Are you seeing a big red warning when you try to visit your website, saying that your website is dangerous?
This is a sign of malware on your WordPress site, and your site is blacklisted by Google.
Google wants to make sure that its visitors have a safe search experience. So their Safe Browsing initiative flags sites that have malicious content or spam links with a series of different browser warning messages: deceptive site ahead, phishing attack ahead, this site may harm your computer, site ahead contains malware, the site may be hacked, this website has been reported as unsafe, this page is trying to load scripts from unauthenticated sources, and so on.
If you are seeing this Google blacklist warning, act fast. The first thing to do is scan your website to be 100% sure of the hack.
It is important to take your next steps quickly because this URL blacklist warning scares visitors away, and will result in a drop in traffic. Additionally, several browsers, including Chrome, use Google Safe Browsing to protect their users from harm and can block a chunk of traffic from your website.
You should also protect your site, your data and your visitors from harm, so you need to prioritize Google blacklist removal.
TL;DR: Remove Google blacklist warning from your website by removing the malware that is causing Google to flag your website. With MalCare, you can clean the malware from your website in minutes, and use our post-cleanup checklist to send Google a review request.
What is the Google blacklist
Google wants to promote safe browsing. For this, Google flags several thousand websites every day that it deems unsafe to visit. These websites usually contain malware or deceptive content. When Google blacklists your website, visitors clicking through from search engines will see a big red notice, or a ‘Dangerous’ label in the URL bar.
But that’s not all, the Google blacklist will affect your WordPress site in more ways than just a big notice showing up on the screen. Once Google blacklists your website, it will also deindex it. This means that your website will stop showing up on the search pages of Google.
Consequently, as your website pages stop showing up in search results and any visitors are dissuaded from visiting your website, you will see a drastic drop in organic traffic. And since many antivirus solutions, web hosts, and browsers also refer to the Google blacklist, chances are that they will also flag your website or suspend your account.
There are various blacklist warnings that you can get based on why Google has blacklisted your website. Let’s take a look at how they appear.
Phishing attack ahead
This site may harm your computer
The site ahead contains malware
This website has been reported as unsafe
This page is trying to load scripts from unauthenticated sources
Government-backed attackers may be trying to steal your password
The site ahead contains harmful programs
Finding out if your website is blacklisted by Google Safe Browsing (Google blacklist check)
It is important to confirm whether your WordPress site is on the Google blacklist before you can fix it. In the best-case scenario—if there can be one—Google sends you an email, saying that your website has malware on it. They usually include helpful links to forums and articles, so that you can resolve the issue. But there are also other ways in which you can find out if your website is on the blacklist.
Google Search Console
Apart from their email, you will also see malicious files and pages listed on Google Search Console account, under Security Issues. It is a good idea to get familiar with Search Console at this point, because you will be filing a review request from here, later on. To do so, make sure that you have admin access.
Check Google warnings
Additionally, there are the horrible red browser warning pages. We’ve had panicked admin email us about the ‘red screen of death’ a few times as well, and with good reason. Their customers see the notice, and drop off their website in droves. Their traffic tanks and revenue goes down. It is a complete mess and a scary situation all around. In some cases, the search results will be labelled with warnings for visitors.
Pay attention to customer feedback
Antivirus programs will also block your website, or part of it from being displayed on people’s computers. So even if customers are intrepid enough to brave your hacked website, their computers will protect them from the danger. If any of your customers complain of this, look into it with utmost concern.
Check Google search results
You can look at Google search too, because Google will remove your website from their search results. Your website will no longer be indexed, so no one can find it without the address.
Check Google’s Transparency Report
Finally, Google maintains an online directory for its blacklisted websites. You can check any website on the Google Transparency Report to find out if your website has been blacklisted by Google. It is a foolproof way to confirm whether you have been blacklisted.
Why has your website been blacklisted by Google
As we explained before, when Google crawls your website and finds something bad, it adds your website to the blacklist. These “bad” things could be:
- Your site has been hacked: Your website has been compromised and there is now malware on it. Google differentiates between different types of hacks, like phishing content, spam content or downloadable malware that can harm visitors’ devices. However, for the purposes of this article, we are going to consider all of it as malware.
