Got a ‘You’re Hacked’ Email?
How to tell if a scary security email is real or a scam—and what to do either way.
What this covers: How to verify whether a “your site is hacked” email is a scam or real threat, red flags to watch for, free external and WordPress security scans to run, signs of actual compromise, and next steps for both outcomes.
Who it’s for: Site owners who received an alarming security email and need to quickly determine if the threat is real before taking action.
Key outcome: You’ll know whether the email is legitimate, have run security scans to verify your site’s status, and have a clear action plan for cleanup if something is actually wrong.
Time to read: 5 minutes
Part of: Security & Infrastructure series
You just got an alarming email claiming your website has been hacked, infected with malware, or flagged by Google. Your heart rate spikes. Before you panic (or pay someone to “fix” it), let’s verify if the threat is real.
This guide covers: How to spot scam emails, verify real threats, run quick security scans, and know when to escalate to full recovery mode.
First: Is the Email Even Real?
Scammers send millions of fake “your site is hacked” emails to sell bogus security services. Before doing anything else, verify the source.
Red Flags of Scam Emails
- Generic greeting: “Dear Website Owner” instead of your actual name
- Lookalike domains: “google-security.com” or “gogle.com” instead of google.com
- Urgency + payment: “Pay $299 immediately to remove malware”
- Suspicious links: Hover over links—do they go where they claim?
- No specific details: Real alerts name the specific file, URL, or issue
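To make these red flags concrete, here is an added example (not code from the original guide) that scores a raw email against them: a lookalike sender or link domain, a generic greeting, urgency combined with a payment demand, link text that does not match where the link really goes, and no specific file, path or vulnerability named. The trusted-domain list, the keyword lists, the edit-distance threshold and both sample messages are assumptions constructed for this example; it uses only the Python standard library and runs offline.

```python
"""Added example, not from the original guide: score a raw email against the
scam red flags listed above. Names, thresholds and the sample messages are
assumptions constructed for this example; only the standard library is used."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine alert about your site could plausibly come from (assumed list).
TRUSTED_DOMAINS = {"google.com", "sucuri.net", "wordfence.com"}
GENERIC_GREETINGS = ("dear website owner", "dear webmaster", "dear site owner", "dear customer")
URGENCY_WORDS = ("immediately", "within 24 hours", "act now", "urgent")
PAYMENT_WORDS = ("pay ", "bitcoin", "btc", "$", "invoice", "fee")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# A real alert names something concrete: a path, a .php file, a CVE id.
SPECIFIC_RE = re.compile(r"(/wp-content/|/wp-admin/|\.php\b|cve-\d{4}-\d+)", re.I)


def registrable(host):
    """Crude 'example.com' from 'mail.example.com' (ignores two-label TLDs such as co.uk)."""
    parts = (host or "").lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance; catches one-letter typosquats such as gogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """True if domain imitates a trusted vendor domain without being one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain.replace("-", "") or edit_distance(domain, trusted) <= 2:
            return True
    return False


def red_flags(raw_email):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = body.lower()
    flags = []
    if lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates a known vendor")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(u in text for u in URGENCY_WORDS) and any(p in text for p in PAYMENT_WORDS):
        flags.append("urgency combined with a payment demand")
    for href, label in LINK_RE.findall(body):
        target = registrable(urlparse(href).hostname)
        for shown in URL_RE.findall(label):  # what the reader sees vs. where it goes
            if registrable(urlparse(shown).hostname) != target:
                flags.append(f"link text shows {shown} but points to {href}")
        if lookalike(target):
            flags.append(f"link to lookalike domain {target}")
    if not SPECIFIC_RE.search(text):
        flags.append("no specific file, URL path, or vulnerability named")
    return flags


# Constructed sample messages (not real mail).
SCAM_EMAIL = """From: Google Security <alerts@google-security.com>
To: owner@example.com
Subject: Your website has been hacked
Content-Type: text/html

Dear Website Owner,<br>
Your website is infected with malware. Pay $299 immediately to remove it:
<a href="http://google-security.com/pay">https://google.com/security</a>
"""

REAL_LOOKING_EMAIL = """From: Search Console <noreply@google.com>
To: owner@example.com
Subject: Security issue detected on https://example.com/

Hello Jane,
Google detected malicious content at https://example.com/wp-content/uploads/2024/cache.php
Open Search Console directly (not through this message) to review the details.
"""

if __name__ == "__main__":
    for name, mail in (("scam", SCAM_EMAIL), ("real-looking", REAL_LOOKING_EMAIL)):
        print(name, red_flags(mail))
```

Feed it the raw source of the message (most mail clients offer "show original"); a long list of flags is a scam, while an empty list only means none of these heuristics fired, so you still verify through Search Console directly as the next section describes.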
How to Verify Legitimately
Don’t click links in the email. Instead, go directly to these sources:
- Open Google Search Console directly (not via email link)
- Check Security & Manual Actions → Security Issues
- If Google found something, it’ll be there. If not, the email was likely fake.
Run a Quick Security Scan
Whether the email was real or you just want peace of mind, run these free scans:
External Scanners (No Login Required)
- Sucuri SiteCheck – Free malware and blacklist scan
- Google Safe Browsing – Check if Google has flagged your site
- VirusTotal – Checks against 70+ security databases
These catch obvious problems. For deeper scanning, you’ll need WordPress access.
WordPress Security Scan
Plugin: Install Wordfence (free) and run a full scan.
Go to: WordPress Admin → Wordfence → Scan → Start New Scan
Wordfence checks for:
- Malware in your files
- Modified core WordPress files
- Suspicious code patterns
- Known vulnerabilities in plugins/themes
Signs Your Site Is Actually Compromised
Even if scans come up clean, watch for these symptoms:
- Unknown admin users: Go to Users → All Users. Recognize everyone?
- Plugins you didn’t install: Check for unfamiliar plugins, especially recently installed ones
- Spam content: Search your site for pharmacy, casino, or adult keywords
- Mysterious redirects: Site redirects to another domain (often only on mobile or from Google)
- Sluggish performance: Crypto miners and spam bots eat server resources
- Strange files: Unknown .php files in your root directory or wp-content
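The file-level symptoms above (unknown .php files in the root or wp-content) and the checks Wordfence runs (modified core files, suspicious code patterns) can also be verified by hand against a clean baseline. The following is an added example, not code from the original guide or from Wordfence: it digests every file on a clean install, then reports PHP files inside wp-content/uploads (where nothing should ever execute), PHP files absent from the baseline, files whose contents changed, and the eval-of-decoded-payload obfuscation pattern. The function names, the baseline format and the tiny demo tree it builds in a temp directory are assumptions constructed for this example.

```python
"""Added example, not from the original guide: walk a WordPress install and
flag the file-level signs of compromise listed above. Function names, the
baseline format and the demo tree are assumptions constructed for this example."""
import hashlib
import os
import re
import tempfile

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Classic obfuscation wrapper found in injected PHP; a legitimate theme rarely needs it.
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative POSIX path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Digest every file; run on a clean install and again after each legitimate update."""
    return {rel: sha256_of(full) for rel, full in walk_files(root)}


def find_suspicious(root, baseline):
    """Return sorted (relative_path, reason) pairs; one file may appear with several reasons."""
    findings = []
    for rel, full in walk_files(root):
        is_php = rel.lower().endswith(PHP_EXT)
        if is_php and rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file inside wp-content/uploads"))
        if rel not in baseline:
            if is_php:  # new images are normal; new PHP is not
                findings.append((rel, "PHP file not in the clean baseline"))
        elif sha256_of(full) != baseline[rel]:
            findings.append((rel, "contents differ from the clean baseline"))
        if is_php:
            with open(full, "rb") as f:
                source = f.read().decode("utf-8", "replace")
            if OBFUSCATION_RE.search(source):
                findings.append((rel, "eval() of decoded/inflated payload"))
    return sorted(findings)


def make_demo_tree():
    """Constructed demo: a tiny clean tree, its baseline, then simulated tampering."""
    root = tempfile.mkdtemp(prefix="wp-demo-")

    def write(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)

    write("index.php", "<?php require 'wp-blog-header.php';\n")
    write("wp-includes/version.php", "<?php $wp_version = 'x.y.z';\n")
    write("wp-content/themes/demo/functions.php", "<?php // theme functions\n")
    write("wp-content/uploads/2024/photo.jpg", "not really a jpeg\n")
    baseline = build_baseline(root)
    # Simulated compromise using inert placeholders ('...' decodes to nothing useful):
    write("wp-content/uploads/2024/cache.php", "<?php eval(base64_decode('...'));\n")
    write("wp-load2.php", "<?php /* not part of WordPress */\n")
    write("wp-content/themes/demo/functions.php",
          "<?php // theme functions\neval(gzinflate(base64_decode('...')));\n")
    write("wp-includes/version.php", "<?php $wp_version = 'x.y.z';\n// unexpected extra line\n")
    write("wp-content/uploads/2024/new-photo.jpg", "a legitimately added upload\n")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = make_demo_tree()
    for path, reason in find_suspicious(demo_root, demo_baseline):
        print(f"{path}: {reason}")
```

Point `build_baseline` at a freshly installed copy of the same WordPress, plugin and theme versions and store the result off the server; after every legitimate update, rebuild it, otherwise updated plugin files will show up as "contents differ". The uploads and obfuscation checks need no baseline at all and are worth running on their own.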
What to Do Next
If Scans Are Clean
The email was likely:
- A scam trying to sell you services (most common)
- A false positive or outdated alert
- About a different domain (double-check the URL in the email)
- An old issue your host already fixed
Action: Use this as a wake-up call. Set up two-factor authentication and automated backups now, while you’re thinking about it.
If You Found Something
Don’t panic—but do act quickly.
- Change all passwords immediately: WordPress admin, hosting, FTP, database
- Take the site offline if it’s actively harming visitors (redirects to malware, serving spam)
- Follow our full recovery guide: Recover a Hacked WordPress Site
The recovery guide walks you through cleanup, restoration, and requesting a review from Google once you’re clean.
Hacked Email Questions Answered
How do I tell if a “your site is hacked” email is a scam?
Check for these red flags: demands for Bitcoin payment, vague technical claims without specifics, urgency pressure (“act in 24 hours”), and sender addresses that don’t match any security vendor. Legitimate security notifications cite specific files, URLs, or vulnerability names.
What free tools can I use to check if my site is actually hacked?
Run your URL through Sucuri SiteCheck (sitecheck.sucuri.net), Google Safe Browsing Transparency Report, and VirusTotal. Inside WordPress, install Wordfence and run a full malware scan. Check Google Search Console for security issues under the Security & Manual Actions tab.
My site is actually hacked—what do I do first?
Change all passwords immediately (WordPress admin, hosting, FTP, database). Then take a backup of the infected site for forensic reference. Contact your host—many offer free malware removal or can restore from a clean backup. Do not delete files until you’ve identified the infection source.
Can I prevent hacked-site scam emails?
No. Scammers scrape publicly available contact information from WHOIS records and website footers. Enable WHOIS privacy on your domain and avoid publishing admin email addresses on your site to reduce volume.
✓ The Post-Recovery Security Checklist
- You’ve verified the email source (real Google vs scammer)
- Sucuri SiteCheck and Google Safe Browsing show no issues
- Wordfence scan completes with no critical findings
- You’ve checked Users list and don’t see strangers
If anything looked wrong: Head to Recover a Hacked WordPress Site for full cleanup steps.