Security Issues report, confirm you've fixed each listed problem, and click Request Review with a short note describing what you cleaned. There's no API and no button that clears it instantly.

Google re-crawls on its own schedule. For a properly cleaned site, the label typically clears within a few days, though Google doesn't promise a fixed timeframe. The single biggest mistake is requesting the review too early — if Google's re-scan finds any remaining injected content, it keeps the warning and you wait again. Be thorough before you submit.

We walk through the exact Search Console steps in our guide to removing your site from Google Safe Browsing. Because the review is manual, no tool — ours included — can submit it for you; you confirm the cleanup yourself inside your own Search Console account.

What if other security vendors flagged my site too?

A hacked site is rarely flagged by Google alone. Once injected spam appears, multiple blocklists — McAfee, Norton, Sucuri, Yandex, and others — can pick it up independently, each with its own separate review process. Google Safe Browsing alone shows tens of thousands of new unsafe sites per week (Google Transparency Report, 2024), and the vendor ecosystem mirrors and amplifies those signals.

This is where things get tedious. After cleaning, you'd normally hunt down each vendor's removal form or contact address by hand and submit a request to every one. Start by confirming the full list — you can check your domain against the major blocklists for free to see exactly who's flagging you.

In our experience running unflag, many owners clear Google, breathe a sigh of relief, and never realize other vendors still list them — quietly blocking email deliverability and corporate web filters for months. Our catalog tracks 124 active vendors (78 antivirus engines, 38 web blocklists, and a handful of RBL and search-engine sources), and it's common for a single hacked domain to be flagged by several at once. Clearing Google is necessary but rarely sufficient.

Rather than chase every form yourself, you can have unflagdomain email a removal request to every flagging vendor for a one-time €39. In our own dispatch process, each email is written uniquely per vendor — varied so they don't read as identical spam — and sent sequentially over a randomized window of roughly an hour, with your own address as the reply-to so responses come straight to you. Vendors that only take a web form (like AVG or ESET) or a manual review (like Google Safe Browsing) become guided dashboard cards instead, since there's no inbox to email. To be clear: we don't scan or clean your site — this guide is the cleanup, and you do that first — and no one can guarantee a vendor will delist. What we guarantee is dispatch: the request reaches every emailable vendor, your dashboard shows real sent, bounced, and failed counts per vendor, and we re-send on a bounce.

One quick note on false positives: if you believe a vendor flagged your clean website or URL by mistake, you can request removal the same way. This applies to website and URL flags only — a flagged downloadable file or EXE is a different process and outside what we handle.

Conclusion: clearing the label, step by step

"This site may be hacked" is a fixable problem, not a permanent stain. It means Google found injected spam pages — usually from an outdated plugin or weak password — and it's warning searchers while keeping your site reachable. The path out is consistent: find the injected content in Search Console and via a site: search, remove every piece of it, harden your logins and software, then request a manual review.

Don't rush the review. A clean, hardened site usually clears within days, but a half-finished cleanup just resets the clock. And remember Google is often only one of several vendors flagging you — confirm the full list and clear them all. For the bigger picture on what to do the moment your site gets flagged anywhere, see our guide on what to do when your website is flagged as dangerous.


FAQ
  • No. The "This site may be hacked" label sits under your search result, and visitors can still click through to your site. It's a warning that Google found injected spam pages. A full red "Deceptive site ahead" screen blocks the page entirely — that's a stronger, separate Safe Browsing warning.

  • After you fully clean your site and request a review in Google Search Console, the label typically clears within a few days for a properly cleaned site. Google doesn't promise a fixed timeframe and re-crawls on its own schedule. Requesting the review before the cleanup is complete just resets the wait.

  • Injected spam pages are usually hidden from regular visitors and served only to search engine crawlers or specific referrers. Your homepage can look perfectly fine while dozens of spam pages exist under your domain. Search Google for site:yourdomain.com to reveal pages you never created.

  • Scan with a security plugin like Wordfence or Sucuri, remove injected files and unknown admin users, then update every plugin, theme, and WordPress core. Reset all passwords and enable two-factor authentication. Finally, request a review in Google Search Console. Most WordPress flaws come from outdated third-party plugins and themes.

  • No. Requesting a review through the Security Issues report in Google Search Console is the only official way to remove the "This site may be hacked" label. The review is manual — there's no API or automated tool that can submit it. You confirm the cleanup yourself inside your own Search Console account.