- Your website has spam web pages: Assuming that your website itself is not spammy, this is a typical result of malware. One of the reasons hackers attack websites is specifically to insert spam pages for grey market or illegal products and services, because Google will not index their websites. So they piggyback on your website to get any visitors from SEO at all.
- One of your plugins is loading assets from a blacklisted URL: You have a plugin or theme on your website that is loading content from a flagged website. It could be something as innocuous as an image file, but it will still cause issues. Your website doesn’t have malware on it, but Google will still flag this as malicious or deceptive content.
- You are using black hat SEO strategies: Black hat SEO strategies attempt to manipulate search engines to get more visitors. The content probably doesn’t match up to the SEO hacks, and so the visitor is essentially duped into visiting the site at all. Black hat SEO is a major Google policy violation, and will get your website onto a blacklist very quickly. Moreover, hacks only work in the short term, so whatever little you are able to gain by applying them will fizzle out in due course.
Here are some of the black hat SEO strategies that you should absolutely avoid doing:
- Cloaking: Google sees one version of your website, whereas human visitors see another version
- Scraping: Getting data and content from other websites, like pricing or product information from web stores
- Keyword stuffing: Too many keywords, very little substance
- Buying backlinks: Backlinks are signals that indicate content has authority and value, and therefore people link to it. Buying backlinks effectively games that system
- Duplicate content: Copied content from other websites, which effectively means your website is stealing value from another website
These are the most common reasons why Google would blacklist your website. For further reading, and to figure which action Google takes under which circumstances, check out their list of warnings.
How to Remove Malware Infection from Your Site
In order to get your website off Google’s blacklist, there is a 5-step process:
- Identify the symptoms of malware
- Scan your website to confirm the hack
- Clean the hacked files and malware from your website
- Complete the post-cleanup checklist
- Submit a review request to Google
In this process, the most critical step is to remove the malware from your website. We will talk about how to do that in detail shortly.
Before you begin
We’ve cleaned thousands of websites with malware, and there are some salient points to keep in mind:
- Speed is essential: Hacks become exponentially worse as they are left unattended. On top of this, Google tracks how long admins take to address security issues on their websites. There is no outright indication of how they use this metric, but we can safely assume it makes a difference somewhere.
- Avoid manual cleaning: Even for WordPress experts, malware removal is a long, tedious and fraught process, which often ends in a broken website. Security experts also use tools to discover malware hidden in files and folders, and rarely check the code manually.
- Malware is only half the battle: 90% of the time, the malware was able to infect your website, in the first place, because of a vulnerability or a backdoor. Therefore, even if you are able to get rid of the hacked code, unless you patch up the vulnerability or backdoor, the infection will reoccur.
- Advice can be good or bad: WordPress is a community too, apart from a CMS. There are a lot of people out there who unknowingly dispense poor advice. They have seen a problem, and managed to fix it in a certain way. That doesn’t mean their methods are the best, or even good, ways to fix problems. This is especially true in the case of security issues, where you will see a lot of advice for hiding login pages or password-protecting critical folders. These are bad ideas, and will cause more headaches than solutions.
1. Identify the symptoms of malware on your website
At this point, you have already determined whether your website is on the Google blacklist or not. But malware is not as easy to identify. The malware hides in the most unexpected places on your website and can appear in the most bizarre ways. Therefore, it is important to identify the symptoms of malware on your website.
Symptoms appearing on search results
The first place where you will see signs of malware is on the search results. The SERPs will give you an insight into the health of your website if you know what to look for.
- Junk meta descriptions: Meta descriptions are the description of a webpage under the search result. Usually you will see an excerpt or a description that you have set. But some malware changes these descriptions to junk values or japanese characters. This is a common sign of malware.
- Google flagging your website: If Google accompanies your website results with notices such as ‘This site may be hacked’ or ‘This site may contain malware,’ your website has most likely been infected.
- Indexed pages: When you Google your website, Google will list all the pages on your site. If the number of the indexed pages shown on Google is way more than the actual number of pages, Google is indexing spam pages that are piggybacking on your website through malware.
Symptoms appearing on your website
Another great place to look out for malware symptoms is your website itself. Look for the following symptoms the next time you visit your website.
