Understand and Fix Google Blacklist Warnings.

Alycia Mitchell - Digital Marketing Manager

If your website has been blacklisted by Google, you can instantly lose 95% of your traffic.

Join Sucuri Digital Marketing Manager, Alycia Mitchell, as she provides a step by step guide to fixing Google blacklist warnings. This webinar will give you the knowledge to act fast and get rid of those big red warnings on your website.

Victoria • Canadqa • Home of Sucuri's
Alycia - Digital Marketing Manager

Alycia Mitchell


Alycia is the Digital Marketing Manager at Sucuri. She's passionate about teaching cyber security best practices and fond of open-source, analytics, and malware. A nature and wilderness lover, she has deduced that they are strangely enough a lot like the internet.

Questions & Answers

Question #1: Can you clarify the repeat offenders limit with blacklisting?

Answer: If Google knows you are a malicious site, and you go back to doing malicious things after the blacklist is lifted, they may limit the number of review requests to once every 30 days.

Question #2: When I type in Google site:mysite.com, I have many results that are the hack content and not only my actual content, how can I have them easily removed from Google?

Answer: You can use the URL Removal Tool in Google Search Console. Be careful though, this removes pages from the Google index! If there are too many spam URLs you can use a robots.txt directive – read Cesar’s article for more specific steps.

Question #3: My site was blacklisted and then it was cleaned up. However the domain is blocked on many servers. What can I do to fix that?

Answer:You can check if you are on other blacklists for free at Sucuri SiteCheck and VirusTotal. Keep in mind there is a waiting period after submitting a review with each individual organization.

Question #4:The blacklist is on page level, not on site level right?

Answer:It depends on the hack. Google Search Console should show which particular files are affected (if it the URL ends in .php or .html), directories (if it ends in with a slash), or subdomains.


Alycia Mitchell

Thanks very much, Val, for that introduction and thanks everyone for joining today. I come from Victoria, BC, which is on a small island on the west coast of Canada. We are a globally distributed company and Sucuri so all of us work from home. If any of you remember my webinar last time on Removing Spam from Google Analytics, you might remember my black lab, Moonshine, I like to show off my animals. I've actually gained two more in my animal family here and you guys keep me company and keep me sane when I'm home all day working. They're actually here right now and they might make an appearance at some point. It's also a good idea to start slides with cute animal photos. Now, we can just jump right in to the content.

First of all, we're going to talk over a few different sections here. For anybody unfamiliar with the Google blacklist, we're going to talk about what it is, what it looks like, what some of the different warning messages are, and why they happen. Then, we're going to talk about why your site's blacklisted. If you wake up to that red warning one day, what is the steps you're going to take to find out how your website was hacked, what it's hacked with and what you're going to need to know to clean it up, which we'll talk about in the last section, including how to request a review from Google to get that warning taken down.

For anybody not familiar with the Google blacklist, you might have recognized the page, a big red warning if you ever click a link in Google search and it takes you to a website that they suspect is hacked or is malicious, it's going to warn you first. That big red page there, you can see there's a button at the bottom, back to safety, which most people click. I know I do. Very few people actually click the details link to find out more or to proceed to the site if it's been flagged and blacklisted in this way.

We actually put a little poll on Twitter before the webinar to find out what people thought about how much traffic is actually lost if your website's blacklisted. About 50% of people got it right, 95% of your traffic will not proceed if they get one of those red warning pages. I mean, it is pretty stark, the giant red warning telling you it's dangerous so you really don't want to proceed so it can be huge, especially if you're running a website where you make sales and you're losing customers and losing any business. Obviously, huge amount of traffic. Only about 5% of people, perhaps even less, proceed through to the website once it's been blacklisted.

Here's another version. This is what it looks like in Firefox if your website's been blacklisted. They do have their own blacklist and there are lots of blacklisting authorities out there aside from Google. A lot of them do use the Google Safe Browsing API as part of their list. Google logo actually is the largest one and they blacklist about 10,000 websites every single day so that's 10,000 website owners waking up every morning and finding that their site has this warning, and then having to deal with it.

There are other ones as well. For example, Safari has their own list and this is what it looks like. Most website owners, like I said, don't actually find out their website's been hacked until Google blacklists it or maybe a customer mentions the blacklist to them. What you can do, though, to make sure that you get the jump on Google, if your website is ever hacked, is to have some kind of monitoring and alerting system checking your core file integrity, checking to make sure that any changes to your system are authorized. We do offer something like that here at Sucuri, we offer both service side and remote scanning for a whole picture. We do have alerting and a specific blacklist alerting system as well that checks the top ten and lets you know as soon as we detect that it's been blacklisted and, of course, before that if we detect a hack.

