This site may be hacked high
Google "This site may be hacked" label in search results
Google found injected spam or compromised pages and stamps a warning under your search result until you clean it and pass review.
What you see
This site may be hacked.
What’s actually happening
Your normal result still shows in Google, but a gray "This site may be hacked" line sits right under the title. There's no red interstitial and no block — clicking through still loads the page. Traffic from search craters anyway because almost nobody clicks a result Google says is hacked. In Search Console you'll see a Security Issues report flagging "Hacked: content injection" or similar.
Common causes
- A vulnerable plugin or theme got exploited and the attacker injected spam pages (pharma, replica goods, gambling) that Google then crawled and indexed.
- Cloaking code that serves spam HTML to Googlebot but the normal page to logged-in admins, so you don't see it in a browser.
- Injected links or hidden <div> spam in the footer, header, or post content pulled from the database.
- A backdoor in wp-content/uploads or a fake core file (e.g. wp-vcd.php, class-wp-xyz.php) re-infecting after you clean once.
- Stolen FTP/SFTP or wp-admin credentials used to upload content directly.
How to fix it
- Confirm scope in Search Console: Open Search Console > Security Issues. Use the sample URLs Google lists. Fetch them with curl -A "Googlebot" https://example.com/badpage to see the cloaked spam Googlebot sees; a normal browser request often returns a clean 404 or your real page. Cloaking that keys on Googlebot's IP addresses rather than the user agent will not respond to this, so also check the crawled HTML in Search Console's URL Inspection tool.
- Find and remove the injection: Search the DB for spam: wp post list or a SQL grep for terms like "viagra", "<script", base64_decode. Scan files for recently modified PHP: find . -name '*.php' -mtime -14. Diff core against a fresh WordPress download. Delete injected pages, backdoors, and any unknown PHP in uploads.
- Close the entry point and rotate secrets: Update WordPress core, every plugin, and theme. Delete nulled or abandoned plugins. Reset all admin passwords, force-logout sessions, change DB password and salts in wp-config.php, and rotate FTP/SFTP/hosting credentials.
- Verify it's actually gone, then request review: Re-fetch the sample URLs as Googlebot and confirm clean output. In Search Console > Security Issues, check "I have fixed these issues" and click Request Review. Add a short note of what you removed. Clearance typically takes a few days to a couple of weeks.
Stop it recurring
Keep core/plugins/themes patched, drop nulled plugins, and run file-integrity monitoring so re-infection trips an alert before Googlebot recrawls.
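One way to implement the file-integrity monitoring mentioned above, as an added example that is not part of the original page. The function names fim_baseline and fim_check, the script name fim.sh, and the manifest location are assumptions; it needs GNU find, sort, xargs and sha256sum, and the manifest must live outside the docroot so an attacker who can write to the site cannot rewrite it.

```shell
#!/bin/sh
# Added example: file-integrity check for a WordPress docroot.
# fim_baseline / fim_check are hypothetical names, not a real tool.

# Record "sha256  ./path" for every file under the docroot.
fim_baseline() {
  local root="$1" manifest="$2"
  ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# Compare the docroot with the manifest. Prints findings and returns 1 if
# anything was added, changed or removed, or if PHP sits under uploads.
fim_check() {
  local root="$1" manifest="$2" current report
  current=$(mktemp) || return 2
  fim_baseline "$root" "$current" || { rm -f "$current"; return 2; }
  # The awk pass reads the baseline first, then the current state.
  # The find pass reports PHP under uploads even if it was in the baseline.
  report=$(
    awk '
      { hash = substr($0, 1, 64); path = substr($0, 67) }
      !second            { base[path] = hash; next }
      { seen[path] = 1 }
      !(path in base)    { print "ADDED " path; next }
      base[path] != hash { print "CHANGED " path }
      END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$manifest" second=1 "$current" | sort
    ( cd "$root" && find ./wp-content/uploads -type f -iname '*.php*' 2>/dev/null ) |
      sed 's/^/PHP-IN-UPLOADS /'
  )
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Usage: sh fim.sh baseline|check DOCROOT MANIFEST
case "${1:-}" in
  baseline) fim_baseline "$2" "$3" ;;
  check)    fim_check "$2" "$3" ;;
esac
```

Take the baseline only after the cleanup and core diff are done, refresh it after each legitimate update, and run the check from cron so a non-zero exit raises the alert.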