- Spam popups (malvertising)
- Phishing/spam pages
- Redirects to spam sites
- Classic redirects
- Link redirects
- Mobile-only redirect
- Broken website
- White screen of death
Symptoms appearing on the backend of your website
The backend of your website also holds clues regarding the health of your website. If you find any of the following on the backend of your site, it could be a symptom of malware.
- Strange code in files
- Unexpected changes
- Unusual user activity
- Escalation of privileges
- Additional files in the root
- Changes in settings
- Fake plugins
Symptoms appearing in Analytics
Your website analytics may tell you a lot about how people interact with your website. But it also shows abrupt changes or sudden spikes that could be a sign of malware. Look out for the following on your website analytics to see if these could be caused by malware.
- Unusual traffic spikes: If you see sudden spikes in traffic from a particular country, which is not directly a target area for your business, this could indicate malware on you website.
- Reduced conversions: As malware affects the way your website behaves, it can send your users to spam sites, show them irrelevant pop-ups or make your site inaccessible. This results in a lower conversion rate as users get a horrible experience when on your website.
- Increased bounce rate: As we discussed, malware messes up your user experience. This causes users to leave your website abruptly and increase the bounce rate.
Symptoms related to performance and user experience
In addition to everything we have mentioned above, malware can also show up as issues related to performance and user experience. If you notice any of the below-mentioned symptoms, it could be the result of malware.
- Site becomes slow
- Site is inaccessible
- Server resources are used up
- Users can’t log into your website
- Visitors complain about seeing symptoms
2. Deep scan your website for hacks
The first order of business is to figure out the extent of the malware on your website. MalCare’s deep scan will check every file, folder, and line in your website database for malicious code that is causing a Google blacklist. It also checks for deceptive content, spam content and links, and vulnerabilities and backdoors.
There are a few ways to scan your website. We recommend a deep scan because it is thorough and checks every part of your website.
- Use MalCare’s free scanner to deep scan your website [RECOMMENDED]: Install MalCare, and in a matter of minutes, your website will be scanned completely. You will also get a report of how many files are affected by the hack.
- Use an online scanner: An online security scanner will scan only the publicly visible code of your website. With an online scanner, you will see if your posts and pages have malware. This is generally a good first step for diagnostic reasons, but falls short because it cannot detect malware in the core files and critical folders of your website. It is, at best, a half-measure, because malware doesn’t stick only to publicly visible parts of the website. In fact, many of the worst hacks have inserted malware into the .htaccess file, index.php file or in the /wp-config folder.
- Scanning manually: This is the least effective and efficient way to look for malware on your website. Firstly, there is a good chance that you will miss something and find yourself back at square one, with nothing to show for your effort. Next, if you have a large website, you have to check every line of code. Even if you take weeks to meticulously pick through every single line, you have to be very confident in your ability to distinguish code from bad code. It really isn’t straightforward.
Even WordPress experts use tools to scan for malware, because the cost of human error is just too high. Use MalCare’s free scanner to get a definitive answer to the question of a hack.
Other ways to check for malware on your website
WordPress security plugins are not all the same, because they each have their own mechanisms for detecting malware. Popular plugins like WordFence are known for false positives and too many alerts, whereas Sucuri doesn’t do a good job of detecting malware at all.
If your website has been blacklisted by Google, there is definitely malware on your website. However, if you still want to be absolutely sure, there are other ways to confirm a hack on your website.
- Use an incognito browser to visit your website
- Google your website and check the results and number of pages indexed for an indicator of spam pages
- Check activity logs for unusual user activity in case a hacker has managed to compromise one of your admin accounts
- Analytics data might show odd spikes or troughs in traffic
- Google Search Console warnings are an excellent indicator of malware
- Out of date plugins and themes on your website might have vulnerabilities. You can check if any of your installed plugins or themes have recently discovered vulnerabilities.
- Nulled plugins and themes are a no-no. Nulled software is usually riddled with malware and backdoors.
Pro tip: Check the date when Google discovered suspicious content. You can find the discovery dates next to the URLs provided in the ‘Detected Issues’ section. Google does not always provide a lot of information on the URL blacklist. Checking the dates can help you narrow things down even further. For instance, did you install a plugin right before that date?
