My website was hacked and now Google shows a warning
Someone hacked my WordPress site and now when people visit they get a "This site may be hacked" warning from Google. I cleaned up the malware files but the warning is still there. How do I get it removed?
1 Answer(s)
Cleaning the files is only half the battle. Here's exactly how to get the warning removed.
First, go to Google Search Console and navigate to Security & Manual Actions. Click on "Security Issues" and you'll see the specific pages flagged. Google will tell you exactly what they found (usually injected JavaScript or iframes).
Second, use the "Request Review" button in Search Console. But before you do that, make sure you've done everything on this checklist: remove all malware code, change ALL passwords (wp-admin, FTP, database, hosting), update WordPress core, all themes, and all plugins to the latest versions, and remove any user accounts you don't recognize.
Third, install a security plugin like Wordfence or Sucuri. They have firewalls that prevent re-infection. Also enable two-factor authentication on your WordPress admin.
After you request a review, it usually takes 24-72 hours for Google to recrawl your site and remove the warning. If it's been longer than a week, request another review. Be persistent — Google sometimes needs 2-3 review requests.