Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?
Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:
- Part 1: Google ‘This Site May Be Compromised’
- Part 1: Google ‘This Site May Be hacked’
- Part 2: Google ‘This site May harm your computer’
- Part 2: Google ‘Visiting this site may harm your computer’
- Part 3: Bing ‘The link to this site is disabled because it might download malicious
software that can harm your computer’
The first two warnings, “This Site May be Compromised” or “This Site May be Hacked” are actually the same thing. Google used to say “Compromised” but recently switched to using the term “Hacked”. It was likely to avoid confusion with nontechnical webmasters. This is how the warning shows up on Google:
What this warning means?
This warning means that Google detected some suspicious links or pages in your site that are not malware related in a way that would infect your users, but they still should not be there.
We see this often on websites that got hacked with hidden spam pages to sell things like Viagra products or casino ads. We also see it often on sites that have been defaced or had phishing pages added to them. Those pages are generally not linked from the main site, and are often used in email spam campaigns.
For example, a bad guy hacks into a site and creates a folder called “/bankofamerica/signup”. He then emails thousands of people with links to this site, pointing them to that URL he created with the Bank of American phishing campaign. That page is not linked and only the people that got the email would know it is there. And the same applies to the spam pages.
This is the official explanation from Google about the warning:
To protect the safety of our users, we show this warning message for search results that we believe may have been hacked or otherwise compromised. If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission. Hackers may change the content of a page, add new links on a page, or add new pages to the site. The intent can include phishing (tricking users into sharing personal and credit card information) or spamming (violating search engine quality guidelines to rank pages more highly than they should rank).
This warning is also not present on Google’s SafeBrowsing API, so the only way to find out that your site has this flag is to search on Google for your own site. If you search for “site:mysite.com” it should show if you have this warning or not.
SiteCheck
Because this type of warning is not passed to Google’s SafeBrowsing API, our free SiteCheck will not list it under the “Blacklist” checks. It may still detect the spam or defacement added to the site, but it will not flag the blacklist status.
Note: Our team will still be able to clean it up under any of our plans, despite SiteCheck not flagging it.
Clean up
The first step is to actually get your site cleaned and the malicious pages removed. We have many guides that explain how to clean your site and you can follow any one of them:
- Cleaning Up Your WordPress Site with the Free Sucuri Plugin
- Website Malware Removal – WordPress Tips & Tricks
- Cleaning up an infected website – Part I: WordPress and the Pharma Hack
These are just some examples for WordPress. Once your site is cleaned, and you verified (at least on SiteCheck), you should be safe to request the review on Google’s end. It will take a few days before they reply with the final verdict.
Conclusion
And that’s it for the PART I. If you have additional questions, or other blacklist warnings that you want explained, let us know.
If you have any questions about malware, blacklisting, or security in general, send them to us: [email protected] and we will answer here. For all the “Ask Sucuri” answers, go here.
Leave a reply
