Google blacklists over 10,000 websites every day. And 90% of the blacklisted websites are found to be hacked. If Google has blacklisted your site, then chances are that it’s hacked.
Being blacklisted has severe consequences on a website. It prevents Google users from accessing your site, search engine ranks start dropping and all this can have a direct impact on your revenue collection.
But don’t worry, a blacklisted website can be recovered. All you need to do is clean your website and then inform Google about it. This article is a step-by-step guide on how to remove Google blacklist on a WordPress site.
If you are blacklisted, it’s very likely that your website is hacked. To scan and clean your website immediately, install our WordPress Security Plugin – MalCare. With the help of MalCare, you can get your site back up and running in no time.
What is Google Blacklist?
It’s no secret that Google is the world’s most trusted search engine. Naturally, Google wants its users to have a safe browsing experience. Therefore, the search engine prevents users from accessing a hacked WordPress website.
Google shows a security warning in which it informs visitors that the website is unsafe and that they should return to safety.
The search engine giant has different sets of warnings for sites that may be hacked and infected with malware and sites that may not have malware but nonetheless has been hacked and could be carrying out malicious activities. Google shows the following error messages:
- Deceptive site ahead
- Reported attack page!
- Suspected malware site
- Danger: malware ahead!
- The site ahead contains malware
- The website ahead contains malware!
- This website has been reported as unsafe
- The site ahead contains harmful programs
- This page is trying to load scripts from unauthenticated sources
Mozilla’s Firefox browser also uses Google’s list of blacklisted websites to issue “Deceptive site ahead” warnings to Firefox users.
Hacked websites try to manipulate visitors into doing malicious things like buying illegal drugs, or they redirect users to other sites that are designed to dupe them into sharing sensitive information like credit card or bank account details.
Since Google wants its users to have a safe browsing experience, it blocks users from visiting hacked websites. But that’s hard for a website owner whose site has been blacklisted due to malicious activities s/he’s completely unaware of.
To learn more about malicious activities commonly found in the hacked website, we suggest reading more about it. Refer to our guides on WordPress pharma hack, WordPress hacked redirect, and WordPress theme hacked.
Before proceeding to fix and remove Google Blacklist warning, let’s ensure that your website really is blacklisted.
How to Check if Your Site is Blacklisted by Google?
“Is my site blacklisted?” – There are various checks that’ll help you determine if your website is really blacklisted. You can check with Google’s Safe Browsing tool, or if you are so inclined, you can do the check manually. You can also use free tools online that let you enter your site’s name and check. Let’s explore them one by one –
→ Check Google Search Console
Google crawls your website on a regular basis looking for new content that you may have added on your site. If the content meets Google’s benchmark for good content, the search engine will rank your content so that Google users may find it and read it.
While crawling, however, if Google detects malicious activities on your site and finds out that your website is hacked, it flags your site as insecure and notifies you on your Google Search Console account.
To check if Google has sent you a notice, you need to log into Google Search Console. From the menu on the left, select Security Issues. It’ll show you the issues it detected on your sites like infected URLs and malicious codes.
Search Console shows the issues it detected
→ Check using Google Safe Browsing Tool
Google’s Safe Browsing is our go-to tool because it’s made by the search engine giant itself. This Google diagnostic tool is really easy to use. All you need to do is insert your site URL and it’ll show you all sorts of issues that your site suffers including being marked as blacklisted. A domain is blacklisted by Google Safe Browsing when it detects malicious activities on the website.
→ Check for a sharp traffic decline
Getting blacklisted by Google has a domino effect. First, you experience a rapid decline in traffic, then your ranking falls and eventually, your revenue takes a hit. You can track your traffic from Google Analytics. On Analytics, navigate from Overview to Behaviour and look at the pageviews for the last 3 months. Notice any sharp decline? It could be due to the Google blacklist warning.
→ Check manually
You can check the website on your own by using the code ‘site:’ followed by your domain name on your browser –
(Replace westworldfansite with the name of your website.)