3. Clean the malware that landed your website on Google Blacklist
Now that we have established that there is malware on your website, let’s talk about cleaning it up. There are 3 ways to clean your website of malware:
- Thorough cleanup with a security plugin [RECOMMENDED]
- Security expert services
- Manual cleanup
We recommend removing malware by installing and using MalCare’s one-click auto-clean.
Right now, your website is taking a beating because it is on Google’s blacklist. It is super important to act fast to get your website back on track. Malware gets progressively worse the longer it remains unresolved.
Option 1: Thorough cleanup with a security plugin [RECOMMENDED]
MalCare is a best-in-class security plugin that not only scans your website daily for hacked files and vulnerabilities, but also enables you to clean hacks instantly from your dashboard.
If you have installed MalCare for the free scan, all you need to do is upgrade to clean your website. If not, here are the steps:
- Install MalCare on your website
- Wait for the website to sync with MalCare servers
- Scan your website from the dashboard
- Auto-clean when prompted, and get rid of the malware
And that’s it! It really is that simple. MalCare checks every file and database table for hacks with a sophisticated algorithm. The algorithm doesn’t rely on simple file matching to check for hacks.
If the hack is not fully cleaned, you can request support to take over. MalCare support has a team of security engineers, and they will go through your website to find the hacked files. All of this is included in the same subscription.
On top of that, MalCare will protect your website with daily scans, an integrated firewall that defends your site against malicious traffic from countries or devices, and a powerful dashboard for ease of use.
How to install MalCare if your website has been suspended or is being redirected?
There are times you won’t be able to access your website because of a redirect hack or perhaps your web host has suspended your account.
This is a trickier situation, but it can still be resolved. Get in touch with us, and we will walk you through the steps to contacting your web hosting provider.
Option 2: Security expert services
There are hack removal cleanup services that will go through your website and get rid of the malware. MalCare also provides an emergency cleanup service, but we prefer to help you install the plugin instead.
Hack removal services are expensive, because they require manual expertise and take time. A security plugin is much better, and resolves the hack much faster. If you choose to go another route, we cannot speak to the efficiency of another hack removal service.
Option 3: Manual cleanup
At MalCare, we have cleaned thousands of websites. That is the expertise that goes into our security plugin, as a matter of fact. It is also why we don’t advise manual cleaning at all.
Even expert hack removal services use tools and programming knowledge to assist with manual cleaning. Going through each line of code is next to impossible, especially if it is an e-commerce site, or a large one with lots of posts and pages.
Apart from the time, there is always the risk of breaking the site altogether. If you choose to clean your website manually, please be warned that you are running that risk. Malware can vary significantly, so there is no tutorial that will fit your exact use case.
Now that we have got the warnings out of the way, let’s start with the cleaning process.
Prerequisites for cleaning your website manually
- Understand WordPress file and database structure
- Experience with coding, programming logic, and developer tools
- Familiarity with cPanel and other web host dashboard tools
Steps to cleaning your website manually
- Get access to your website, if it is suspended. Contact your web host, and ask them to whitelist your IP for cleaning.
- Get a list of hacked files from your web host, or from Google Search Console. This is a good starting point, although it will not take care of the vulnerabilities that allowed the hack in the first place, so avoid relying solely on this list.
- Backup your website immediately. A hacked site is bad, but it is still functioning. If the cleaning effort breaks your website, this backup will help you retrieve something that works at the very least.
- Download clean installs from the WordPress repository. This should include the WordPress installation and all plugins and themes. Remember to get the same versions that were on your website in the first place. You might have to look at archived versions to find those.
- Remove fake plugins from your website. Since you have a list of plugins and themes, you can see if there are any outliers on your website. Chances are these are fake plugins, which are essentially hacked files masquerading as plugins. They typically contain a single file or two at the most in their folders, and have weird names. Another way to check if a plugin is fake is to look for it in the repository.
- Delete nulled software. Nulled software are pirated premium plugins and themes, and will invariably have malware or backdoors hidden in the code. There is no such thing as a free lunch, remember, so hackers who are going to steal from developers are not altruistic Robin Hoods, but thieves. They will steal from you too.
