
How to Remove Google's "This Site May Be Hacked" Warning

Jun 19, 2026 · 8 min read · By the Mend engineering team

When Google displays "This site may be hacked" beneath your search result, it means their automated systems found evidence of compromise — injected spam pages, hidden redirects, or malicious code — and are actively warning visitors away. The warning disappears only after you clean the site and submit a review request through Google Search Console. Most site owners can work through this in a single focused session, but the cleanup has to be thorough — a partial clean gets you flagged again within days.

What the Warning Actually Means

Google's Safe Browsing system scans the web continuously. When it spots signs of a compromised site — spam doorway pages, keyword-stuffed gibberish, malicious JavaScript, or cloaked redirects — it tags the domain and surfaces that tag in Search results. There are two closely related labels you might see:

  • "This site may be hacked" — typically indicates injected spam content or new pages created by an attacker.
  • "This site may harm your computer" (or a full red interstitial in Chrome and other browsers that consume the Safe Browsing list) — indicates malware being actively served to visitors. The review request goes through the same Security Issues panel, and the cleanup below is the same.

The label lives in your Search Console account under Security & Manual Actions → Security Issues. That panel is your source of truth — it often tells you exactly which URLs Google flagged, which is your first diagnostic clue.

Before You Start: Back Up What You Have

It sounds counterintuitive to back up a hacked site, but you need a snapshot of the current state before you change anything. Some cleaning steps are irreversible, and if something goes wrong mid-cleanup, you need a way to get back. Use your host's snapshot tool or a plugin like UpdraftPlus to grab a full backup — files and database — and store it somewhere off-server. Label it clearly as infected so you don't accidentally restore from it later. Download the web server access and error logs for the same period as well; hosts rotate them quickly, and they are the best evidence you will have of how the attacker got in.

Step 1 — Understand the Scope Before You Touch Anything

Attackers rarely hit just one file. Before deleting anything, map the damage:

  1. Open Google Search Console → Security Issues. Copy every flagged URL into a text file.
  2. Run a site search in Google: site:yourdomain.com. Scroll through the results looking for pages you didn't create — casino keywords, pharma terms, foreign-language doorway pages.
  3. Use Google's URL Inspection tool on your homepage and a flagged URL. Click "Test Live URL" — this shows you what Googlebot actually sees, including any cloaked content that's hidden from logged-in admins.
  4. Check your hosting file manager or SFTP for recently modified files. Sort /wp-content/ and /wp-includes/ by modification date. Files changed in the last 30–90 days that you didn't touch are suspects. Treat this as a starting point rather than a complete list: modification times can be forged with touch, and a backdoor dropped months ago will not show up here.

Step 2 — Lock Down Access Immediately

While the attacker's entry point is still open, anything you clean will be re-infected. Close the door first:

  • Reset all passwords — WordPress admin accounts, FTP/SFTP, the hosting control panel, and the database user (change it in the hosting panel, then update DB_PASSWORD in wp-config.php). Use a password manager and generate unique 20+ character passwords.
  • Audit user accounts in WordPress (Users → All Users). Delete any administrator accounts you don't recognise. Attackers frequently create ghost admin users to maintain persistence.
  • Regenerate WordPress security keys in wp-config.php. Fetch fresh values from the WordPress salt generator at https://api.wordpress.org/secret-key/1.1/salt/, paste them over the eight existing define() lines, and save. Login cookies are signed with these keys, so this invalidates every existing session and forces everyone out, including the attacker.
  • Check your hosting account for unauthorised FTP/SFTP sub-accounts and remove them.
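One way to do the key rotation from the command line instead of pasting from the generator, as an added example that is not from the original guide: the script below rewrites the eight define() lines in wp-config.php with fresh values read from /dev/urandom. It assumes the stock define( 'AUTH_KEY', '...' ); layout that wp-config-sample.php uses; the script name and the sample fragment it demonstrates on are constructed.

```shell
#!/bin/sh
# Rotate the eight authentication keys and salts in wp-config.php in place,
# which invalidates every existing login cookie. Added example; assumes the
# stock  define( 'AUTH_KEY', '...' );  layout that wp-config-sample.php uses.
set -eu

SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_salt: 64 alphanumeric characters from the kernel CSPRNG (about
# 380 bits). Alphanumeric only so the value is safe inside a sed expression.
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# salt_values FILE: print "NAME value" for each of the eight defines.
salt_values() {
  for name in $SALT_NAMES; do
    sed -n "s/^[[:space:]]*define([[:space:]]*'$name',[[:space:]]*'\([^']*\)'.*$/$name \1/p" "$1"
  done
}

# rotate_salts FILE: replace each value. The result is written to a temp
# file and only copied back once all eight defines are still present, so a
# failure leaves the original untouched. Copying with cat keeps the owner,
# mode and inode of wp-config.php (important when the web server owns it).
rotate_salts() {
  script=$(mktemp); out=$(mktemp)
  for name in $SALT_NAMES; do
    printf '%s\n' "s/^\\([[:space:]]*define([[:space:]]*'$name',[[:space:]]*\\)'[^']*'/\\1'$(random_salt)'/" >> "$script"
  done
  sed -f "$script" "$1" > "$out"
  if [ "$(salt_values "$out" | wc -l | tr -d ' ')" -ne 8 ]; then
    echo "refusing to write: did not find all eight defines in $1" >&2
    rm -f "$script" "$out"
    return 1
  fi
  cat "$out" > "$1"
  rm -f "$script" "$out"
}

# sample_config: constructed wp-config.php fragment for a dry run (not a
# real site). Prints the path it created.
sample_config() {
  f=$(mktemp)
  for name in $SALT_NAMES; do
    printf "define( '%s', 'put your unique phrase here' );\n" "$name" >> "$f"
  done
  printf "define( 'DB_NAME', 'wordpress' );\n" >> "$f"
  echo "$f"
}

# Usage on a live site:  sh rotate-salts.sh /var/www/html/wp-config.php
# With no argument, demonstrate on the constructed fragment.
if [ $# -ge 1 ]; then
  rotate_salts "$1" && echo "rotated salts in $1"
else
  f=$(sample_config); rotate_salts "$f"; salt_values "$f"; rm -f "$f"
fi
```

If WP-CLI is installed, wp config shuffle-salts does the same job. Either way, expect every logged-in user, yourself included, to be signed out the moment the file is saved.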

Step 3 — Run a Malware Scan

Install a reputable scanner. Wordfence Security (free tier) and MalCare are two widely used tools for this. Run a full scan and let it complete — don't skip files. Pay attention to:

  • Modified core WordPress files (Wordfence can diff them against the official release)
  • PHP files in /wp-content/uploads/ — uploads should never contain executable PHP
  • Obfuscated code: strings like eval(base64_decode(...)) or gzinflate in theme/plugin files
  • Injected <script> tags or iframe calls in theme template files

A scanner finds the symptoms. You still need to find the entry point — usually a vulnerable plugin, a nulled theme, weak credentials, or an abandoned staging environment on the same hosting account.
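The modification-date check from step 1 and the three file-level indicators listed above can be run in one pass over SSH, which is useful when the scanner plugin itself cannot be trusted. The script below is an added example, not part of the original guide or any scanner's code; it assumes a standard WordPress directory layout, and when run with no arguments it builds a small constructed tree (not a real site) to demonstrate on.

```shell
#!/bin/sh
# Filesystem triage for a WordPress install: files modified recently, PHP
# under uploads, obfuscation markers, and off-site <script>/<iframe> tags.
# Added example; assumes the standard WordPress directory layout.
set -eu

# recent_files ROOT DAYS: files under wp-content/ and wp-includes/ modified
# in the last DAYS days. Attackers can forge mtime with touch, so treat an
# empty result as "nothing obvious", not "nothing changed".
recent_files() {
  find "$1/wp-content" "$1/wp-includes" -type f -mtime "-$2" 2>/dev/null | sort
}

# php_in_uploads ROOT: any PHP-like file under uploads is a finding.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# obfuscated_php ROOT: PHP files using the usual dropper/decoder calls.
# Some legitimate plugins call base64_decode, so review each hit by hand.
obfuscated_php() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
    "$1" 2>/dev/null | sort
}

# injected_tags ROOT: theme/plugin PHP that embeds an external script or any
# iframe. Your own CDN will show up here too; the point is to read the list.
injected_tags() {
  grep -rliE --include='*.php' "<script[^>]+src=[\"']https?://|<iframe[^>]+src=" \
    "$1/wp-content/themes" "$1/wp-content/plugins" 2>/dev/null | sort
}

# triage_report ROOT DAYS: print all four lists with headings.
triage_report() {
  printf '== modified in the last %s days ==\n' "$2"; recent_files "$1" "$2"
  printf '== PHP under uploads ==\n';               php_in_uploads "$1"
  printf '== obfuscation markers ==\n';             obfuscated_php "$1"
  printf '== external script / iframe tags ==\n';  injected_tags "$1"
}

# build_sample_site: constructed tree for a dry run (not a real site).
# Two files are backdated to 2020 to stand in for untouched originals.
build_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2024/05" \
           "$root/wp-content/themes/twentytwentyfour" "$root/wp-content/plugins/akismet"
  printf '<?php $wp_version = "6.5";\n' > "$root/wp-includes/version.php"
  printf '<?php /* plugin */\n' > "$root/wp-content/plugins/akismet/akismet.php"
  touch -t 202001010000 "$root/wp-includes/version.php" "$root/wp-content/plugins/akismet/akismet.php"
  printf 'JPEGDATA\n' > "$root/wp-content/uploads/2024/05/photo.jpg"
  printf '<?php echo "not an image";\n' > "$root/wp-content/uploads/2024/05/wp-cache.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/wp-content/themes/twentytwentyfour/functions.php"
  printf '<head><script src="https://static.example.net/t.js"></script></head>\n' > "$root/wp-content/themes/twentytwentyfour/header.php"
  echo "$root"
}

# Usage on a real install:  sh wp-triage.sh /var/www/html 60
# With no arguments, run on the constructed sample tree.
if [ $# -ge 1 ]; then
  triage_report "$1" "${2:-60}"
else
  SAMPLE=$(build_sample_site)
  triage_report "$SAMPLE" 30
  rm -rf "$SAMPLE"
fi
```

Every list is a set of candidates to read, not a verdict: a page builder that legitimately calls base64_decode will appear alongside a dropper, and a file an attacker re-timestamped with touch will be missing from the first list. The uploads check is the one exception; there is no legitimate reason for a .php file to sit under wp-content/uploads/.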

Step 4 — Clean the Infection

Work through these areas systematically:

WordPress Core

Go to Dashboard → Updates and click "Re-install version X.X.X". This overwrites every core file with a clean copy without touching your content. Alternatively, download the matching version from wordpress.org and upload it via SFTP, overwriting everything except wp-content/ and wp-config.php. Either way, a re-install only replaces files that belong to the release; it does not delete extra files the attacker added, so compare a listing of your wp-admin/ and wp-includes/ against the clean archive and remove anything that isn't in it.

Plugins and Themes

Deactivate every plugin, then delete and reinstall each one from the official repository or a legitimate purchase source. Do the same for themes. Never reinstall a nulled or pirated theme — that's likely how you got here. If a plugin is abandoned (no updates in 2+ years), replace it with a maintained alternative. Also look in wp-content/mu-plugins/ and at drop-ins such as wp-content/object-cache.php, db.php and advanced-cache.php: these load on every request, never show as "active" in the plugin list, and are a favourite place to hide persistence.

Database

Attackers frequently inject spam links or JavaScript into post content, widget options, or the wp_options table. In phpMyAdmin, search the wp_posts and wp_options tables for suspicious strings — pharma keywords, hidden links, <script> tags, or base64 blobs. The Wordfence scanner will flag some of these, but a manual spot-check is worth doing on the siteurl, home, and active widget options, and on the cron option, where attackers schedule events that re-download their code after a cleanup.
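For a site of any size it is faster to grep a database dump than to page through phpMyAdmin. The script below is an added example, not from the guide or from any scanner; the pattern list is a starting point you will need to tune for your own content, the row format is the one mysqldump writes for wp_options, and the sample dump it demonstrates on is constructed.

```shell
#!/bin/sh
# Scan a mysqldump of wp_posts and wp_options for injected content and
# check that siteurl/home still point at your domain. Added example; the
# regexes are an assumed starting list, not the guide's, and need tuning.
# Take the dump first:  mysqldump -u USER -p DBNAME wp_posts wp_options > wp.sql
set -eu

# Strings that rarely belong in post content or option values.
SUSPECT_RE='<script[^>]*src=|<iframe|base64_decode|eval\(|display:[[:space:]]*none|viagra|cialis|casino'

# dump_suspects DUMP: matching dump lines with line numbers. mysqldump writes
# one INSERT per line, so a hit tells you the table and which rows to open.
dump_suspects() {
  grep -niE "$SUSPECT_RE" "$1" || true
}

# option_value DUMP NAME: value of a wp_options row as mysqldump writes it,
# (option_id,'name','value','autoload'). Works with one row per line or the
# default extended INSERT that packs every row on one line.
option_value() {
  sed -nE "s/.*\([0-9]+,'$2','([^']*)','[^']*'\).*/\1/p" "$1" | head -n 1
}

# check_site_urls DUMP EXPECTED_URL: 0 if siteurl and home both equal
# EXPECTED_URL, 1 (with a warning per option) otherwise.
check_site_urls() {
  ok=0
  for name in siteurl home; do
    v=$(option_value "$1" "$name")
    if [ "$v" != "$2" ]; then
      echo "WARNING: $name = '$v' (expected '$2')"
      ok=1
    fi
  done
  return $ok
}

# build_sample_dump: constructed dump with one clean post, one spam post and
# one injected widget (not real data). Prints the path it created.
build_sample_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://example.com','yes'),(3,'blogname','Example Site','yes');
INSERT INTO `wp_posts` VALUES (1,1,'2024-05-01 10:00:00','<p>Welcome to our site.</p>','Hello world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'2024-06-10 03:12:44','<p>Buy cheap viagra online</p><div style="display:none"><a href="https://spam.example.net/">casino</a></div>','Hello world','publish');
INSERT INTO `wp_options` VALUES (412,'widget_custom_html','a:2:{i:2;a:2:{s:5:"title";s:0:"";s:7:"content";s:52:"<script src="https://cdn.example.net/stat.js"></script>";}}','yes');
EOF
  echo "$f"
}

# Usage:  sh scan-dump.sh wp.sql https://yourdomain.com
if [ $# -ge 1 ]; then
  dump_suspects "$1"
  if [ $# -ge 2 ]; then check_site_urls "$1" "$2" || true; fi
else
  F=$(build_sample_dump); dump_suspects "$F"; check_site_urls "$F" https://example.com || true; rm -f "$F"
fi
```

A site that sells pharmaceuticals or runs a gambling blog will need the keyword part of the pattern removed; the markup part (<script src=, <iframe, display:none, base64_decode) is the useful half on almost every site.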

The .htaccess File

Download your .htaccess file and inspect it. A clean WordPress default is short — a few lines between # BEGIN WordPress and # END WordPress. Any rule you didn't add that redirects mobile users, bots, or visitors arriving from search engines to a different domain is malicious, as is anything that makes Apache execute image or text files as PHP. Replace it with the standard WordPress .htaccess if in doubt, and look for extra .htaccess files in subdirectories such as wp-content/uploads/, where attackers drop them to re-enable PHP execution.
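Added example, not part of the original guide: the script below flags the rule shapes that hacked .htaccess files usually contain and lists every directive that is not in the stock WordPress block. The rule list is an assumption drawn from common patterns, the stock block is the one WordPress writes for pretty permalinks (newer versions add comment lines, which the comparison ignores), and the sample file it demonstrates on is constructed.

```shell
#!/bin/sh
# Audit a WordPress .htaccess for the rule shapes hacked sites usually carry,
# and list what it contains beyond the stock block. Added example; the rule
# list is an assumption drawn from common patterns, not from the guide.
set -eu

# htaccess_findings FILE: prints "LINE: text" for each suspicious line.
# Your own http->https or www redirect will be listed by the second rule;
# that is deliberate, so that every off-site RewriteRule gets read.
htaccess_findings() {
  awk '
    /RewriteCond[ \t]+%.HTTP_(USER_AGENT|REFERER)/                    { print NR ": " $0; next }  # keyed on who is visiting
    /RewriteRule[ \t].*https?:\/\//                                   { print NR ": " $0; next }  # sends the visitor off-site
    /ErrorDocument[ \t]+[0-9]+[ \t]+https?:\/\//                      { print NR ": " $0; next }  # 404s served from elsewhere
    /(AddHandler|AddType|SetHandler).*php.*\.(jpe?g|png|gif|txt|ico)/ { print NR ": " $0; next }  # images executed as PHP
    /php_value[ \t]+auto_prepend_file/                                { print NR ": " $0; next }  # code loaded before every script
  ' "$1"
}

# The directives WordPress writes for "Post name" permalinks. The hash
# lines are part of the file, not shell comments. No blank lines: a blank
# pattern line would make grep -f match everything.
DEFAULT_HTACCESS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# extra_directives FILE: non-comment, non-blank lines that are not in the
# stock block. An empty result means the file is effectively the default.
extra_directives() {
  ref=$(mktemp)
  printf '%s\n' "$DEFAULT_HTACCESS" > "$ref"
  grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vxFf "$ref" || true
  rm -f "$ref"
}

# build_sample_htaccess: the stock block followed by a constructed injection
# of the kind that sends phones arriving from Google elsewhere, plus a
# handler that would run uploaded .jpg files as PHP. Not from a real site.
build_sample_htaccess() {
  f=$(mktemp)
  {
    printf '%s\n' "$DEFAULT_HTACCESS"
    printf '%s\n' 'RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]' \
                  'RewriteCond %{HTTP_REFERER} google\. [NC]' \
                  'RewriteRule ^(.*)$ https://landing.example.net/$1 [R=302,L]' \
                  'AddHandler application/x-httpd-php .jpg'
  } > "$f"
  echo "$f"
}

# Usage:  sh htaccess-audit.sh /var/www/html/.htaccess
# Also run it on every other .htaccess:  find /var/www/html -name .htaccess
if [ $# -ge 1 ]; then
  echo "== suspicious rules =="; htaccess_findings "$1"
  echo "== directives beyond the stock block =="; extra_directives "$1"
else
  S=$(build_sample_htaccess); htaccess_findings "$S"; extra_directives "$S"; rm -f "$S"
fi
```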

Step 5 — Verify, Then Request a Google Review

Before you request a review, make sure the site is actually clean:

  1. Use URL Inspection in Search Console to "Test Live URL" on every page Google flagged. The rendered HTML should look normal.
  2. Browse your site while logged out, from a private browser window, and by clicking through from a Google result rather than typing the address — attackers often show clean pages to logged-in admins and direct visitors, and the spam only to search engines and to visitors who arrive from a search.
  3. Run your domain through Google's Safe Browsing site status checker at https://transparencyreport.google.com/safe-browsing/search.
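Step 2 can be automated with curl, which sends no cookies and therefore always gets the logged-out view. The script below is an added example, not from the guide: it fetches the same URL as a normal browser, as Googlebot, and as a visitor referred from Google, then diffs the three bodies. The user-agent strings and the nonce-stripping rule are assumptions, and it only fetches the URLs you pass in.

```shell
#!/bin/sh
# Fetch one URL as a normal browser, as Googlebot, and as a visitor arriving
# from a Google search, then diff the three responses. Added example; the
# user-agent strings and the nonce-stripping rule are assumptions, not
# anything from the original guide.
set -eu

UA_BROWSER='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
UA_GOOGLEBOT='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# fetch_page URL USER_AGENT [REFERER]: response body, redirects followed,
# no cookies, so this is always the logged-out view.
fetch_page() {
  if [ $# -ge 3 ]; then
    curl -sSL --max-time 20 -A "$2" -e "$3" "$1"
  else
    curl -sSL --max-time 20 -A "$2" "$1"
  fi
}

# normalize: one token per line, with WordPress nonces blanked so the diff
# only reports real content differences. Extend the sed rule for any other
# per-request value your theme emits (timestamps, cache-buster strings).
normalize() {
  sed -E 's/_wpnonce[=:"]+[0-9a-f]{10}/_wpnonce/g' | tr -s '[:space:]' '\n'
}

# cloaking_check URL: 0 when all three views match, 1 when any differ
# (the first 40 differing tokens are printed for each view that differs).
cloaking_check() {
  d=$(mktemp -d)
  fetch_page "$1" "$UA_BROWSER" | normalize > "$d/browser"
  fetch_page "$1" "$UA_GOOGLEBOT" | normalize > "$d/googlebot"
  fetch_page "$1" "$UA_BROWSER" "https://www.google.com/" | normalize > "$d/google-referral"
  status=0
  for view in googlebot google-referral; do
    if ! cmp -s "$d/browser" "$d/$view"; then
      echo "== $1: $view view differs from browser view =="
      diff "$d/browser" "$d/$view" | head -n 40
      status=1
    fi
  done
  rm -rf "$d"
  return $status
}

# Usage:  sh cloak-check.sh https://yourdomain.com/ https://yourdomain.com/flagged-page/
for url in "$@"; do
  cloaking_check "$url" && echo "== $url: same content in all three views =="
done
```

A difference here is conclusive; an identical result is not. Some hosts and CDNs verify Googlebot by reverse DNS and hand a spoofed user agent the clean page, and malware can key on other signals such as IP range or time of day, so Search Console's Test Live URL remains the authoritative view of what Google received.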

Once you're confident the site is clean, go to Search Console → Security Issues, check the "I have fixed these issues" box, and click Request a Review. Write a short, honest description of what you found, what you removed, and what you changed to prevent recurrence. Google's review typically takes 1–3 days for the "hacked" label and up to 72 hours for Safe Browsing to update. Your Search result listing should clear shortly after the review passes.

How to Prevent This Happening Again

  • Keep everything updated. The majority of WordPress compromises exploit known vulnerabilities in outdated plugins and themes. Enable auto-updates for minor releases at minimum.
  • Use a web application firewall (WAF). Wordfence, Cloudflare, or your host's WAF blocks many exploit attempts before they reach WordPress, but it is a safety net, not a substitute for updates.
  • Two-factor authentication on all admin accounts. A stolen password alone can't log an attacker in.
  • Regular off-site backups with tested restores. Knowing you can restore cleanly in 20 minutes makes every security incident far less stressful.
  • Remove what you don't use. Inactive plugins and themes are attack surface. Delete them, don't just deactivate.

For a broader look at the hardening steps that have the highest actual impact, see our guide on WordPress security hardening.

When to Call a Professional

Manual cleanup works when the infection is straightforward. Call in a professional when:

  • You've cleaned the site and Google re-flags it within a week — the entry point is still open.
  • You can see flagged URLs in Search Console but can't find the corresponding files or database records.
  • Your host has suspended the account due to malware, and you need to negotiate restoration alongside cleanup.
  • You're not comfortable with SFTP, phpMyAdmin, or editing wp-config.php — one wrong move can take the site offline entirely.
  • The site is business-critical and every hour offline costs real money.

If any of those fit your situation, Mend's Emergency Rescue is built exactly for this. A senior engineer takes over, works backup-first, cleans the infection at the root cause, and submits the Search Console review on your behalf — most sites are clean and back in front of Google the same day. You get a plain-English report of exactly what was compromised and what changed. If it's not fixed, you pay nothing.

Not sure of the scope yet? Start with a free Diagnosis — no card required, and you'll get a clear picture of what you're dealing with and a flat price before any work begins.

For related reading on what to do when your site is actively serving malware to visitors, see our full guide: WordPress Site Hacked? Here's How to Clean It Up — Safely.

Frequently asked questions

How long does it take for Google to remove the "this site may be hacked" warning after I request a review?

Google typically processes hacked-site reviews within 1–3 days. Safe Browsing cache can take an additional 24–72 hours to propagate, so the warning may linger in search results slightly longer than the review itself takes.

Can I request a Google review before the site is fully clean?

You can, but you shouldn't. If Google's review finds the infection still present, you'll receive a failed review notice and need to wait before requesting again. Each failed request adds delay. Clean first, verify with URL Inspection, then request.

Will the "this site may be hacked" warning hurt my Google rankings permanently?

Not permanently. The label suppresses clicks and can trigger ranking drops while active, but once Google confirms the site is clean and lifts the flag, rankings typically recover within a few weeks — sometimes faster if the infection was short-lived.

My site looks fine to me. Why did Google flag it?

Attackers frequently use cloaking — serving clean pages to logged-in admins and to direct visitors, while showing spam content only to Googlebot and to visitors who arrive from a search result. Use Google Search Console's "Test Live URL" feature to see exactly what Googlebot sees, which will often reveal injected content invisible to you during normal browsing.