How To Remove ‘Deceptive Site Ahead’ Warning?

Nov 29, 2020

The deceptive website warning appears when hackers get into your website and upload malware on it. Google doesn’t want any of its web users to go to your site and spread the malware any further.

So, Google Safe Browsing hits your site with a ‘deceptive site ahead’ warning (warning message in red screen).

Now, the notice on the Google Chrome browser seems to be the worst part about this entire ordeal, right?

But the reality is that almost every web browser under the sun uses Google Safe Browsing as well. So, if you’re seeing the notice on Chrome, you’re going to see it when trying to load your site on Safari, Firefox, Vivaldi, and even GNOME web browsers.

You can resolve the issue, but you need to act quickly in finding and removing the root cause of the notice, and then getting your pages reindexed on Google.

If this sounds technical or intimidating, don’t worry. We’re here to help.

TL;DR

To remove the deceptive site notice, you’ll have to first remove the malware on your site. Then, submit a review request at Google Search Console to delete the notice. In 1-3 days, Google will update the status and remove the deceptive site warning.

And some frequently asked questions including what to do after you secure your website.

Let’s dive in.

What is Deceptive Site Ahead Warning?

Before we try to bypass the deceptive site ahead warning on your website in the Search Results, let’s try and understand what it means.

Deceptive site ahead is a warning message that visitors see when trying to visit an unsafe site (compromised by attackers) in the Google Chrome browser. If Google detects that your website is infected with malware or contains social engineering content (or phishing), Chrome may display a deceptive website warning to stop visitors from accessing the site.


In other words, the “Deceptive Site Ahead” warning is an extension of the Google blacklist.

Now, seeing as there are different types of malware attacks, Google also uses different notifications to deal with each situation. You may also see a “reported phishing website ahead” warning on your site instead.

Let’s simplify. The 2 main reasons why Google flagged your website with deceptive site ahead warnings are:

  • Phishing scams
  • Malware infections

Over the course of this article, we’ll cover exactly how to handle each situation in the simplest possible way. Let’s get started.

How to Confirm If Your Website Shows Deceptive Site Ahead Message?

It’s quite possible that you don’t see the Google Chrome browser warning for “Deceptive Site Ahead” when you search for your website.

In fact, many business owners are alerted by their regular customers or a third party about the warning message. This is the worst possible way to find out because your customers are risking their personal information with you.

So, let’s take 5 minutes to confirm if your website really has a Google Chrome deceptive site ahead warning. There are 5 ways to do that and they only take a minute or so of your time:

  • Visit your website from another computer
  • Use incognito mode to visit your website
  • Check your email for a security notification from Google Search Console
  • Check Google Safe Browsing for a warning message
  • Check Google Search Console for security notifications

The first and second methods are usually enough to verify. The other three methods are due diligence. If you find the evidence that you’re looking for using the first two methods, you can simply skip ahead to the next segment on how to remove the message.

Check Google Safe Browsing for a Deceptive Site Ahead Warning

If your website’s content has a deceptive website notice on it, you will get a notification from Google Search Console.

But what if your Search Console is not set up?

Setting it up correctly, uploading the sitemap, and waiting for Google to analyze the links can take a while. So, the simpler solution is to head over to Google Safe Browsing and check for a deceptive website warning.


The only problem is that Google Safe Browsing doesn’t analyze the extent of the damage caused to your website or tell you how to bypass the deceptive site ahead warning.

Check Google Search Console for security notifications

On your Google Search Console, head over to the Security Issues tab, then go to the infected pages.

This will give you a list of all the affected pages and can help you narrow down the list of actions you’ll need to take next to assess the damage done to your website.


Why Your Site Has a Deceptive Site Ahead Warning?

Google’s search engine thrives because it provides relevant, helpful results to search queries. If those results started spreading some virus or malware across the internet, then that would cripple their business. That’s exactly why Google Safe Browsing flags your website if you have malware on it.

We’ve been in the WordPress security business for a long time now, and the most likely reason why your website has a “Deceptive Site Ahead” warning is a malware infection. 

Malware-infected websites are used to spread viruses, keyloggers, and trojans to other devices. They can also be used to facilitate other hacks and malicious attacks. Ultimately, they are used to steal critical data, like login credentials and financial information. 

These are some of the typical infections we have seen that trigger the deceptive site ahead warning: 

  • Phishing is a social engineering attack, which means the hacker has set up a seemingly official webpage to hoodwink a user into willingly giving up their information like credit cards, phone number and email. This is the biggest reason a website is flagged as deceptive, even though Google Safe Browsing has a warning dedicated to flagging phishing websites. 
  • Embedded social engineering content can promote malicious links and illicit business, usually in the form of ads or popups. But they can also redirect your web users to a malicious phishing website. Quite often, this embedded content is hidden from administrators, so only visitors see them. 
  • WordPress XSS attacks can exploit vulnerabilities in your website, plugins and themes to insert malicious JavaScript into your frontend or backend code.  
  • SQL injection attacks can be used to infiltrate, modify, and destroy a website’s database. It can also be used to send a copy of the entire database to the hacker.
  • Incorrect installation of your SSL certificate can sometimes cause the warning to be shown, because your website now effectively has content showing up from 2 separate websites: the HTTPS one and the HTTP one. This is more commonly known as the mixed content warning, as Google treats HTTP and HTTPS websites as separate entities. As proper SSL certificate installation is necessary, you can follow this redirect HTTP to HTTPS guide.

The worst part? None of these attacks require the user to do anything at all. Google will flag your site for trying to load malicious scripts and ads.

In addition to malware infections, Google will also flag your website if you, as they phrase it, have “insufficiently labeled third-party services”. What this Google-speak means is that if you are operating a website on behalf of some other entity but you have not spelled that out clearly on your website, your content can be considered deceptive.

Note: It is good practice to use industry standard services for things like authentication or payment gateways. The reason is that these services are established and follow good security practices.

How to Remove Deceptive Site Ahead Warning?

By now you should know if your website has a Google Chrome deceptive site ahead notice or not and exactly why you’re seeing it on your website.

It’s time to fix the deceptive site ahead warning from your website once and for all.

And we’re going to do it in 4 steps:

  • Step 1: Assess the damage done to your website
  • Step 2: Remove the malware
  • Step 3: Submit A Review Request
  • Step 4: Prevent future attacks

That’s a lot of work, let’s get straight to it.

Step 1: Assess the Damage Done to Your Website

Go back to the Google Search Console and head to the Security Issues tab and click on the infected pages section. If you followed along with the article so far, you should already know how to do it. If not, take a look at the previous section.

Click on ‘Learn More’ in the ‘Detected Issues’ section and understand where the infection is:

  • On a page? (e.g. blog.example.com/pages/page1.php)
  • In a group of pages? (e.g. blog.example.com/pages/)
  • In a post? (e.g. blog.example.com/post1/)
  • In the entire blog? (e.g. blog.example.com/)
  • In the whole domain or subdomain? (e.g. example.com)

hacked content injection search console
Image credit: Google

In the screenshot above, you can see that the infection is in the ‘Photos’ subdirectory.

Assessing the damage will help you fix the situation quickly and efficiently.

Next, check the date when Google discovered suspicious content. You can see the exact dates next to the URLs listed in the ‘Detected Issues’ section of the ‘Security’ tab.

google search console security issues
Image Credit: Search Engine Land

Google Safe Browsing and other online malware scanners don’t always provide a lot of information on how to get past the deceptive site ahead warning message. Knowing when the message was triggered will help you narrow down the actions you took right before that date. Did you install a new theme? Update a plugin? Install new plugins?

NOTE: This is not always an effective way to pinpoint the malware. There are instances where malware lies dormant for a while before it starts to show actual symptoms of a hack.

So, if this doesn’t help, then you can use ‘URL inspection’ on those infected pages to understand what went wrong:

google search console url inspection tool test live button.
Image Credit: Search Engine Roundtable

This should tell you more than enough about the core problem. Next, you’ll need to remove the malware from your website.

Step 2: Remove the Malware

Removing malware from your website is not a simple task and should not be taken lightly. The wrong set of actions can completely wreck your website.

That said, you do need to remove the malware from your website if you want to fix the “Deceptive Site Ahead” notice from it. 

Now, there are two ways to handle this:

  • Clean your website using a WordPress security scanner and cleaner
  • Clean your website manually (NOT RECOMMENDED)

We can’t stress this enough: don’t try to secure your websites manually unless you know exactly what you’re doing.

How to Clean Your Website with a WordPress Security Plugin

We highly encourage you to install a WordPress security scanner and cleaner plugin instead of using online malware scanners to remove malware from your website and here’s why: 

  • Google Safe Browsing can flag what the malware is doing to your website and not where the malware is actually located. It doesn’t help you remove the malicious code either.
  • Do you know PHP, HTML, JavaScript, and Database Management? If not, most of the malicious scripts and ads will look exactly the same as regular code to you.
  • Let’s say you do understand coding and how websites work. How much time can you allocate to scouring all the files and database tables on your website for malicious code and third party scripts and removing it?

In simple words: Don’t try to remove malware on your own unless you’re a pro at it. It’s a bad idea and it can completely wreck your website.

We highly recommend that you sign up for MalCare instead.

MalCare is a comprehensive suite of security tools that will scan, clean, and secure your WordPress websites against malware. Unlike other WordPress security plugins, MalCare uses advanced learning algorithms to keep evolving in the face of new and unknown cybersecurity threats.


That’s not all. With MalCare, you also get:

  • One-click instant malware removal in 3 minutes or less
  • Automatic malware detection
  • Daily malware scanner
  • Powerful protective features

You get all this for $99/year and with zero hidden costs.

Sign up for MalCare and clean your hacked WordPress website today.

How to Clean Your Website Manually (NOT RECOMMENDED)

Again, cleaning your website manually is a very bad idea. We don’t recommend it under any circumstances.

But if you understand the risks and still want to remove the malware DIY-style, you need to understand that cleaning a hacked website has 4 primary steps:

  • Scan files on the server for malicious code
  • Scan the database tables for malicious commands
  • Find backdoors and ghost admin accounts
  • And finally, remove the malicious code without breaking the website

For every hacked website, there are indicators of a hack that you can look for. In this segment, we’re going to look at indications of a compromised website and try to remove the malicious code that comes with them.

But before you begin, take a full backup of your website. If you end up wrecking your website, this backup will help you get back on track.

#1 Scan files on the server for malicious executable code

There are two places hackers insert malicious code: the files on the website and its database tables. Let’s start with the files because they’re more likely to contain third-party scripts.

To be perfectly clear, most modern malware is far more sophisticated than a single file with only malicious code on it. More often than not, you’ll see malicious code inserted into essential files on the website.

Start looking for files with suspicious names in these two folders.

  • wp-content
  • wp-includes

In addition, the uploads folder (wp-content/uploads on a default install) should not contain any executable files. If there are any PHP files here, then that’s a bad thing.

You might see Google or other online malware scanners flag JavaScript files as the malicious code.

While this may be true, JavaScript is obviously not always malware. It can be and is often used to add functionality to a website. So it is important to be able to distinguish between good and bad code.

This is not easy, as you need to understand exactly what the code’s intended function is and evaluate that to determine its legitimacy. Code is often obfuscated as well, making this even harder to figure out. Use an online decoder to reverse the gobbledegook into readable code.

#2 Look for Malicious String Patterns in the WordPress Core Files

WordPress core files are made of essential code that helps the website function normally. This is a good place to hide malicious code. Hiding in plain sight, if you will.

Most malware will leave recognizable patterns called ‘String Patterns’ that you can search for. Start looking in these files:

  • wp-config.php
  • .htaccess
  • wp-activate.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-config-sample.php
  • wp-cron.php
  • wp-links-opml.php
  • wp-load.php
  • wp-login.php
  • wp-mail.php
  • wp-settings.php
  • wp-signup.php
  • wp-trackback.php
  • xmlrpc.php

Look for snippets such as:

  • tmpcontentx
  • function wp_temp_setupx
  • wp-tmp.php
  • derna.top/code.php
  • stripos($tmpcontent, $wp_auth_key)

These are strings and function names that commonly appear in malware, and they’re a good place to start investigating.

Please remember that functions are not bad; quite the opposite in fact. Their purpose is to extend functionality in normal code. 

If you can’t tell if the code is malicious or not, that’s a clear indication that you should not be deleting it. The wisest course of action would be to hire a WordPress security expert or install a WordPress security plugin.

#3 Clean Hacked Database Tables

Databases are a lot more uncomfortable to fix, but you can clean them up. Head over to the cPanel and open up phpMyAdmin to access your database tables.

We strongly suggest that you stick to this order of actions when cleaning your database:

  • Log in to phpMyAdmin.
  • Backup your entire database.
  • Search for spammy keywords and links that you might see on spam comments.
  • Open the table that contains suspicious content.
  • Manually remove any suspicious content.
  • Test to verify the website is still operational after changes.

We highly recommend that you only make one change at a time and test the effects of the change before you move on to changing anything else in your database.

If anything seems even slightly off on your website, restore your database from the backup you took right away.

#4 Remove Backdoors Embedded in Your Website

The worst part about a manual cleanup is having to look for backdoors. Backdoors are essentially small code snippets that allow a hacker to regain access to your website even after you’ve cleaned it.

Backdoors are tricky to find because they are usually hidden in regular code as well.

Search for the following PHP functions on all your files:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

Again, these are not evil functions by default, and many plugins and themes use them legitimately as well.
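
A read-only scanner for the checks in #1, #2 and #4 above, as an added example that is not part of the original article or any vendor’s code: it flags PHP files under wp-content/uploads, the marker strings listed in #2, and calls to the functions listed in #4 for manual review. The extension list, the reading of “base64” as any base64_* call, and the sample tree are assumptions made for this example; the preg_replace /e case is not covered.

```python
import os
import re
import tempfile

# Strings the article lists as malware markers in core files (step #2).
KNOWN_MARKERS = ["tmpcontentx", "function wp_temp_setupx", "wp-tmp.php",
                 "derna.top/code.php", "stripos($tmpcontent, $wp_auth_key)"]

# Function names from the article's backdoor list (step #4). Legitimate plugins
# call these too, so a hit means "read this line", not "delete this file".
# Assumption: "base64" is read as any base64_* call; preg_replace /e is skipped.
REVIEW_CALLS = re.compile(
    r"\b(base64_\w+|str_rot13|gzuncompress|eval|exec|create_function|system|"
    r"assert|stripslashes|move_uploaded_file)\s*\(", re.IGNORECASE)

# Assumption: extensions a typical server may hand to the PHP interpreter.
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")
UPLOADS = "wp-content/uploads/"  # default WordPress uploads location


def scan_tree(root):
    """Return sorted (relative_path, line_no, finding) tuples for a site copy."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_php = name.lower().endswith(PHP_SUFFIXES)
            if is_php and rel.startswith(UPLOADS):
                findings.append((rel, 0, "php-in-uploads"))  # step #1
            if not (is_php or name == ".htaccess"):
                continue  # skip images and other non-code files
            with open(full, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for marker in KNOWN_MARKERS:
                        if marker in line:
                            findings.append((rel, no, "marker:" + marker))
                    for m in REVIEW_CALLS.finditer(line):
                        findings.append((rel, no, "review:" + m.group(1).lower()))
    return sorted(findings)


def high_confidence(findings):
    """Findings that do not depend on judging whether a call is legitimate."""
    return [f for f in findings if not f[2].startswith("review:")]


def build_sample_site(root):
    """Write a constructed, inert sample tree (no real malware) under root."""
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-load.php": "<?php\n$tmpcontentx = 1; // constructed marker\n",
        "wp-content/uploads/2020/11/logo.png": "placeholder, not an image",
        "wp-content/uploads/2020/11/cache.php": "<?php echo 'inert';\n",
        "wp-content/plugins/demo/demo.php": "<?php\n$q = stripslashes($q);\n",
        "wp-includes/class-x.php": "<?php\n@eval(base64_decode($blob));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, no, what in scan_tree(site):
            print(f"{rel}:{no}: {what}")
```

Point scan_tree at a downloaded copy or backup of the site rather than the live server; it only reads files, and “review:” hits are lines to read, not lines to delete.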

If you feel that this is too difficult or too technical, you should stop now and install MalCare. It’s a quick, easy, and affordable way to fix your website in very little time. The faster you remove the malware, the faster you can get to the next section, which is about how to turn off deceptive site ahead.

Step 3: Submit A Review Request to Google for Warning Removal

Simply cleaning your website is not enough. You’ll have to remove all the malware from your website and then tell Google about it so that they can review your website and remove the warning message.

WARNING: Before you submit a review request with Google, you need to be 100% certain that your website has no traces of the malware present anywhere on it. If your website is still infected, Google will reject your request to fix the deceptive site ahead warning message from your site. Get rejected by Google too many times and Google will flag you as a ‘Repeat Offender’ and you won’t be able to request a review for 30 days.

An equally bad idea is to submit multiple review requests for the same issue. Once you submit a review request, wait for 1-3 days for Google to sort it out. Submitting multiple requests can cause a much longer turnaround time and in certain cases, Google may flag you as a ‘Repeat Offender’.

That said, removing the deceptive site ahead warning is a fairly simple process, but you won’t get many good tutorials on it. So, follow along with this article step by step.

Step A: Go to the Security Issues Tab. It’s time to request a review of your code from Google Search Console.


Step B: Select “I have fixed these issues”.


Step C: Click on “Request a Review”.


Step D: Describe all the actions you took in the input field. The more descriptive and clear you are, the better it is for your application. Then click on ‘Submit Request’.

Step E: Finally, click the Manual Actions section.


Step F: Repeat the first four steps to resolve all your security issues on Google.

NOTE: The warning message won’t be removed immediately. Google takes up to 3 days to review the website and remove the “Deceptive Site Ahead” notice. But this is the best process you can follow. In 1-3 days, you should be able to get back to business as usual.

Step 4: Prevent Deceptive Site Warnings and Future attacks

You can skip this step at your own risk. But to be honest, it’ll take a while before the notice is removed. You might as well use this time to beef up your cybersecurity and protect your website against future attacks.

If you’re looking for an automated solution, we recommend that you install MalCare.

  • Automatic daily malware scans will help you stay one step ahead of the hackers.
  • You can remove malware from your website with one click without any risk to your website.
  • WordPress hardening measures that work in a few quick clicks.
  • The WordPress firewall will help you filter out malicious traffic by country or device.
  • As a bonus, you get convenient blacklist monitoring and traffic monitoring as well.

Installing MalCare is the simplest way to ensure that you never get hit with a Google deceptive site ahead notice again.

There are several improvements you can and should implement on your site by yourself. These are easy to execute, including tips such as changing your password to a stronger one, installing a security plugin, updating WordPress core, theme, and plugin files to name a few. You’ll find a comprehensive list in our article about WordPress Security.


FAQs

Can I clean the website myself?

Sure. But we don’t recommend that under any circumstances. Unless you’re an expert at PHP, JavaScript, SQL, HTML, and Apache, there’s a huge risk of permanently damaging your website on a fundamental level.


How to prevent deceptive website warnings in the future?

We recommend that you harden your cybersecurity and install a firewall. Also, install a malware detection and removal tool just in case.


What is deceptive site ahead?

If your website is infected with malware, Google can put up a “Deceptive Site Ahead” notice (warning message in red screen) that your web users will see every time they try to access one of your links. This is one of 8 warning messages issued by Google when your website is flagged by Google Safe Browsing.


How to turn off deceptive site ahead?

Short answer: don’t get hacked. If your website already shows that notice, you will need to remove any and all malware trying to load malicious scripts and ads on your website and submit a request on Google Search Console to remove the warning.


How do I fix ‘the website ahead contains malware’?

Find and remove the malware on your WordPress site. Then submit a review request on Google Search Console to remove the warning from your website’s search results.


What is an unsafe website?

Typically, an unsafe website is one that contains malware. Visiting an unsafe and dangerous website could mean that a hacker can steal your personal information. This may not always be the case and your website may simply be harmful to its web users in some way or form. 

What’s Next?

Usually, a deceptive website warning comes with other concerns as well. We’ve seen with many of our customers that a Google Chrome browser warning can also lead to your web host suspending your hosting account and Google Ads suspending your Ad Account.

We recommend that you check them out next.

Your life can be a lot easier if you just install MalCare. You get so many amazing features that you can simply connect your website one time and let the plugin handle your entire website security.

We highly recommend that you read all the segments on this article. If you simply skimmed the headlines, there’s a good chance that you may have missed something.

And that’s all, folks!

Drop any questions or queries that you may have and our highly-acclaimed support team will help you work out your issues day or night.

Until next time.