There's two major kinds of blacklists, at least how I see them. There's website malware warnings where Google's detecting that there is a malicious trafficking sent to your site from a hacked site. That could be because your site's now hosting hacked content that the attackers are sending to your site, basically abusing your server resources or if your website's actually redirecting to other malicious websites, if it has drive-by downloads, web spam or any other indicators compromise that Google found when it's been scanning through the internet, looking at websites to find out if there's any security issues.

The reason that Google does this is because it wants to protect its users. If Google users are using search, clicking links in Google Search, and then going to a website where their computers are getting hacked or personal information is getting stolen, people might start to think that Google's not the best search engine to use. Google definitely doesn't want its users to be infected with viruses, and rootkits, and ransomware, and that kind of thing. It has a vested interest in making sure. It's the same with many other blacklisting authorities.

There's also deceptive content warnings, which is different from actually website malware and redirects and that kind of thing. These usually refer to phishing and if you're not familiar with phishing, what it means is anytime that an attacker sets up a fake page in order to trick you into entering bank details, passwords, credentials, credit card information, that's known as phishing and it's basically forging pages. It could host those pages on your site, they could also be infecting ad networks. We see this with malvertising where, if you have AdSense ads on your site and you have some of those partner networks activated, sometimes those can funnel bad traffic through your site.

We write about this on the blog actually quite a bit. There's new ones as well for potentially unwanted downloads, so software that's kind of graywear or scammy and that kind of thing, they started to warn about that as well. Basically, anything that's trying to fake that it's something it's not, will be flagged as deceptive content here.

Here's a couple of those. This is, again in Safari, what it looks like. We've got one here for Chrome and this is one for Firefox for that unwanted software I mentioned and the new one here for Chrome as well. There's another one, actually, that's not technically, I guess, a blacklist, but it does appear in Google Search and these are warnings next to your search engine results. These can appear in conjunction with the blacklist, but sometimes you can actually see these before you get blacklisted. It could be, in the case of malicious script in iFrame that have been injected into your site. We'll see these warnings for the same kind of stuff


SEO spam and pharma spam, which is a big deal, especially for ... Pardon me ... A good deal, especially for pharmaceutical advertising. It's very difficult to advertise pharmaceutical sites so hackers will inject spam keywords links into hacked sites in order to try and link their pharmaceutical sites, which is why you might end up with a website with tons of pages that have Viagra references and that kind of stuff. It's no good, so if you see these in a search when you're looking at your site, you definitely want to check and see if there's any of these other security notifications in the Google Transparency page and Google Search Console, which I'll be showing you in a minute.

There are a lot of different blacklist messages and they do change over time depending on the authority and the browser and such, that you're using. Here's just a list of the most popular ones that we see. Like I said, a lot of them refer to dangerous malware on the site. Some are for deceptive warnings, some have been reported as unsafe and that there's also those ones for unwanted software, potentially unwanted programs as well.

As I mentioned before, there's other blacklisting authorities out there. In fact, our teams are going to find over 100 that we can remove from. Most of these are antivirus companies and search engines, as well as, browsers, again, wanting to protect their customers, their users. We actually detect the top 10 blacklists so if you use SiteCheck or if you use our monitoring services, we have the top 10 there. The little screenshot you're seeing on the bottom is actually from our quarterly hacked trend report. This is something we've been putting out over the last year and this screenshot is from our most recent one that shows the percentage of sites that were blacklisted by particular these top three here.

This is, again, out of the sites that were actually blacklisted, which is what 15% of the sites that we cleaned up. The numbers here will never be 100% because, honestly, if you can get blacklisted by one of them, chances are the rest of them will follow because, again, they do share information, API's and that kind of thing. If you've been blacklisted by Google, chances are, you're also blacklisted by a couple others as well. It's [less 00:15:39] important to check and see if you're just seeing the warning page from Google, there may be other systems as well that have flagged your site that you want to get off those lists, too.

Now that we know a little bit about how blacklisting works, and how the blacklisting authorities, why they do it and what kind of warnings you're going to see. Let's talk about why your site's blacklisted. The first place that you want to go is the Google Transparency Report. Now, if you're one of the people who click the details link, you will be taken to that right away for your site. You can also just go to Google.com/transparencyreport/safebrowsing, and from there, click on site status, and put in your website URL. You guys can do this at any time and from there, click the magnifying glass icon, and review the site safety details and testing details.