Our search returned 15 results. Google shows us all the web pages and posts published on our site. Had it been 0 search results, we’d know that our website is blacklisted by Google.
When you perform a similar search for your website, and Google returns 0 results, it’s a pretty good chance that your site is blacklisted. One major downside of this method is that, if your site is not indexed by the search engine, it would not appear on Google’s search. You can check if your website is indexed by Google with the help of this article – Index Coverage Status.
Note that while you are searching your site in the way we showed, you may find Google saying “site may be hacked,” if the search engine found malware on your website.
→ Check using a tool
A few free tools are really handy when it comes to learning for sure if your site has been blacklisted. Those are Is My Website Penalized and Is Banned. Both are very easy to use. All you need to do is type in your URL and it tells you the status of your website.
After making sure that your WordPress website has been blacklisted, you can proceed to fix the issue.
How to Remove Google Blacklist Warning?
There are 2 ways in which you can remove Google blacklist from your WordPress site. Those are:
- Using a plugin (the easy way)
- Doing it manually (the hard way)
Remove Site From Google Blacklist With a Plugin
There are many WordPress security plugins to choose from. Most security plugins are not very effective. They look for known malware located in places where one typically finds malware. But given the complexity of hacks these days, security plugins need to look beyond known malware and familiar locations.
MalCare is a security plugin that isn’t plagued by any of these issues.
- Finds All Hidden Malware: MalCare offers a WordPress malware scanner that dives deep into your website to detect malware hidden in various locations. MalCare can find SEO spam, spam link injection, pharma hacks, and other types of hidden malware.
- Finds New and Complex Malware: It checks the pattern and behavior of codes to find new and complex malware and not just known malware.
- Enables Instant Malware Removal: After detecting malware, MalCare enables users to clean their website quickly. Common practice dictates that you’ll have to first raise a ticket and give an external security professional access to your site. Then the person will clean your site which can take between a few hours to upto a few days to complete. MalCare is the only security plugin to offer automated malware removal that enables you to clean your hacked site instantly.
How to Scan Your Site With MalCare?
Step 2: Next, on your WordPress dashboard, you should see an option for MalCare in the left-hand menu. Select that and a new page appears. From that page choose Malware Scan and click on Scan Site.
MalCare will take a few minutes to scan your website thoroughly. It’ll show you all the hacked files it found.
NOTE: The next step is to clean malware that the plugin found. MalCare’s instant malware cleanup is a premium feature so you’d have to upgrade. Plans begin at $99 per year for a single site.
Step 3: To clean your site with MalCare, just click on Auto Clean. The plugin will automatically clean your site within a few minutes.
Once your website is hack-free, you can submit your website to Google for review.
Remove Site From Google Blacklist Manually
Finding malware using a plugin is quick and thorough, which is why we recommend it. If you still want to give the manual method a try, these are the steps you need to take –
→ Check Plugin and Themes Folder:
If you are half as obsessed with websites as we are, you’ll know that a WordPress website is made up of files and databases. Malware can be present in any of the hundreds of files of your website. If you are looking for the infected files manually, start with the common locations like the plugin folder (/wp-content/plugins/) and theme folder (/wp-content/themes/). You can access them through your web host account or via FTP tools like Filezilla.
→ Look for keywords:
Besides locating malware, it’s important to learn how to recognize malware or malicious codes.
It’s common to find the following keywords in malicious codes – “shell_exec,” “base64_decode”, “eval”, and “gzuncompress.” One way of identifying bad codes is to look for those keywords. Any programmer can find them using commands like Find, Grep and Stat.
But the thing is, the keywords we mentioned above are not always part of malicious code. Some plugins utilize similar keywords and deleting them will cause the plugins to malfunction.
→ Check Upload folder:
Apart from the plugin and theme folder, the Upload folder is very popular with hackers. An Upload folder is meant to store media files. The existence of a .php file is unusual. You can run the following command to detect such files:
find uploads – name “*.php” -print
If you do end up finding a .php file in the Upload folder, it’s a likely part of a hack.