- Reinstall WordPress, by deleting the old version and copying the files from the new install. WordPress core files have very little user data, and mostly have configuration information. Therefore replacing them will save you from having to comb through that code.
Log into cPanel or use SFTP to access the backend of your website. Delete the following folders, and copy the new versions entirely:
Next, look for strange codes like favicon_bdfk34.ico in these core files:
We cannot be more specific about what to look for, because malware can look very different from hack to hack. The easiest way to do this is to look for code that is not in the clean installs, and analyse what it does. However, just because it isn’t in the clean install doesn’t make it necessarily bad.
Finally, the /wp-uploads shouldn’t have any malicious PHP files at all. Delete any that you find in that folder.
- Repeat the clean up process for plugins and themes. There is an added layer of complexity here, because plugins and themes are usually customisable. That code is definitely not malicious, but it won’t be in the clean installs. The same goes for additional libraries that you may have installed.
A good place to start are the key theme files: header.php, footer.php, and functions.php
- Clean malware from the database, which is much trickier than it sounds. The database contains, well, all your data. This means your content, user data, and everything else in between. Please be very cautious about deleting any information from here without being absolutely certain it is malware. You can lose a significant amount just by poking around in the database.
- Remove all backdoors now that you’ve removed the malware. Backdoors, exactly as the name suggests, are ways for hackers to gain unauthorised access to your website. The code can be hidden anywhere in your website. It is vital to remove backdoors and patch vulnerabilities, otherwise your website will most certainly get hacked again.
Look for functions like these:
They aren’t necessarily backdoors because they can have legitimate uses. Also, hackers can obfuscate code to look like something else entirely, or find creative ways to disguise these functions. The general rule of thumb is to keep your eyes peeled for anything that looks awry in the code.
- Restore cleaned files to your website backend. Log into cPanel and use the File Manager to replace the files, and phpMyAdmin to replace the database. You will need to delete the existing files first, and then copy your clean files in their place. You can also use FTP or SFTP to manage your website restore. It is a more reliable process but can get tedious.
- Clear the WordPress and browser caches. Caches store older versions of your website to aid in performance. Therefore there will still be malware in cached files. Google often scans cached versions of websites, and detects the malware in those versions. This is often the reason why review requests are rejected.
Manual cleanups are difficult to perform thoroughly, especially on large websites. There is a big chance that something could go wrong, the site breaks and is then irretrievable. That’s why we also recommend you backup your working website, regardless of malware, as soon as possible.
Finally, even WordPress security experts use tools and coding skills to remove malware. Additionally, they are plugged into the ecosystem, and are aware of the new variants of malware that crop up. If you decide to avoid a plugin, a security expert is still a better choice than manually cleaning the website.
4. Fix bad SEO practices
Black hat SEO is just a bad idea for your website and your business. Google takes a very serious view if your website has any of the hallmarks of bad SEO.
It is understandable that you want visitors to your website, and sometimes the sanctioned strategies take too long. However, trying to manipulate search engines is a short-term solution, with long-term consequences.
So if your website has any of the following workarounds, please remove them before requesting a review:
- Cloaking: Make sure that Google sees the same version of your website that a visitor sees
- Scraping: Don’t use bots to scrape data off other websites
- Keyword stuffing: Focus on building useful content, and then optimising with keywords
- Paid backlinks: You can approach other website admin to exchange backlinks if their content and yours are connected. You will also get better traffic as a result of doing this.
- Duplicate content: Develop your own content and delete any copied content
There are other SEO strategies that Google frowns upon. The rule of thumb is to provide value to visitors with your content, products and services, and avoid anything that is remotely deceptive.
How to Remove Site from Google blacklist warning
At this stage, you need to be 100% certain that your website is free of malware. Run a scan to double-check before proceeding to ask for a review. This is an important step because if Google finds any trace of malware on your website, it will reject the review request.
It is also worth pointing out here that Google reviews these requests manually. Therefore, if you have too many rejected requests, Google will flag you as a ‘Repeat Offender’. After that, you will need to cool your heels for 30 days before filing a new request.