This is what the page looks like so it will let you know if it's dangerous, partially dangerous, or not dangerous. Then, there'll be the site safety details and testing details at the bottom there. What those are is some more clues to help you along the path of cleaning up your site. They could reference dangerous URL's and intermediary domains that are being used or injected on your site, so things that you might want to look for in your source code or searching through your files.

It will let you know if there's any specific redirect behavior and whether people are being sent to your site or whether being sent to another site from your site, any hosted malware, or unwanted apps and that kind of thing. The testing details is a little bit of information about the timeframe of the hack. Now, this is going to be, first of all, the scan date, which is the most recent time that Google scanned your site and found malware, and the discovery date, which is the first time that it found malware. It doesn't necessarily correspond to when your site was hacked because often sites can be hacked for a while before Google detects it, but it does give you some kind of timeframe about how long it's been if you're not checking your site all the time and this is not a new issue.

You can also scan your site with external scanners, so we have a free one, Sucuri SiteCheck, which you can use at SiteCheck.sucuri.net. Enter your website URL and scan with it. Then, if we detect any payloads or malware locations, they'll show there below and you can also check the blacklist status pad at the top and find out if any of those 10 blacklist authorities have you listed at a potentially dangerous site. Then, that way you'll know which ones you need to get cleaned up.

Just a quick note about external scanners versus server side scanners. A remote scanner actually just browses your site as if it's a visitor, which is great because it can spoof different user agents, such as like mobile devices, people coming from different locations, because sometimes malware's conditional and only shows if you're coming from a search engine, or it can only show if you're coming from a mobile device. Just checking your site yourself from a desktop browser, might not actually work. The problem with remote scanners it doesn't have server access and some issues don't present themselves in a browser, so mostly phishing, backdoors, script, that kind of stuff you're going to need a server side scanner and you're going to need to do some manual investigation in order to find out where that stuff is coming from, but they can be super helpful still remote scanners, in getting you some information. There's a couple more here that I listed on the left side and there's tons of other ones, depending on your content management systems, that you can look into.

In addition to the Google transparency report, sign up for your free Webmaster Tools. If you're not verified in Google Webmaster Tools, Bing Webmaster Tools, Yandex, Norton Safe Web, make sure you sign up for those. They're all free to use and, not only do they provide you with security alerts and information about your site, a lot of them, especially those top three, can give you some information about how your site appears in search and any issues there with crawling your site and stuff like that. Very important stuff. Definitely highly recommend it and you're going to need the first one, Google Webmasters, in order to even submit a review request.

In order to sign up for Google Search Console, all you have to do is go to Google.com/Webmasters, click search console and then add and verify your site. This is super easy to do if you already have Google Analytic because you can just sign in with the same Google account and then verify your site that way. There's also a couple other methods, like uploading an HTML file for the root of your site. From there, you want to check the messages and the security issues sections for any details, any messages about your site and there might be some more information about malware locations or files that were flagged by Google, folders or subdomains that might be where you need to focus your attention.

Another thing you can do that's really effective, is to check recently modified files on your server so you can do this using SFTP or an SSH terminal. If it's an SSH, we have a handy little command there that will just list any files modified in the last 15 days. If you need to look longer than 15 days, you can change that last number at the end from a 15 to 30 if you want 30 days. If you're using SFTP, like in an FTP client, you can just review the last modified date, which is a column in the FTP client there and look at all files on your server. Just note anything that has been recently modified, but that it's suspicious or that you're not familiar with. Talk to your web team, and then note those because you're going to need to look into those files later and either remove the injections or replace them, in order to remove the hack.

There's another really good one, too. I'll let you guys know where you can find all these instructions later as well to compare core files. If you are comfortable in a terminal window, you can just log in to your server and making your directory, in this case we called it clean. Go into that directory and then from there, find the official CMS version, usually on GitHub, for whatever you're using. If you're using a specific version of WordPress or Joomla, you want to make sure that you're comparing your server files with the same version of a fresh copy so basically this command here will let you download it. Anything in green here, you're going to want to change. You're going to want to extract that compressed file of the official server files and then that last command, number five there, is a diff [recursive 00:21:20] to compare your clean file that you just downloaded with your public HTML or [WW var 00:21:25], wherever you have your core CMS files located.

The really quick and dirty way is to just get huge lists of all the differences between the core files and yours and for certain sites, you want to be aware that if you download an unpatched version of Magento and it's noticing the differences because your site is patched, that kind of stuff, but it will give you some indication of what the differences are, and there's other ways to do this as well. You can get tools if you're doing it via SFTP, but this is a nice, fast way to do it.