→ Compare WordPress Core Files:
Back in the good old days when websites weren’t this complicated, the core folder was a favorite spot to hide malware. As the technology evolved and websites became complex, hackers found new locations to hide malware.
But to remove all possibilities, we’d suggest checking the core files. Comparing the original core files (which you can get from here) with the ones present on your website. If there’s a mismatch, it’s a possible sign of a hack.
NOTE: When you download the core, ensure that you are downloading the version that’s running on your site.
→ Compare plugin & theme files:
Same as comparing core files!
Make a list of the plugins and themes installed on your website. Download a fresh install from the WordPress repository and compare them with the ones running on your website.
It’s a time-consuming process and not a very reliable one. Sometimes differences may arise between the files you are comparing because there are files on your site that you can’t find in the repository. That’s usual but it’s easy to mistake those files as malicious.
→ Look into recently modified files:
There’s a good chance that recently modified files are part of a hack unless someone from your team made a modification you are unaware of. Before flagging the file as suspicious, we’d suggest you consult with your teammates to ensure which files were modified by them.
→ Look for Unknown Files & Folders in the Root Folder:
Website owners don’t access the WordPress root directory (/public_html) often which makes it an ideal spot to hide malware. Hence, looking for unknown files and folders present in the root directory is the general rule of thumb.
But, there are chances that you could end up identifying files as unfamiliar but they are actually safe. Deleting important files unwittingly can cause the website to misbehave.
But removing malware is only half the job.
You’ll need to remove the vulnerability that granted hackers a way into your website. You can see the most common WordPress vulnerabilities here. Sucuri, a popular security plugin reports that outdated plugins are the leading cause of compromised websites. It aligns with what we have observed as a security service over the past 7 years.
We recommend you update all your plugins and themes immediately. You can see what happens when developers don’t update plugins and how it can harm your security.
The next step is to inform Google about what you did so far and request them to review your site and to remove the blacklisting.
Submitting Website For Google Review
Submitting your website to Google for review is not as hard as you may think. We’ve listed an easy step-by-step process for you to follow. What you need to do is:
- First, verify ownership of the site
- Then, submit the website for review
Verify Site Ownership
Go over to Google Search Console, select Start Now and enter your URL. In this step, Google gives you two options – Domain and URL prefix.
Domain vs URL prefix
If you select Domain, Console allows you to manage your primary domain (yourdomain.com) as well as subdomains (like http://yourdomain.com, https://yourdomain.com, http://www.yourdomain.com, https://www.yourdomain.com, https://m.yourdomain.com, subdomain.yourdomain.com, etc). But if you want to manage only the primary domain (http://yourdomain.com), select URL prefix.
If you select Domain, you’ll only require DNS verification but selecting URL prefix allows multiple verification methods including DNS verification. We are selecting the URL prefix to show you the different verification methods.
Google offers 5 ways to help verify your site ownership:
- Using Google Analytics
- Using Google Tag Manager
- By inserting an HTML code on your homepage
- By uploading an HTML file into the backend of your website
- And by modifying your DNS configuration
We’ll show you 3 methods so that when one does not work, you can try the other two. No matter which one you opt for, take a backup of your website and then proceed.
Verify website ownership with HTML file
This is Google’s very own recommended method and you can execute it through your web host or via an FTP tool like Filezilla.
First off, download the HTML file from the Console page.
Then, login into your web host account, open File Manager and navigate to the public_html folder. In this folder Upload the HTML file you just downloaded.
If it worked, Google will inform you that the site verification is complete.
Verify Website Ownership with Domain Name Provider
In this method, you’ll add a text (called TXT Record) to your DNS configuration. We recommend the DNS configuration method over the next two because you don’t need to add codes to your website which is often risky. The tiniest of mistakes can break your website.
To add the TXT Record to your DNS configuration, you need to first access the DNS editor, often called the DNS Zone Editor. Location of the Zone Editor changes from host to host.