Google blacklist removal steps:
- Go to Google Search Console account
- Click on the Security Issues tab, and navigate to the bottom of the screen
- Hit the ‘Request a review’ button
- Use the form to indicate all the steps you took to resolve the security issues
After submitting the form, be patient. Each request takes a few days to be resolved, but there is nothing you can do to hasten the process. In fact, if you do try and follow up too many times, that will also land you on the repeat offender list. So yes, be patient.
What if your site doesn’t have any malware and the review request is rejected?
There are a few cases where the review request is rejected by Google, saying that they still detect malware:
- The cache wasn’t cleaned: As a part of the post-cleanup checklist, please clean your WordPress and browser caches. If you don’t clear the website cache, Google will flag malware once again, and will not remove your website from the blacklist. You can then access some of the flagged pages, and if they return a 404, you know they don’t exist on your website.
- Old links as remnants: Check the scan results that Google shares with you, and see if any of the links still point to spam sites.
There is a chance that the malware wasn’t cleaned properly, especially if it was done manually. In this case, you will need to bite the bullet and get a security plugin to do the job. The manual cleanup wasn’t a success.
It is very unlikely that Google Safe Browsing shows false positives at all. So try resolving the issues as suggested above, and file another review request.
How Google blacklists your website
Google periodically crawls your website in order to index it for their search results. This means that it reads the content on your website to understand what purpose it serves, and accordingly shows it to its search engine users. This is done through Googlebot, which crawls the websites on the internet to index them automatically.
Googlebot scans website code and checks it using an algorithm to see if it is malware. If the scan detects a malware, it immediately blacklists the site depending on the malware or deceptive content detected. Google also blacklists sites that violate their policies, like the use of black hat SEO.
To see if your website is on the blacklist, you can search for it on Transparency Report.
How to avoid being blacklisted by Google in the future
The only thing left to do now is to make sure that you stay off the Google blacklist in the future. The top reason Google blacklists websites is because of malware, and malware is getting more sophisticated by the day.
Therefore you need to invest in your website security. It will stand you in good stead. Here are a few things you can do right away:
- Install a good security plugin with an integrated firewall
- Harden your WordPress website
- Install SSL, if you haven’t already
- Update your WordPress core, plugins and themes
- Review your users and password regularly
Apart from the website security angle, make sure to only use white hat SEO practices. It is just not worth the hassle if you don’t.
Why does Google Search Engine flag hacked websites
In all cases, malware on websites is caused by compromised website security, so it is not your fault. So you may be wondering why your website has been blacklisted by Google.
Google wants to protect its users from malware that can steal their identity or data, or infect their devices, therefore it blacklists any websites that use deceptive practices or contain malicious code. The types of hacks that Google flags are:
While the malware isn’t your fault, there are ways to protect your website. Therefore since the malware is on your website, it becomes your responsibility to deal with it.
What is the impact of Google blacklist on your website
The consequences of a hacked website range from bad to disastrous. There is obviously no good outcome, but some people are unaware of just how bad it can be. Here are a few of things that we have seen websites experience when they have been hacked:
- Suspended site by web host
- Loss of visitors and revenue
- Reduced site performance
- Legal issues
- Unhappy clients
- Data theft
All of the above also leads to financial losses, either directly with loss of revenue and cleaning costs, or indirectly through time and resources spent on damage control. All in all, it is a terrible situation to be in.
While there are many reasons why Google can blacklist your website, malware is the most serious and the hardest to recover from. You can give your website its best chance at security by installing a good plugin.
Have questions or comments? Drop us a line! We would love to hear from you.
Why is my website showing as dangerous?
Your website is showing as dangerous because your website has been hacked. Your website has been blacklisted by Google, and now browsers are showing the dangerous warning in the URL bar to warn users from visiting a hacked website.
The best way to fix the problem is to install a security plugin on your website and clean the malware. After that, you need to request a review from Google to get your website removed from the Google blacklist.
How to fix the Google blacklist warning?
To fix the Google Blacklist warning, you need to address the issues that got Google to flag your website in the first place. Start with the email that they sent, and figure out the reasons for the URL blacklist. The biggest reason to land on the blacklist is the malware on your website.
Use a security plugin to clean the malware on your website. Then request Google for a review to remove site from Google blacklist warning.