Fix “The Site Ahead Contains Harmful Programs” Warning in Google

Google believes your site may have been compromised and has put your site on their infamous blacklist.

Visitors to your site see the ‘The site ahead contains harmful programs’ warning, and probably leave. They worry your site could lead to their device getting hacked. Soon, your traffic drops, and you lose revenue and reputation.

Harmful programs = malware. Scan for any malware hidden on your site.

While this is scary, the good news is that it is fixable. Even if your site has harmful programs, we can help. It’s important to deal with it quickly, because the longer malware stays on your site, the greater the problems.

TL;DR: Scan your site for harmful programs in seconds. This kind of malware can hurt your site, you, and your visitors by taking information and using your site’s resources. Google has marked your site to keep visitors safe.

What the ‘The site ahead contains harmful programs’ warning means

The warning ‘The site ahead contains harmful programs’ means that Google found harmful software or spam on your site. These warnings come up if Google detects a hacked site. These types of alerts are known as Google’s blacklist.

Chrome, other browsers like Firefox and Safari, and Google show this warning when a user clicks on a site that has malware or isn’t safe. This may be because it’s a phishing site or may send visitors to harmful websites.

This is part of Google’s effort to keep users safe from risky websites. While searching sites, Google might find hacks or spam, like phishing scams or redirect malware.

There are similar red screens, like deceptive site ahead or ‘This page is trying to load scripts from unauthenticated sources’.

You can bypass the warning by clicking on “Details” and proceeding, but most people will stay a mile away.

You can see if your site is on this list by using Google’s Transparency Report tool.

Why is this message on your website?

The warning shows up because your site might be hacked. Google’s scans have found a problem, and now it’s your turn to fix it.

Malware is usually the reason for this message, but not always. Maybe your site isn’t hacked, but a plugin is pulling from a risky site. Or there might be spam links or harmful software in your site’s comments.

It’s important to tackle these issues. Start by scanning your site for harmful software and cleaning it if needed. If it’s not the software, the other issues are easier to fix and can be handled afterward.

Other ways to know if your site is hacked

You might notice obvious signs of hacking, or nothing at all. It depends on the attack.

Site admins often find out last because hackers hide malicious code well.

Here are some common signs:

And so on. Each hacked WordPress site will behave differently.

Fix ‘The site ahead contains harmful programs’

There are three main steps to solve this issue:

• Remove the hack from your site.
• Submit your site to Google for reindexing.
• Protect your site from future attacks.

In this article, we’ll guide you through the process. We’ll also explain the different methods available, along with their pros and cons, to help you choose the best option.

Step 1: Remove the harmful programs from your site

Start by tackling the main issue: removing the hack.

There are two main ways to scan for and clean hacks from your site: using a dedicated security plugin or doing it yourself.

A plugin is the best option, as it does the heavy lifting. It takes a fraction of the time it would take to manually go through your site’s code and database. Plus, a plugin finds all instances of hacks and backdoors, which can be otherwise missed.

So, while manual scanning and removal might initially seem appealing because they’re free, they can become costly over time.

Option 1. Use a dedicated WordPress malware removal plugin

Install and activate MalCare on your WordPress website. Wait for the sync to complete, then view the results. The scan results will show if your site had malware on it, and you can simply click on Clean malware to get rid of it in minutes. 

And that’s all there is to it. From start to finish, this process should take less than 5 minutes for a medium-sized site; perhaps a few minutes more for larger sites. It is the best way to rid your site of malware. 

On the off chance that your site is offline because your web host discovered malware on it before you did, write in to them to request whitelist yours and MalCare’s IPs. Get in touch with our support team, and they’ll take you through the next steps.

Option 2. Hire a WordPress maintenance service or expert

The next best solution is to hire a WordPress maintenance service. These agencies have experienced developers on their team, and you can rest assured that your site will be squeaky clean at the end of it. 

However, there are 3 things you must keep in mind with a maintenance service:

• You’ll have to wait for their availability, especially if they are good agencies.
• They will rarely guarantee the cleanup. So if your site gets hacked again, you’ll have to go through this all over again.
• They charge for their expertise, which is valuable and at a considerable premium.

Option 3. Remove the malware from your site manually

In order to remove malware from your site manually, you really need to be a WordPress expert. Otherwise the risks are too great. And frankly, if you had the kind of chops needed to remove malware on your own, you wouldn’t need this article. 

We have seen sites getting hacked and then destroyed beyond repair because of botched cleanups. There are plenty of videos and articles that will claim to help clean up malware, but they are necessarily limited in scope because malware varies so widely. So one set of instructions is bound to leave out something critical for a different set of circumstances. 

