What to Do if Your Website is Marked as Harmful

Updated on Jun 15, 2023

Google is very proactive when it comes to protecting internet users. Every day the search engine scans millions of websites for viruses, spyware, and other malicious software that could endanger website visitors. If Google detects malware on your website, it will flag it as a risk and notify all potential visitors. The warning will be shared across all Google products, so do everything you can to clear your website of malware and take all necessary precautions to avoid it in the future.

It is understandable to be concerned if your site gets flagged for malware, especially if you are unfamiliar with the malware details and Google’s Blacklist. Because of the warnings users begin to see, most will not enter your website and may never try again. This will inevitably result in a significant decrease in web traffic, the demise of online profits, and a negative impact on search engine rankings. Your website could even get blocked for all Google Chrome users.

Every day, Google adds around 10,000 websites to its blacklist. Security warnings, diagnostic pages, and hack indicators can be difficult for most website owners to comprehend. Fortunately, you’re reading a guide that will inform and assist you in understanding everything you need to know to clear your site of malware and how to keep it safe and secure for as long as possible.

What is Malware?

Malware is an abbreviation for malicious software, which is any software intentionally designed to harm servers, computers, or computer networks.

Malicious software comes in various forms, including scripts, executable applications, and executable files. Hackers who deploy such malware have a variety of goals. Here’s what they can do to your site for their own benefit:

  • Redirect your website elsewhere to steal your traffic;
  • Obtain sensitive information from your website or its visitors;
  • Steal money from your website;
  • Inject links that lead to their website to improve their SEO score;
  • Create spam pages;
  • Delete or replace data with the idea of getting ransom money in exchange for giving it back;
  • Make fraudulent purchases on your website;
  • Launch denial of service attacks.

Malware can infect a website after a successful brute force attack, Cross-Site Scripting (XSS) attack, or SQL injection attack. XSS attacks allow attackers to inject client-side scripts into web pages that other users view. Attackers may exploit cross-site scripting vulnerabilities to circumvent access controls like the same-origin policy.

SQL injection is a web security vulnerability that allows attackers to interfere with an application’s database queries. Attackers can view data that they are generally not able to retrieve. That may include data from other users or anything else the application can access. The attacker can often modify or delete this data, causing persistent changes (damage) to the application’s content or behavior.

Malware can also infect your website via a content management system, theme, or plugin vulnerability. There are many types of malware, including:

  • Spyware
  • Adware
  • Viruses
  • Keyloggers
  • Ransomware
  • Trojans
  • Worms
  • Rootkits

What is the Google Blacklist (aka Blocklist)?

Google is the most popular and influential search engine in the world. As a result, its overarching goal is to provide all users with a secure online experience. Google constantly invests resources to identify and flag all potentially malicious websites and add them to their blacklist. By doing so, the search engine warns anyone who attempts to access an infected website. Google advises users to proceed cautiously and notify the site’s owner of the problem. The fewer users who visit an infected website, the less effective the malware will be.

When a search engine blocks a website, that website is removed from its index. Simply put, it no longer exists in the search engine’s list of websites to crawl. When a website is blocked, it loses nearly 95% of its organic traffic, which can be disastrous for sales and overall revenue.

Common Indicators of a Blacklisted Site

These are a few things that can happen when visiting an infected or blacklisted website or things your host or computer will do to prevent the malware from causing any damage.

  • Your computer’s antivirus blocks a website partially or entirely;
  • Search engine results say, “This site may be hacked”;
  • When you visit the website, you get stopped on the warning page;
  • For the sake of shared server security, your web host can shut down your website, typically after notifying you first;
  • SEO spam links and redirects will start appearing in Search Engine Result Pages (SERP);
  • Unexpected changes to files or the addition of unfamiliar ones;
  • Safe-browsing warning page displays before reaching the site.

Check If Your Site Is Blacklisted

If you want to find out your website’s blacklisting status, you can use the Sucuri SiteCheck scanner. It will check for blacklisting status and visible malware incursions. If you are using WordPress, there is an excellent plugin that can help as well. You can install the free Sucuri WordPress security plugin to automate security scans.

Another WordPress plugin that can help you is Wordfence. It is the most popular WordPress security plugin and comes in both a free and a premium version. Fortunately, the free version should work well for most malware situations.

Once you have installed and activated Wordfence, go to Wordfence → Scan to run a malware scan.

Additionally, if you need help with WordPress, please visit our thorough WordPress tutorial.

Reasons for Sites to Get Blacklisted

Sites get blocked when authorities (Google, Bing, McAfee, SiteAdvisor, etc.) find irregularities they believe to be malware. Malicious software can come in many forms: phishing schemes, trojan horses, email, pharma hacks, or information scraping. In most cases, website owners are unaware they have been hacked.

It is in the search engine’s best interest not to display infected results, mainly because they don’t want their integrity damaged. There are various categories for blacklisting, depending on why the website is blocked. Some websites are blocked for having phishing links, others for having spam, or, more generally, for having malware.

Malware Blacklist Examples

These are some of the warning messages reserved for malware blacklists:

  • Suspicious site;
  • The Site Ahead Contains Malware!
  • This website has been reported as unsafe;
  • The site ahead contains harmful programs;
  • This page is trying to load scripts from unauthenticated sources;
  • Did you mean [website name]?
  • Deceptive site ahead
  • Is this the right site?

Not all of the above messages are from Google. Not all browsers use the Google Safe Browsing API to determine whether or not a website is safe. The warnings are there to alert you that the website has been blacklisted due to getting hacked or having malware. Proceed with caution if you continue to the website.

You can see that message when visiting a malicious website using Google Chrome. The message differs slightly when using different browsers, such as Mozilla Firefox or Microsoft Edge. Still, in general, it says the same.

How to Review Warning Status

Work with Google Search Console to Review Security Warnings

Google must protect all users from potentially harmful websites that appear in their search results. A website repeatedly blocked for malicious behavior is subject to a single monthly review. The red splash page we showed earlier in the post and the warning next to your website in Google’s search results are intended to discourage visitors from entering your website. People are cautious and do not want harm done to their devices, so the warnings typically work.

When discussing Google’s blacklists and security warnings, we must also mention Google Safe Browsing. It is a key page that you should know and use as a website owner. The Google Safe Browsing page is a quick way to determine whether Google is blocking your site for malware or phishing content.

Additionally, Google Search Center will contain more specific information about your website security warnings.

Find Out What Is Blacklisted

You can and should determine the precise reason for Google blocking your website. Firstly, you must add your website to Google Search Console. If you have not done that yet, the Get Google Search Console section of this article describes the process.

Once you are done, click Security Issues on your website’s Google Search Console tool page. The URLs that were detected and identified as malware can be found here. If the URL is a directory (folder), each page in it must be malware-free.

Here are a few examples of URL blacklists:

  • gallery.example.com/pages/page1.html – Only the page1.html file has to be cleaned up;
  • gallery.example.com/pages/ – Everything inside the /pages directory has to be malware-free;
  • gallery.example.com – The entire gallery.example.com website is infected and has to be cleaned up;
  • example.com – The entire domain and all its subdomains have to be cleaned.

Those examples can help you narrow your search to specific site sections.

Determine When and Why the Blacklist Happened

The following task is to determine when Google last discovered the suspicious content (the discovery date). These dates are listed next to the URLs in the Detected Issues section.

If you want Google to be aware of your most recent changes, you must request a malware review through the Google Search Console tool. Because of this, Google will rescan your website within a few days. To do so, go to the Security Issues section and click the Request Review button to submit your site.

Google SERP Malware Warnings

When your website appears in Google search engine result pages (SERPs), warnings indicate whether your site contains spam or redirects. They can also be activated when your compromised website is used to infect visitors with malicious software via drive-by downloads. Although your site may not yet display the red warning page, these warnings may appear in search results. That could mean malicious scripts are being loaded from third-party websites, such as malvertising. Malvertising, or malicious advertising, is the use of malicious advertisements to spread malware and compromise systems.

Most browser blacklists use the Google Safe Browsing API. Visit the Google help pages for more information.

Scan Your Site for Malware

You can scan your site for malicious payloads, malware locations, security issues, and blacklist status with major authorities using the free tool Sucuri SiteCheck. To check your website for hacks and blacklist warnings using Sucuri SiteCheck, do the following:

  • Visit the Sucuri SiteCheck website and enter your website URL;
  • Click Scan Website;
  • If the site is infected, note any payloads and file locations found by SiteCheck;
  • View Website Blacklist Status to see if other authorities block you.

Note

If you have multiple websites on the same server, you should scan all of them for malicious content. Cross-site contamination is one of the leading causes of reinfections. For security reasons, it’s recommended that every website owner isolates their websites on separate hosting accounts.

How to Fix Blacklist Symptoms

There are two main places where malware can reside: a website’s files and its database. Below you will find some advice on how to handle both those cases.

Remove File Infections

Removing files is the easier of the two ways to eliminate malicious content. However, we must warn you that removing a file is not a surefire way of cleaning your website. Sometimes it will work, but other times the infection will be deeply rooted and may require more than the deletion of files. Our services come pre-equipped with malware scanners and cleaners, which can help with the process. Nonetheless, we always advise our customers to contact professionals regarding the security of their websites.

File Replacement

If you use a CMS such as WordPress or Joomla!, you can rebuild the site using fresh, uninfected copies of the core files and plugins directly from the official repositories (or by using Softaculous or the WP Toolkit in cPanel).

Additionally, custom files can be replaced with a recent backup as long as the files in the backup are not infected themselves. Fortunately, FastComet provides daily backups for all clients. 

Malicious Domains and Payloads

If Sucuri SiteCheck or Google Search Console detects malicious domains or payloads, you can begin searching for those files on your server. The discovery date can help you narrow down your search to files that were modified around that time.

To manually remove a malware infection from your website files (NOT database), follow these steps:

  • Log into your server via sFTP or SSH;
  • Create a backup of the site before making changes;
  • Search your files for references to the malicious domains or payloads you noted;
  • Identify recently changed or unfamiliar files;
  • Restore any suspicious files with copies from the official repository or a clean backup;
  • Replicate customizations made to your files;
  • Double-check to verify the website is still operational after your changes.

To avoid detection, hackers frequently change malicious sites. As a result, Google’s Security Issues page may mention malicious or intermediary domains that are no longer visible on your site because new domains have replaced them.

If you can’t find the malicious content, try looking for the domain names listed on the diagnostic page.

Manually removing malicious code from website files can be exceptionally hazardous. Do not perform any actions without a backup. If you are not entirely sure, you should seek assistance from a professional. Do not overwrite your CMS configuration files. On WordPress, this includes the wp-config.php or wp-settings.php files.
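
The search steps above can be run as a read-only pass before anything is changed. The following Python script is an added example, not code from this guide or from SiteCheck: it lists files that mention the domains or payload strings you noted, or that changed within a few days of the discovery date. The `triage` name, the three-day window, and the 5 MB content limit are assumptions.

```python
import os
import stat
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # content search skips larger files (media, archives)


def _day(ts):
    """Format a timestamp as a UTC calendar date."""
    return datetime.fromtimestamp(ts, timezone.utc).date().isoformat()


def triage(webroot, indicators, discovered, window_days=3):
    """Read-only pass over webroot. Returns {relative_path: [reasons]}.

    indicators  domains or payload strings noted from SiteCheck / Security Issues
    discovered  timezone-aware datetime of the discovery date
    """
    needles = [i.lower().encode() for i in indicators if i]
    lo = (discovered - timedelta(days=window_days)).timestamp()
    hi = (discovered + timedelta(days=window_days)).timestamp()
    root = Path(webroot)
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            reasons = []
            try:
                st = path.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                # mtime can be reset with touch; on Linux ctime records the
                # last inode change and is not settable through touch/utime.
                if lo <= st.st_mtime <= hi:
                    reasons.append("mtime " + _day(st.st_mtime))
                if lo <= st.st_ctime <= hi:
                    reasons.append("ctime " + _day(st.st_ctime))
                if needles and st.st_size <= MAX_BYTES:
                    data = path.read_bytes().lower()
                    reasons += ["contains " + n.decode() for n in needles if n in data]
            except OSError:
                reasons = ["unreadable: inspect manually"]
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    # Usage: python3 triage.py /path/to/webroot 2023-05-10 domain1 [domain2 ...]
    when = datetime.fromisoformat(sys.argv[2]).replace(tzinfo=timezone.utc)
    for rel, why in triage(sys.argv[1], sys.argv[3:], when).items():
        print(rel, "|", "; ".join(why))
```

Restoring a backup or changing permissions also updates ctime, so a ctime hit is a reason to compare the file with a clean copy, not proof of infection.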

How to Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies (including FastComet) offer phpMyAdmin.

To manually remove a malware infection from your database tables:

  • Log into your database admin panel;
  • Backup the database before making changes;
  • Search for suspicious content (spammy keywords, links);
  • Open the specific table that contains suspicious content and manually remove it;
  • Test to verify the site is still operational after changes;
  • Remove any database access tools you may have uploaded.

Warning

Manually editing and removing content from a database can also harm your website’s functionality. We strongly suggest you contact a professional to do it for you.

Prevent Reinfection

Hackers almost always leave a way to re-enter your website: backdoors, such as malicious admin users, PHP web shells, and overlooked vulnerabilities. That can lead to your website getting blocked again.

Review User Accounts

Make sure that user accounts are not overlooked. Often stolen passwords are what allow hackers to re-enter your website. If you want to clean up your user accounts, follow these steps:

Warning

These functions are sometimes used by plugins. That’s why you need to test any changes. Most malicious code we see uses some form of encoding to prevent detection. Besides premium components that use encoding to protect their authentication mechanism, it’s rare to see encoding in official CMS files.

Identify Backdoors

Backdoors are often embedded in files with similar names to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.

Backdoors commonly include the following PHP functions:

  • str_rot13;
  • base64;
  • eval;
  • gzuncompress;
  • create_function;
  • exec;
  • assert;
  • system;
  • preg_replace (with /e/);
  • stripslashes;
  • move_uploaded_file;

All backdoors must be removed to clean a website hack successfully. Otherwise, your website will get reinfected quickly and added to the blacklist.
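
One way to look for these indicators, as an added Python example rather than code from this guide or from any scanner it names: it reports PHP files that call the listed functions, rates a file `high` only when a decoding function and a code-executing one occur together, and flags WordPress root file names found in subdirectories. The `scan` name, the rating rule, reading `base64` as `base64_decode`, and the four root-only file names are assumptions.

```python
import os
import re
import sys
from pathlib import Path

# Names from the list above; "base64" is read as base64_decode (assumption).
DECODERS = {"base64_decode", "str_rot13", "gzuncompress"}
EXECUTORS = {"eval", "assert", "create_function", "exec", "system"}
OTHER = {"stripslashes", "move_uploaded_file"}
# The lookbehind skips method calls ($db->exec), static calls (Foo::system)
# and longer names that merely end in a listed one (curl_exec).
CALL = re.compile(
    r"(?<![\w$>:])(" + "|".join(sorted(DECODERS | EXECUTORS | OTHER)) + r")\s*\(",
    re.IGNORECASE,
)
# preg_replace counts only when the pattern's modifiers include "e".
# Bracket-style delimiters such as {...} are not handled.
PREG_E = re.compile(r"""preg_replace\s*\(\s*(["'])(.).*?\2\w*e\w*\1""", re.IGNORECASE)
# WordPress files expected only in the install root (assumed layout).
ROOT_ONLY = {"wp-config.php", "wp-settings.php", "wp-login.php", "wp-load.php"}
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}
MAX_BYTES = 2 * 1024 * 1024


def scan(webroot):
    """Return {relative_path: {"level", "functions", "notes"}} for review."""
    root = Path(webroot)
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                if path.is_symlink() or path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue
            # PHP hidden behind another extension still contains an open tag.
            if path.suffix.lower() not in PHP_EXT and b"<?php" not in data:
                continue
            text = data.decode("latin-1")  # byte-preserving, never raises
            hits = {m.group(1).lower() for m in CALL.finditer(text)}
            if PREG_E.search(text):
                hits.add("preg_replace/e")
            notes = []
            if name.lower() in ROOT_ONLY and "/" in rel:
                notes.append("core file name outside install root")
            executes = bool(hits & EXECUTORS) or "preg_replace/e" in hits
            if executes and hits & DECODERS:
                level = "high"  # encoded input passed to code execution
            elif hits or notes:
                level = "review"  # plugins use these legitimately; check by hand
            else:
                continue
            report[rel] = {"level": level, "functions": sorted(hits), "notes": notes}
    return dict(sorted(report.items()))


if __name__ == "__main__":
    # Usage: python3 scan.py /path/to/webroot
    for rel, info in scan(sys.argv[1]).items():
        print(info["level"], rel, ",".join(info["functions"]), *info["notes"])
```

The scan does not strip comments or strings, so a hit means "open this file and compare it with a clean copy", not "delete it".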

Secure Computing

Do not exclude the possibility that infections can jump from a computer to your site by using CMS or file transfer apps. You need to secure all computers used to access your website — have all users scan their personal devices with an antivirus program to find out if there are any infections.

Here are some antivirus programs we recommend:

Free

Paid:

  • F-Secure
  • BitDefender
  • Kaspersky

Remove Your Website From Blacklists

Once you have fixed everything, it is time to unblock your website and return it to working order!

Get Google Search Console

To remove the blacklist warning, you must let Google know you have completely cleared the infection. You must have a Google Search Console account to do this.

To verify ownership of your website in Google Search Console:

  • You will be directed to a quick guide. Feel free to read it. To continue, click on Go to Search Console;
  • Type in your site’s URL and click Continue;
  • Sign in to your domain name provider;
  • Copy the TXT record below into the DNS configuration for your domain;
  • Click on Verify. If you were successful, you should see the following message. If you do, click on Done.

Other Website Blacklists

Google Safe Browsing is not the only website blacklist. As mentioned, many other authorities use Google’s API to add malicious websites to their blacklists.

Antivirus programs and other search engines also want to warn their users when a website is dangerous. Each has its own console and review process. To remove your site from their blacklists, you must follow some steps to let them know your website is clean.

As a first step, use SiteCheck to scan your website for malware. The results will indicate if some of the top authorities have blacklisted your site. The review process is similar to Google Search Console. For example, the McAfee blacklist has a review submission form, and both Yandex and Bing have webmaster tools for which you should sign up.

Other popular blacklist authorities:

  • McAfee SiteAdvisor
  • Yandex Blacklist
  • Bing Blacklist
  • PhishTank
  • Norton SafeWeb
  • BitDefender
  • Spamhaus
  • ESET

Request a Security Review

If you don’t request a review, Google may decide you haven’t finished your site cleanup. When you order a review, you are telling the search engine that you are ready for them to rescan your site. Google limits repeat blacklist offenders to a single review request every 30 days. Remember that you should not try to trick Google — this may lead to not passing the review process. Ensure that your site is clean before you proceed with the review. To request a security issue review from Google, do the following:

  • Navigate to the Security and Manual Actions tab in the Search Console;
  • Go to Security Issues and review the issues to confirm all have been cleaned.

For further guidance on how to use the Google Search Console, visit the official source.

The process will be similar for other blacklists like McAfee, Bing, Yandex, and Norton.

Protect Your Brand

After you have submitted the blacklist removal request, it may take a few days for Google to review your website and have it reindexed.

If the title and description of your pages were infected with spam, it may take some time for your search results to clear up. The reason for that is Google doesn’t crawl websites every day.

Fortunately, in the Search Console, you can ask Google to refresh certain pages and the links on those pages.

To make Google recrawl your site:

  • Use the Inspect any URL search box at the top of the Search Console to search your URL;
  • Click the Request Indexing button to the right.

That will ensure Google can view your website without errors and resubmit it for indexing if successful. If the search console encounters any errors, you must review them and ensure your website is accessible to the Google bot.

Upon success, you should receive this message: “URL was added to a priority crawl queue. Submitting a page multiple times will not change its queue position or priority.”

That will instruct Google to crawl your homepage and any links on it. If any other pages show in Google search results with spam in the title and description, you can also crawl those pages separately.

Note

Google Search Console allows you to crawl 500 single URLs, and only 10 with direct links, per month. These ten are best used to crawl pages with many internal links, such as a public sitemap or your homepage.

Remove Spam URLs

If spam pages were removed from your site, Google might have already indexed them. When removed from your site, the spam pages can create 404 (Not Found) errors. You can use the URL Removal Tool to tell Google these spam pages should be removed from their index.

To remove spam URLs causing 404 errors:

  • Navigate to the Index tab in the Search Console;
  • Click the Removals section;
  • Click the New Request button;
  • Enter the URLs of spam pages that have been removed;
  • Click Continue.

Warning

This tool removes pages from Google searches. This option helps after you remove spam pages so that Google knows they are not part of your site.

How to Prevent Future Hacks & Blacklists

Focus on Website Protection

Consider taking additional steps to harden and protect your website to prevent future blacklisting. Those include applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.

The number of exploited vulnerabilities grows daily. Trying to keep up with that can be a daunting task. Website Firewalls were invented to provide a perimeter defense system surrounding your website. 

Benefits of using a website firewall:

  • Prevent a Future Hack: A website firewall stops infections from reaching your website by detecting and blocking known hacking methods and behaviors;
  • Virtual Security Updates: Hackers tend to exploit vulnerabilities in plugins and themes, and unknown ones are constantly emerging. A good website firewall will patch the holes in your website software even when you haven’t applied security updates;
  • Block Brute Force Attacks: A website firewall should stop anyone from accessing your admin or login page if they are not supposed to be there. That way, brute force automation will fail at guessing your password;
  • Mitigate DDoS Attacks: Distributed Denial of Service attacks attempt to overload your server or application’s resources. By preventing DDoS attacks, a website firewall makes sure your site is available even if you are being attacked with a high volume of fake visits;
  • Performance Optimization: Most WAFs will offer caching for faster global page speed. That keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

With FastComet, you also get Imunify360 and other powerful extras

Additionally, if you use WordPress, you should always use the latest version of WordPress.

Summary

If your website is ever blacklisted, then your traffic will drop dramatically. It can also cause irreparable damage to your reputation, as Google actively warns visitors to stay away from your website.

Fortunately, there are ways to monitor Google’s blacklist. All we have shared in this guide should help you remove your website from it as quickly as possible.