Once you have some information on the domains that are being used for redirects or the locations of malware or any recently modified files you want to go through and actually fix your site, depending on how severe the hack is, this could be a really simple process, like replacing a few files, or it could be you need to completely rebuild your site. One thing I want to recommend to everybody is to check out our new guide at Sucuri.net/guides. We have two already for ... One for WordPress and one for Joomla, specifically, how to clean those sites. We also have one that corresponds with this webinar so how to remove the Google blacklist and there's some instructions there as well, specific to any platform. I definitely recommend that you go through there because the instructions, especially for cleaning your database, for removing backdoors, and cleaning files up, those are going to be a lot more thorough in the guide, but I'm going to give you a little overview of what you'll find in the guides here.

Number one, back up first. Even though your site is hacked, you want to make sure that you have copies of everything the way it is, just in case you need to restore it and then get a professional to clean it up. Also, if you have an e-commerce site, if you take payments on your site, if there's a potential that somebody was infected and had their credit card stolen or if you had a credit card swiper on your site and that caused somebody's identity to be stolen, there could be legal implications so you might actually have evidence here on your server. That's why you want to back up your server files, your database, any customized files, especially your database configuration file, any files that you've modified, and then log files, of course, to go back if you need to look at what happened and do some forensic analysis.

Again, if anything in this next section is uncomfortable, I highly recommend you get a professional. We do have a malware removal service, which comes with protection and detection for the whole year. Our team is really fast and making the cleanups happen and requesting your reviews with Google.

First thing you want to do before you can request a review, is you need to completely remove the hacked website content. Google isn't going to allow you to submit multiple reviews if you're continually just submitting a hacked website for review. You want to make sure that it's totally clean first so number one, don't overwrite in database configuration files or custom files. At least make sure you have them backed up. Restore using fresh copies of your CMS files and extensions using the exact same version. This is a really handy way to do it and, again, instead of just overwriting files or overwriting a folder, you want to actually delete it because if there are any added files, simply overwriting them isn't going to take care of them.

You want to be careful what you overwrite. For example, in WordPress, you want to be careful with WP content folder. You have some uploads there, you have plugins and stuff like that. You maybe want to rebuild those plugins as well. The best way to do it is to delete first and rebuild if you can do that, but take care that you look for your particular platform, what things you might not want to overwrite, or if you can isolate those specific parts that you need to fix. Do that.

You can also restore from a backup, but you want to make sure that that backup is clean, too. We see, unfortunately, a lot of people storing their backups on the same server as their site in a [dot 00:24:56] old folder or something like that and it's a really bad practice because how often do you patch your backups? The backups are publicly accessible, a hacker can find them, and that might actually be how your site got hacked in the first place is through those old backups on your server. Find a secure location for your backup and we'll talk about that a little more later. If you do restore from the backup, keep in mind that that backup is still vulnerable and you need to make sure that it's secure so you don't get reinfected.

You also want to remove the hacked content from your database so you can log in with PHP Admin or download a tool, like Adminer, and put that on your file system so you can get into your database and search for any spam. You also want to search everything for backdoors as well. Again, I would want to refer you to the guide so that you can find ... It's a list of common PHP functions that are used maliciously. Those functions also are used legitimately by some plugins, so you just want to make sure that you consult a professional if you need additional help, but those guides are made so that you can do it yourself if you're comfortable.

Also, in addition to backing up, you want to test everything so if you make a change trying to clean something up, test as often as possible when making changes so you know what actually broke your site, if that does happen. That is a danger any time that you do clean up your site, which is why, again, we recommend that you get professionals to help with this step. Just to make sure that it's 100% and that your site doesn't go down and you have more headaches than you went in with.

Once your site is verified clean, before you request a review, I actually recommend that you make sure that it's always secure so that you don't get reinfected right away. Update all of your website software, so obviously, CMS version is super important. Plugins and themes as well, but also server software, such as cPanel and Apache. You may want to chat with your host about whether they have newer versions of that for you that are more secure.

As well, confirm all user accounts. We've seen more and more that, in addition to backdoors injected into files on your site, we also see that they're creating malicious admin users so make sure that you verify all user accounts on your CMS, and not only that, but your FTP, SFTP, SSH, PHP admin panel, cPanel and your database configuration password. Update all of that stuff because it's been compromised now and it's possible that those could be used to get back into your site and reinfect it. You also want to make sure that all users update their passwords.

