This Site May Be Hacked: How to Remove Google's Label

By · Updated · 6 min read

The “This site may be hacked” notice under your Google search listing means Google’s crawlers found signs of injected spam or unauthorized changes on your site: new pages you didn’t create, hidden links, or content that changes depending on who’s looking. It is removed by cleaning the hacked content and letting Google recrawl, or by requesting a review in Search Console if a hacked-content issue is listed there. Most sites see the label drop within days to a couple of weeks after a genuine cleanup.

First, let’s make sure we’re talking about the same warning, because Google has two and people mix them up constantly. This one is the small gray line under a normal blue search result. Your site still loads fine when people click. The other one is the full red screen in the browser, and that’s a Safe Browsing flag with its own process, which I cover in my guide to the “Deceptive site ahead” warnings. Red screen: browsers block visitors. Gray label: searchers see a warning and most of them quietly pick the result below yours.

Either way you’re losing clicks by the hour, so let’s work the problem.

What triggers the label?

Google adds “This site may be hacked” when its systems detect what they call hacked content: spam that an attacker planted on an otherwise legitimate site. On the WordPress sites I clean, the usual suspects are a few thousand auto-generated spam pages sitting in the index (pharma, replica watches, essay services, or Japanese product spam), spammy keywords stuffed invisibly into existing pages, or redirects that only fire for visitors coming from Google.

The sneaky part is cloaking. The hacked pages often show themselves only to Googlebot, or only to visitors with a Google referrer, while you, the owner, see a perfectly normal site. I’ve had clients swear their site was fine because they clicked every menu item and found nothing. They were right, and so was Google. The spam was real; it just wasn’t being served to them.

How do I see what Google sees?

Three checks, in order of effort:

  • Search site:yourdomain.com on Google and page through the results. Titles in Japanese, pharmacy terms, or URLs you don’t recognize (things like /shopdetail/, /item/, or long gibberish paths) are the hack showing itself.
  • Open Search Console and check Security Issues. If Google lists a hacked-content detection, you’ll get the type (content injection, code injection, or URL injection) plus sample URLs to inspect.
  • Run the sample URLs through the URL Inspection tool and look at the rendered HTML. That shows you the page as Googlebot fetched it, cloaking and all.

If Search Console shows nothing but the label persists, the detection may predate your verification, or it may sit on a subdomain. Verify the domain property, not just the www version, so nothing hides from you. My free site check is another quick outside opinion.

Cleaning it up properly

The label comes off when the hacked content is gone and Google trusts that it stays gone. That means removing the injected pages and keywords, and also the mechanism that created them, which is usually a backdoor file or a compromised plugin. Delete only the visible spam and it regrows in a week, often before Google even finishes recrawling. I’ve written a full walkthrough in how to remove malware from a hacked WordPress site if you want the complete process.

Once the spam pages are removed, make sure they return a proper 404 or 410 status rather than redirecting to your homepage. Google needs to see those URLs die. Redirecting thousands of spam URLs to your front page keeps them alive in the index and, worse, associates your homepage with them.

Requesting the review

If Security Issues lists a hacked-content problem, there’s a Request Review button once you’ve cleaned up. Be specific in the request. Two or three plain sentences beat a paragraph of promises: what you found, what you removed, and how you closed the hole. Something like: “Site was compromised through an outdated plugin. Removed injected spam pages under /item/ and the uploaded backdoor in wp-content/uploads, updated all plugins, rotated all passwords.” Google’s reviewers see thousands of these; make yours easy to approve.

Hacked-content reviews are slower than malware reviews. Some clear in a couple of days. Others take two weeks or so, and there’s no way to pay or plead your way up the queue. If no issue is listed in Search Console, there’s nothing to review; the label simply falls off as Google recrawls the cleaned pages, and you can speed that along by resubmitting your sitemap and requesting indexing on the formerly spammy URLs.

How long until the label disappears?

Plan on days, not hours. With a listed security issue and an approved review, the label typically drops shortly after approval. Without one, it fades as recrawling catches up, which on a small site can take one to three weeks. What actually determines the timeline is the quality of your cleanup. Every reinfection resets the clock and burns a little more trust.

While you wait, check whether the hack landed you on any of the other blocklists that antivirus tools and browsers use. It often does, and each list has its own removal path. My free blacklist checker tests dozens of them in one shot.

Does the label hurt my rankings too?

The label itself is a warning to searchers, not a ranking penalty. But the hack behind it does real ranking damage while it sits there: spam pages dilute your site in the index, and searchers skipping your result teaches Google your listing isn’t satisfying anyone. Sites that clean up quickly usually recover their positions within a few weeks. I’ve broken down the whole rankings side in what a hack does to your SEO.

One last thing before you close Search Console: set yourself up to hear about the next problem from Google instead of from a customer. Make sure email notifications are on for your verified property, because Google emails you when a security issue is detected, and that message routinely sits unread in an inbox nobody checks while the label does its damage for weeks. On cleanups I regularly find the original warning email from Google, months old, sent to the web designer who built the site in 2019 and moved on. Verify the property with an address someone actually reads. It costs nothing and it turns this whole ordeal from a surprise into a to-do item.

If you’d rather have a person handle this instead of learning Search Console forensics under pressure, that’s literally my job. I find the spam, remove it, close the entry point, and write the review request myself. Start here and I’ll take it from there.

Common questions

What does this site may be hacked mean in Google?

It means Google detected content on your site that an attacker likely planted, such as spam pages, hidden keywords, or redirects that only affect search visitors. It is a warning label on your search listing, not a browser block. Your site still loads when clicked, but most searchers avoid results carrying the label.

How do I remove the this site may be hacked message?

Clean out the injected spam and the backdoor that created it, make the spam URLs return 404 or 410, then request a review under Security Issues in Search Console if an issue is listed there. If nothing is listed, the label drops on its own as Google recrawls your cleaned site, usually within one to three weeks.

Why does Google say my site is hacked when it looks fine to me?

Because the hack is probably cloaked. A lot of injected spam serves itself only to Googlebot or to visitors arriving from Google search, while showing the normal site to everyone else, especially the logged-in owner. Checking a site:yourdomain.com search and the URL Inspection tool shows you what Google is actually seeing.

How long does it take Google to remove the hacked site label?

With a listed security issue and an approved review, typically a few days to two weeks. Without a listed issue, the label fades as Google recrawls the cleaned pages, which usually takes one to three weeks. Incomplete cleanups are the main cause of longer waits, since every reinfection restarts the process.

Is this site may be hacked the same as the red deceptive site ahead screen?

No. The gray label appears under your search listing and warns searchers, while the red screen is a Safe Browsing block that stops visitors in the browser itself. They come from different Google systems and clear through different processes, though a badly hacked site can earn both at once.