It is vastly better and less stressful to use a WordPress security plugin that scans and cleans the malware, and also protects it from attacks in the future. 

If you choose to go down the manual malware removal path, then please backup your site first. If anything goes wrong, a malware-ridden site is still better than no site.

1. Connect to your site server with FTP or SSH, or use cPanel’s File Manager

You’re going to be digging through the files of your site, so you need to access them. We recommend using FileZilla, a popular FTP client to connect to your site. You can easily see the site files, and open them up for editing as required.

Alternatively, if you are comfortable with the command line, you can use SSH instead. There is also cPanel’s File Manager, if your web host provides it. 

2. Get your site online

Hacked sites are bad news for web hosts, so a lot of them will take them offline as soon as they discover a site has malware. If this is the case with you, write into your host’s support and ask them to whitelist your IP for malware removal. 

While you’ve got them listening, ask them for the results of their site scans. These will show up where malware was detected, and can be a starting point for this quest you’re about to undertake. 

3. Take a full site backup

Cleaning your site is going to involve digging through site code and the database. Making changes to the gears that run your site is fraught enough on a good day, and we still would recommend a backup. With malware, the stakes are different. At any moment, your site could go up in flames, and you’d be left looking at the ashes. A backup will help you restore your site, albeit with malware, and start again. It is like having extra lives in a video game—you need them for the boss fight. 

Take a backup in minutes with BlogVault. BlogVault is one of the few WordPress backup plugins that has offsite backups, so it is unaffected by anything the web host does. Even if your host deletes your site, your BlogVault backup remains completely intact. 

4. Download installs of WordPress, plugins, and themes 

Make a list of all the installed software on your site, along with their version numbers. Then, download fresh installs of them all from the WordPress repository or from the developer sites. Make sure to get the same versions as those on your site.

If there was nulled software installed on your site before, do not under any circumstances reinstall it again. In 99% of sites with nulled software, they are the entry points for malware. 

5 Compare the code of your site with that of the new downloads

Here is where things get tedious. You need to open each file in each directory and compare code line by line to find anomalies. And then you have to analyse each one to figure out which ones are malware and which ones are custom code. 

To (marginally) speed up this process, make a note of each anomaly and come back to it later. This will also help you figure out the connections between code, because malware often splits into different pieces to avoid detection. 

For instance, a harmless-looking .ico file could call up a script in a file. The script could be further broken down into many parts, so that each individual piece looks harmless to ordinary malware scanners looking for signatures. (As an aside, this is why MalCare’s scanner is so much better. It doesn’t rely on just signatures but analyses the intended behaviour of code to flag malware.)

6. Check for fake plugins

Malware also sometimes takes the liberty of installing itself as a fake plugin. Fake plugins look like junk versions of real ones, with ridiculous names like wp-zzz. They often have very few files and folders, and will generally have obfuscated code that makes no sense. 

Since you have the guts of your site spread out in front of you, and you have now gone through all the legitimately installed software, look for orphan files and directories. These haven’t shown up anywhere in the fresh installs: WordPress, plugins, or themes. 

Before writing them all off as malware though, there is a chance that some of this code is custom to your site. Contact the developer that put it together to check before deleting anything. For instance, people use custom or must-use plugins to control automatic updates on their site. 

7. Install WordPress on your site

At this point, you should have identified all the anomalies on your site—both good and bad. Now it is time to start cleaning out the malware. 

Replace the wp-includes and wp-admin folders completely. 

Next, look at the single files in the root directory. Before replacing them, check the following ones: 

• index.php
• wp-settings.php
• wp-load.php
• .htaccess

There may be extra code in these that isn’t there in the downloaded installs. These could be legitimate modifications, like whitelist instructions in the .htaccess file, but could also be malicious. Vet the code carefully, and then proceed to replace. 

The wp-config.php file doesn’t exist in the WordPress download, as it is generated afresh during installation. Check this file for malware, and delete any code that looks odd from it. 

In the wp-content folder, ignore the plugins and themes folders for the moment. Focus on wp-uploads which, as the name suggests, contains media uploaded to the site. This folder should not have any executable files. Any PHP or JavaScript files you see should be removed immediately. 

8. Clean malware from your plugins and themes

Plugins and themes are a little more complicated to clean because the files may have different code, depending on your installation. In any case, repeat what you did to clean WordPress’ files, and you should be in good order. 

After having done this, check if your installed versions have declared vulnerabilities. If major updates are available, please do update to those after all this is over. 