In addition, any users that are logging in to your backend, or using your FTP, you want to make sure that they scan their computer for viruses. Website malware has been known to come from computer malware so if somebody's using a text editor in the backend of WordPress, or using an FTP client, malware can jump from a system into your website so definitely want to make sure that that wasn't the point of entry either.

Once you're fairly certain that your site is completely clean, then you can go ahead and request that review with Google. In a previous slide, I mentioned how to sign up for Google Search Console, so now that you're validated, you can go in, go to the Security Issues tab, and review the issues that are listed there. Once you can confirm that all of those have been dealt with, you can click the box at the bottom that says, "I have fixed these issues," and click the button and request a review. There will be a little box that pops up here, a little text box where you can put in some information and I recommend putting in as much detail as possible about what was cleaned and what steps you took to make sure the infection is gone. Then, from there, it will send the review to Google.

There's also manual actions as well under Search Appearance, so you can go there and see if anything has been flagged by Google because of spam. These ones do take a bit longer to review, but it's the same process, you review the issues and then click the button and request your review. Let them know what was cleaned. Once you've checked both these sections and you've requested the review, there's just a waiting period. Most often, it takes a day or two for the Google blacklist, depending on how busy they are and what's going on in the space. Some of these can take up to two weeks, especially for manual actions where they need manual review. Those are usually, again, related to spam.

Google is also now limiting repeat offenders, so this just happened in the last year. Definitely don't try to trick Google. We've heard of some people who have actually deleted everything on their server and tried to submit an empty site for review in order to bypass the automatic algorithm that checks the site. That won't work and it will just anger them, so don't do that. Make sure your site's absolutely clean and for repeat offenders, they're actually ... This is for people who are actually mostly hosting really bad sites or getting reinfected quite a bit, they're going to limit you to one submission every 30 days, which is terrifying because that means your site is blacklisted for 30 days. That wouldn't be a good thing, so do make sure that you take care to remove all the malware and that you're 100% sure that it is cleaned up.

Note that when you have a plan with Sucuri, we do submit all the blacklist reviews on your behalf from our own account. We have our Google accounts, and we submit and verify tons of sites with Google and then remove it. They're familiar with us and we do see them lifted within about 10 hours when we submit blacklist reviews. Again, depending on their workload and that sort of thing.

Now that you know how to remove everything and how to submit a review, the real question everybody has, our little bonus slide here, is how to prevent this from happening in the first place. The first and best thing you can do is not only keep your website up to date, but harden your website using official best practices. Look at the security docs for your CMS, find out what the file folder permissions should be and make sure you make those changes. Set some custom htaccess files to limit PHP execution or limit uploads and that kind of thing and check the security configurations. Make sure you have some plugins and some tools that are doing some monitoring and alerting for you. Make sure to set those configurations as well. We recommend things like two factor authentication, firewalls, all that stuff is stuff you should be looking into for tools to secure your website and to make sure that you look at those configurations.

For example, with the Sucuri dashboard, it is just plug and play. You can just set it and forget it, but if you go in there and actually look at the security configurations. If you're a local website running a shop in your own town and you don't really need traffic from people in other countries, you can limit and make sure that people from other countries can't even access your website, which is huge because that's where the majority of hacks come from is a lot of countries outside of the US and that kind of thing.

You also want to make sure that you're using strong passwords so long, complex, unique passwords for every single account and you limit those permissions for your users. There's no reason for you to have a ton of admin users and if you're giving admin access to somebody, give it to them only as long as they need it. This is called the principle of least privileged and it's a really great way to make sure that your users aren't the weakest link.

Stay aware of security news. If you have a specific CMS, there's usually a lot of mailing lists and things up there that you can stay on top of any new extensions that have vulnerabilities in them or any security issues that you need to be aware of. We do have an email list at blog.sucuri.net and we post regularly on major security issues so that's definitely one place to start. Then, if you can, use a file integrity monitoring service. Like I've mentioned before, this basically takes long, good look at your website. Now that it's clean, we take a little picture of it and then any changes that are made, any new posts, any new users, any files that are upload or injected, you're going to see those in the log there and know usually where the hack occurred and you'll be able to fix it, and clean it up, and patch it before Google finds out.

One thing that is really helpful, too, if you can, because I know it can be hard for certain platforms to stay up to date, and be hard to know what's changing in the space if there's is website firewalls as well and we'll talk about those in a minute.