In BlueHost, we found the DNS Zone Editor under Domains. If you are using a different hosting, then do a simple Google search to look for the Editor.
In the DNS Zone Editor, find a section called TXT (Text) and paste the verification code Google provided. The verification may take up to 24 hours to complete.
Verify website ownership with HTML Tag
In this method, you need to add a simple code to your home page’s header section. You can do this by placing the code in the theme’s header file. To achieve that, you need to edit the active theme. But if that sounds a little too daunting, then you can opt for plugins that’ll help you insert the code.
Our recommendation would be to insert code in the child theme because if you don’t, every time you update your theme, you’ll lose your site verification.
To insert the tag into your theme, log into your website dashboard and navigate to Appearance > Themes > Editor. From the Editor select the header.php file.
Then copy the meta tag from Search Console and then paste it between the <head> section and <body> section. We did the same on our website.
Next, click on Verify to see if the verification succeeded.
Making modifications to a website is extremely risky. We strongly recommend using a plugin to inset the HTML tag.
Head and Footer Scripts Inserter or Head & Footer Code are two very useful plugins when it comes to code insertion. We tried out the first plugin and it’s fairly easy to use. All we had to do was activate the plugin, navigate from Settings to Scripts Inserter. Then place the HTML tag in the Head Section and Save changes.
After verifying that the website is your property, it’s time to Request a Review from Google.
Submit Website for Google Review
- In the Google Search Console, navigate to Security Issues and then select Request a Review.
- A popup will immediately appear. And in that pop-up, write down the steps you’ve taken to remove the site from Google blacklist. Mention how you have cleaned your site and updated the core and all your themes and plugins.
- Only when you are satisfied with your answer, hit the submit button. Mission accomplished!
Now the wait begins!
Typically, it takes Google 72 hours to remove Google blacklist.
Before you close the browser, there’s one last thing, we’d like to leave you with.
Prevent Google Blacklist in Future
The problem at hand is solved. But your website is not out of danger. It’s not uncommon for websites to be hacked more than once. The next time it happens, Google won’t hesitate to blacklist your site again. If you want to protect your website and prevent future hack attempts, we’d recommend taking the following measures:
→ Keep Your Website Updates
Earlier, we spoke of how outdated themes and plugins make a website vulnerable which is then exploited by hackers. Make it a rule to never skip a single update. Set aside a day in the week when you devote your time to updating all your plugins, themes and the core.
If there are too many websites to manage then investing in a reliable WordPress management service is an alternative.
→ Stop Using Illegal Software
It’s tempting to use free software but no one considers the security pitfalls. There are websites giving away premium plugins and themes for free. It’s best to avoid using tools from such untrusted websites because the themes and plugins they offer are often infected with backdoors.
Hackers use backdoors to access websites and exploit their resources. If you are using a premium tool that you downloaded for free from an untrusted marketplace, remove it.
→ Use Strong Credentials
The login page is the most vulnerable page on your website. It’s constantly under threat where hackers are trying to force their way in using common usernames (like admin) and passwords (like p@ssw0rd). Using a strong password and a unique username could be a life savior.
→ Choose Secure WordPress Hosting
Hosting services are sometimes compromised. In 2018, hosting providers Hetzner and Daniel’s Hosting were hacked leaving hundreds of thousands of websites exposed to exploitation.
If you want to host a site, it’s best to host it on any of the popular WordPress hosting providers. They are not hack-proof but they are as secure as any hosting provider can get.
These are the basic security measures that you must take.
For more advanced security measures, refer to our guide on WordPress Security.
In conclusion, we’d like to highlight the steps that you need to take after cleaning your hacked websites. It’ll help you get your website whitelisted and protected.
- Submit your website for Google review where you inform Google that your website is now clean and safe for Google users.
- Use MalCare Security Services on your website to ensure that your website remains protected and hack-free.
- Put on a strong pot of coffee. Get to work! Grow your business to greater heights.
For Complete Peace of Mind,
Protect Your Site With MalCare Security Service!