9. Clean the database

Use phpMyAdmin or another database management tool to download a copy of your database. The WordPress database is a very critical part of your site, so be very careful about these next steps. 

Scan each table and row of data for malware code. The database contains all user-generated content, like posts, pages, comments, and so on, in addition to major configuration settings, like site URL and usernames and their hashed passwords. In short, there is a lot to go through, and it is all important so be careful. 

10. Look for backdoors

Backdoors are a type of malware that allows reentry to a site once the main malware has been discovered and removed. They are often hidden in clever ways, and can be difficult to find in the first sweep of the site. 

I recommend going through the site code and database once again to look for the following keywords: 

• eval
• base64_decode
• gzinflate
• preg_replace
• str_rot13 

These are typically functions that are used to gain programmatic access to a site, so all are not bad. However, since they’ve been abused by hackers, most legitimate software has stopped using them entirely. 

As always, use discretion and be careful whilst removing them from your site. 

11. Reupload cleaned code and database

You can ignore this step if you were working with FTP, SSH, or with File Manager. In case you were cleaning a downloaded copy of your site, it is now time to push it all back to your live site. 

12. Clear all your site’s caches

Caches store older versions of your site for quick loading. Now that your site is malware-free, you want to flush all these out so your visitors will see the clean site. Also, if there is a cached version of your site with malware, Google will reject the review request. 

13. Scan your site with a malware scanner again

Granted, this is a check but it will help you confirm that your site is indeed clean. It is validation of your effort and will give you peace of mind. Getting here wasn’t easy, so celebrate this incredible achievement!

Step 2: Remove the “the site ahead contains harmful programs” warning

The next step in this process is to get the “Site ahead contains harmful programs” notice removed from search results. 

Google’s appeal process is fairly straightforward, but before you do anything you must ensure that your site is completely free of malware. Each of these review requests are addressed manually, so repeated ones, while well-intentioned, will earn you a ban of 30 days. The key to getting rid of the notice is to exercise patience and restraint when dealing with Google. 

Now, onto the steps: 

1. Log into Google Search Console, and go into the Security Issues tab. 
2. Scroll right to the end and click on Request a review. 
3. Complete the form with as much detail as you can provide about the steps you’ve taken to address the issues. 
4. Finally, submit the form. And wait.

What to do if Google rejects your request

Google may reject your request if its scans still show malware. If you’ve cleared the caches, you can check if links or assets point to hacked sites. we’ve seen a few sites where an image was from a website that was hacked. This would be the case with stock images in themes for instance. 

You also may have missed malware, if you cleaned the site manually. In this situation, bite the bullet and get MalCare. The support team will help  you get rid of the malware, and will walk you through the steps of the review request as well.

Step 3: Prevent the warning from coming back

WordPress sites often get hacked. This is not because WordPress is insecure; it is actually quite the opposite. WordPress sites get hacked because of poor security practices. With a little bit of care, you can prevent 99% of hacks on your site.

In spite of all this, if your site gets hacked, that’s ok. No security is 100%, and anyone who says otherwise is not being truthful. However, with MalCare, you will find out about the hack during your next daily site sync, and will be able to remove the malware in minutes. 

Why is your site showing this warning? 

Now, let’s look at the possible causes behind this warning in detail.

Impact of the warning on your site

Malware on your site has both short and long term effects. Visitors leave hacked sites in droves because they fear the consequences. And they are right to do so, because social engineering attacks that are out to steal their information are increasingly prevalent. 

But that’s just the tip of the iceberg. Malware has caused: 

• Lost revenue for both service and product businesses
• Sites to lose their SEO rankings and traffic
• Web hosts to suspend or even delete sites
• Sites to lose reputation and brand value 

The cost of malware is both direct and indirect. Malware removal by experts is expensive. Lost time is expensive. Effort and resources ploughed into the site in the first place are expensive, and cost more than a pang to lose to malicious hackers. 

All in all, declare a war on malware and protect your site. The consequences of not doing so are dire.

Conclusion 

“The site ahead contains harmful programs” Google chrome warning is literally and figuratively a huge red flag. It means nothing good for the site owner and visitors and can cause big losses. 

Malware should never be taken lightly, and should be addressed as soon as you become aware of it. With MalCare, you can rest assured that your site is protected and has the best WordPress security available. 

Now that you’ve experienced the “The site ahead contains harmful programs” chrome warning, hopefully, you have been able to resolve it and save your site. It is a good time to start getting a good understanding of WordPress security as well. There is a lot of misleading information out there though, so be skeptical and err on the side of safety always.

FAQs