Shared server access is actually something that I had a question about from one of the people who registered for the webinar and who's hoping that I would address it because there's some confusion about why this can be a problem. There's actually no issue with having multiple website on the same server, the issue is when one FTP account can access all of them so what you can do is limit it so that every single website has its own FTP account. You can ask your host about how they isolate websites on your server. If you, yourself, have one FTP account that allows you to access multiple websites, you might want to think about tightening that up a little bit. Slightly less convenient if you can't edit them all [on 00:33:08] the same time, but if you take that extra step by logging in, then you won't have to deal with having multiple websites all hacked because they've crossed contaminated. It's really easy for one weak site to cause the rest of the sites to get hacked.

If you can, if you have the resources, we recommend that every website owner consider a virtual private server as well, which not only isolates your server account, it isolates your operating system for your server by creating little virtual operating system in a corner of the server so that's even more isolation, which is another great principle of website security.

Website firewalls, in addition to preventing hacks, like I mentioned with patching a website if you're on an old version of Joomla or an unpatched version of Magento, it would be really difficult to stay on top of that, especially when sometimes a patch will be released, and within seven hours, all the sites that use that particular item are hacked. Once a firewall surrounds your site and basically patches it for you, it blocks fresh attacks by limiting people from accessing your admin panel.

In our case, with the Sucuri firewall, we use IP whitelisting so only people on your network or any IP's that you've whitelisted are able to access your backend. You can also mitigate DDOS attacks that are trying to take down your site and for anybody who's interested in website traffic, which I'm assuming most of you are because you're interested in preventing blacklisting, performance optimization is huge so most website firewalls, including ours, has a content delivery network that allows you to deliver your website faster to places around the world.

You can learn more about our website firewall at Sucuri.net. We also give everybody a free HTTPS certificate, an SSL certificate with our website firewall plan, which is another ranking factor for SCO, in addition to website speed. Not only are website firewalls good for security, they're actually good for your traffic and for your users as well, to keep them protected using encrypted HTTPS and also, to speed up your site.

Questions & Answers

Question #1: Can you clarify the repeat offenders limit with blacklisting?

Answer: If Google knows you are a malicious site, and you go back to doing malicious things after the blacklist is lifted, they may limit the number of review requests to once every 30 days.

Question #2: Hello, when I type in Google site:mysite.com, I have many results that are the hack content and not only my actual content, how can I have them easily removed from Google?

Answer: You can use the URL Removal Tool in Google Search Console. Be careful though, this removes pages from the Google index! If there are too many spam URLs you can use a robots.txt directive – read Cesar’s article for more specific steps.

Question #3: My site was blacklisted and then it was cleaned up. However the domain is blocked on many servers. What can I do to fix that?

Answer: You can check if you are on other blacklists for free at Sucuri SiteCheck and VirusTotal. Keep in mind there is a waiting period after submitting a review with each individual organization

Question #4: Tell us more about the free SSL with Firewall- how much is Firewall service?

Answer: We offer free LetsEncrypt certificates or we can generate a Comodo SSL cert for you, depending on your plan. We can also work with existing SSL certs if you already have one. You can find out more at sucuri.net and by chatting with our team.

Question #5: What is the best way to deal with black listing on third pary sites such as sitecheck. sucuri, mxtoolbox.com, virustotal. I have been blacklisted by them before. It was very frustrating. My site was cleaned. All of the lists spent more time trying to sell me products, rather than remove the site from their lists.

Answer:Once you submit the review request it can take time for the warning to be lifted. This depends on the number of sites in queue for review and the specific blacklisting authority. As far as MXToolbox, they are an email blacklist service and you would have to speak with your email service provider and look into using a new dedicated IP.

Question #6: What is the best way to deal with black listing on third pary sites such as sitecheck. sucuri, mxtoolbox.com, virustotal. I have been blacklisted by them before. It was very frustrating. My site was cleaned. All of the lists spent more time trying to sell me products, rather than remove the site from their lists.

Answer:There is usually no issue unless they conflict by blocking or logging each other. Read our CEO’s article on choosing WordPress security plugins to understand how to approach them, it will give you a great overview of the ecosystem. As a rule you should reduce the number of plugins on your site, each new plugin introduces more risks and potential for vulnerabilities.

Question #7: Do you have a WordPress plugin?

Answer:Yes we have a free auditing and scanning plugin. It will alert you if SiteCheck detects any malware or blacklisting and offers post-hack logs and recommendations.

Question #8: The blacklist is on page level, not on site level right?

Answer:It depends on the hack. Google Search Console should show which particular files are affected (if it the URL ends in .php or .html), directories (if it ends in with a slash), or subdomains.

Question #9: You mentioned that https is offered when a Sucuri plan is purchased... is this the Green bar Https and how is it implemented?

Answer:Yes, when you have an SSL certificate your site uses the secure HTTPS protocol and shows the lock icon in the browser address bar. The implementation steps vary depending on the cert and our firewall team can help you with that.

Question #10: Is there a detailed report that identifies geo location of attacks shown within Website Firewall Blocked threats in order to determine Country black listing?

Answer:No, our firewall block page lets you know if you were blocked due to geo-location, but you would need to contact the website owner to ask them to unblock your country.

Question #11: How can I stop weird sites pointing back to mine that have malware on them? Does this affect my rankings/black list chances?

Answer:If you have low quality or spam sites linking to you, Google may penalize your site because it thinks you bought links. If dangerous sites are redirecting to yours (not linking) then it may indicate your site has been compromised and is hosting malware for the attacker.

You can use the URL Removal Tool in Google Search Console. Be careful though, this removes pages from the Google index! If there are too many spam URLs you can use a robots.txt directive – read Cesar’s article for more specific steps.

Question #12: If I pay for the Sucuri services do I need to do anything regarding blacklisting or does the service clean it up for me?

Answer: Yes, our complete security offerings include unlimited malware removal requests throughout your subscription, and we take care of any and all website blacklist removal requests for you.

Question #13:I’ve been using the Sucuri plugin for a couple of years now after being the subject of a hack and have been very happy with the service. I was unaware of the included ssl certificate so was wondering if you could give a little more detail about that.

Answer: The SSL certificate doesn’t come with the free plugin, but if you have a plan with us then I recommend chatting with our firewall team to get it implemented on your site.

Question #14: The blacklist is on page level, not on site level right?

Answer: Yes Google is the top blacklisting authority by far. Google does not blacklist by IP, but by domain. Google Search Console will give you a clue as to where it found the malware on your site.

Question #15: So is Google the most discriminating search engine for website? I.e. to the page level. My site was blacklisted at the IP Address level by another Service as was all the website sharing that IP addresss.

Answer: There is usually no issue unless they conflict by blocking or logging each other. Read our CEO’s article on choosing WordPress security plugins to understand how to approach them, it will give you a great overview of the ecosystem. As a rule you should reduce the number of plugins on your site, each new plugin introduces more risks and potential for vulnerabilities.

Question #16: Does Google blacklist the domain only or the IP at which the domain is hosted?

Answer:The domain only

Question #17: I would like to choose a forms plugin for my WordPress site but the one I was going to choose features in your regular security reports. So I started searching for alternative form creation plugins. What security considerations should I make when choosing a plugin for my site (apart from the obvious like number of downloads and recency of updates)? Thank you and keep up the awesome job!

Answer: Just because a plugin has a vulnerability at some point does not mean that the plugin is bad. All software is potentially vulnerable. How the plugin developer reacts to a security bug is what really counts. The best software is actively developed and maintained by people who care about answering support tickets and keeping users safe.

Question #18: Is there a difference between hacks that effect site FILES and hacks that effect the DATABASE (as well as site files) - [WordPress specifically]

Answer: They can be quite similar when it comes to the types of malicious code being injected, but in my opinion cleaning up a database is can be much more time consuming, especially for SEO spam infections.

Question #19: : We have a list of domain names that are newly registered and have nothing hosted on the website. The domains are pointing to the default name servers from the Registrar and still we find our domain names blacklisted by Google safe browsing. Why has this occurred? Is it that Google has a listed of blacklisted registrar or is it the pattern of bulk registrations or the name servers or anything apart from this? Thank you!

Answer: I don’t believe Google blacklists registrars. You can check Google Search Console to see if they have listed the reason why, but if you are on a shared server I would recommend checking to be sure your sites are indeed empty.

Question #20: My website does not appear to be blacklisted (no red page) but Google is sending all email from our domain’s email addresses to Gmail addresses Junk Mail. We believe this is because a previous site on the server we are on was spamming. We have NEVER done so. Our email list is opt-in only and we only send 2-3 emails per month all directed toward our nonprofit’s educational mission. Is there a separate list they keep for this that we would need to figure out how to get removed from?

Answer: You may be right. Email blacklists are very different from website blacklists. You can speak with your email service provider and look into using a dedicated IP for your email list.

Question #21: So, you may drop in Google SEO rank for duplicate content on multiple sites, but you won’t be black listed?

Answer: Duplicate content used to be penalized and I believe it’s still not good when it comes to ranking. You want original, highly valuable content to rank well. Duplicate content won’t get you blacklisted – unless of course it’s malicious content.

Question #22: A Customer recenty had Google adwords account suspended due to site hack but site never went offline. is there a different adwords removal process?

Answer: We have written about AdSense being abused due to issues with partner networks (showing ads on your site), but if your AdWords account (used to bid for keywords) has been suspended then you likely got an email with some reason why. You can Google to find out why.

Question #23: Where do I find in your control panel to remove countries from site?

Answer: If you are logged in and using the new dashboard – go you’re your firewall settings for the site in question and you’ll find it under Access Control > Geo Blocking.

Question #24: Have you seen Google incorrectly blacklist a site? I have couple sites incorrectly blacklisted because of using Amazon shopping ads. Once removed the Amazon ads Google lifted the blacklist.

Answer: Unfortunately, false positives can happen in any security scan.

Question #25: Does Sucuri back up our websites? And keep it.

Answer: Yes we offer a website backup service for existing clients only, for $5 a month.

Question #26: Does blocking Google from accessing the site via robots files after the site is flagged will remove the flag after some days as Google is not able to access it or it will be still there?

Answer: Don’t try to trick Google. You could get slapped as a repeat offender and be stuck with the blacklist for 30 days.

If you block Googlebot, your site won’t be crawled and indexed in search results.

Question #27: Do you recommend hosting companies that are thinking of these security issues? What are the top hosting companies for security?

Answer: : I’m not an authority on this by any means, but I personally use Siteground. Talk to your host about their security configurations, isolation of accounts, and the steps they might take if your site is hacked (including if they suspend your site).

Question #28: How is Sucuri helping for performance of a website?

Answer: Our Firewall offers caching and content delivery from our points of presence around the world. Our SOC built our own proprietary data centers with hand-picked hardware. Some, including WPBeginner and iThemes, report over 400% increase in performance with our firewall. It also lessens the load on your origin server.

Question #29: What about security on websites that really can’t be updated? What plugins for security as well? Joomla and Wordpress. For example if you are stuck with 2.5 Joomla what would you suggest using?

Answer: Our firewall includes virtual patching, effectively plugging the holes so visitors can’t exploit them. It’s one of my favorite features because it is also effective against zero-day vulnerabilities, which do not have a patch yet!

Question #30: Does your service work along with Cloud Flare?

Answer: You bet, we even have a support article that describes how to implement it properly with your DNS settings.

Question #31: Are there any instances when you might want to bypass a cloud based firewall rather than preventing bypass using HTACCESS on the origin server?

Answer: Yes, there are instances when you might want to bypass but that’s usually reserved for your development team. While we don’t advise it, some development teams work right from the production environment. In these instances they might be making changes real time, bypassing the Firewall might be the best option to avoid any potential blocks that might impede their work. That being said, there shouldn’t be a case like this for the everyday website users.

Question #32: If someone hacked the site, then I checked index page removed from server, so what is the solution to take backup of that index file from public_html?

Answer: You can certainly restore your index file from a backup as long as the backup has not been hacked too.

Question #33: What about SSL and the way Google is indexing secure sites?

Answer: Google has confirmed that SSL is a ranking signal. Brian Dean from Backlinko released an article back in September that confirmed the correlation between HTTPS sites and higher rankings as part of his experiments.

Question #34: How can i prevent sites like social-button.xyz and social-button.to to link to my site?

Answer: If you are seeing this in Google Analytics, you can watch my last webinar on how to defend your reports against spam. If the sites are linking to your site, see my advice above regarding the URL Removal Tool in Google Search Console.

Nuestro Próximo Webinar


Néstor Angulo - Analista de Seguridad | Martes, 5 de Diciembre de 2017 a las 9am PST

Sin importar el nivel de experiencia en administración de sitios web que tengas, lidiar con un sitio web hackeado puede ser desalentador y frustrante. El impacto a tu reputación, tráfico e incluso SEO puede ser devastador y sin dudas creará una mala experiencia para tus visitantes o resultará en una pérdida en ganancias.

Únete a uno de nuestros analistas de seguridad líderes, Néstor Angulo, que te enseñará cómo limpiar malware de un sitio web WordPress hackeado y te guiará en los procesos de endurecimiento para reducir los riesgos de reinfección.

Néstor Angulo

Néstor Angulo

Analista de Seguridad

Néstor es un Analista de Seguridad en Sucuri y es un entusiasta de la tecnología y la fotografía. Su amor por la tecnología comenzó cuando su mamá le enseñó cómo funcionaban las computadoras Amstrad y lo motivó a abrir una grabadora VHS. A Néstor le encanta aprender y poder compartir sus conocimientos.