HOW TO REMOVE GOOGLE BLACKLIST WARNING

Check, fix, and recover your blacklisted site.

Google blacklists 10,000+ websites every day. Are you one of them? For most website owners, the security warnings, hack indicators, and diagnostic pages can be daunting. It's difficult to focus on fixing your hacked website when all of your visitors are being blocked from accessing your site. We compiled this guide to help webmasters remove website hacks and Google warnings so that you can restore your website and reclaim visitors, revenue, and SEO rankings.

Step 1

REVIEW WARNING STATUS

1.1 Identify Website Security Warnings

Your website is blacklisted because Google scanned your site and found harmful behavior. Google needs to protect its users from dangerous websites that show up in their search results. In fact, websites that repeatedly get blacklisted for malicious behavior are limited to only one review every 30 days. That big red splash page (and warnings next to your site in Google's search results) are designed to stop visitors from entering your site. It works, too. Websites lose about 95% of their traffic when blacklisted by Google.

If you are seeing security warnings when trying to reach your website:

  1. Review the images below and common Google blacklist warnings.

  2. Identify the type of warning you are seeing on your site.

  3. Follow this guide to fix security issues and request a review.

The specific warning message on your site can help you to understand what Google is telling you about the type of security issues they found on your site. This information will be useful in the following sections of this guide.

Common Website Blacklist Warning Messages

  • The website ahead contains malware
  • Danger malware ahead
  • The site ahead contains harmful programs
  • The site ahead contains malware
  • Reported attack page
  • Suspected malware site
  • This website has been reported as unsafe
  • Deceptive site ahead
  • Suspected phishing site
  • Website request forgery
  • This site may be hacked
  • This site may harm your computer
  • Unwanted software

Note

The specific warning will vary based on your browser or antivirus. If you recognize any of the images below then your website is blacklisted and you can use the Diagnostic Info section to find out more.

Website Malware Warnings

Here are a few examples of common malware warnings that suggest your hacked website is serving malicious downloads such as viruses, spyware, rootkits, and ransomware. Most browsers use Google's blacklist API, but Microsoft (IE/Edge) has its own. The following images are examples of this kind of blacklist warning from popular browsers.

The site ahead contains malware:

Chrome uses "The site ahead contains malware" warning

Reported attack page:

Firefox shows "Reported Attack Page" on the dangerous site

Suspected Malware Site

Safari warns when they detect a "Suspected Malware Site"

This website has been reported as unsafe:

IE / Edge alert when "website has been reported as unsafe"

Website Phishing Warnings

There are a number of phishing warnings, meaning your visitors are being tricked into revealing personal information such as passwords and credit card data. These Google warnings can also mean your site contains malicious advertisements, or malvertising. The new unwanted software warning may indicate malicious ads or scams.

Deceptive Site Ahead

Chrome warns "Deceptive site ahead"

Deceptive Site!

Firefox shows "Deceptive Site!"

Suspected Phishing Site

Safari alert "Suspected Phishing Site"

Google Search Warnings

When your site shows up in Google, warnings in search engine results pages (SERPs) show if spam or redirects are detected on your site. These can also be triggered if your hacked site is used to infect visitors with malicious software through drive-by-downloads. If your site is not showing the red warning page yet, but these warnings appear in your search results, it can indicate malicious scripts and iframes are being loaded from third-party sites.

This site may be hacked:

Google warns "this site may be hacked" if your pages appear to have SEO spam or hacks.

This site may harm your computer:

Google warns "this site may harm your computer" if the site seems to intentionally download malware

Note

Most browser blacklists use the Google blacklist API. For more information visit the Google help pages.

1.2 Review Diagnostic Pages

Every one of those red warning pages will link to another page that describes why the website is being blacklisted by Google. The main button you see on the page is for visitors, and often reads something like, Get me out of here or Back to safety - but there is always another link for the website owner to find out more.

To find your Google Diagnostic Page:

  1. Visit the Google Transparency Report website.

  2. Enter your website URL

  3. Review the Site Safety Details and Testing Details using the guide below

Site Safety Details

In the report, you may be presented with dangerous websites, which is where malicious content is being detected on your site. Note these URLs as they will be helpful when you are ready to remove the malware from your site.

This indicates traces of malicious domains on your site. It may be a hidden iframe, external script, or unauthorized redirect. Note these domain names to scan for them in the following section.

This section also includes information about whether your site is serving malicious redirects or downloads hosted on your server.

Testing Details

Next, look for the scan date (how recently Google scanned your site) and the discovery date (when the suspicious content was originally detected).

These dates can help you later when reviewing files that were modified recently.

If you already attempted to clean up your site, but the scan date is more recent, Google believes your site is still infected.

1.3 Scan for Malware

You can use our free tool, Sucuri SiteCheck, to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.

To scan your website for hacks and blacklist warnings using Sucuri SiteCheck:

  1. Visit the Sucuri SiteCheck website and enter your website URL.

  2. Click Scan Website.

  3. If the site is infected, note any payloads and file locations found by SiteCheck.

  4. Click Blacklist Status to see if you are blacklisted by other authorities.

If SiteCheck is able to find a payload, this can help narrow your search. The following section of this guide will help you manually review your site to look for suspicious elements. You can also use other tools such as UnmaskParasites.

Note

If you have multiple websites on the same server we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

Step 2

FIX BLACKLIST SYMPTOMS

2.1 Remove File Infections

To perform complete malware removal, you should be able to edit files on your server. If you are not comfortable with this, get professionals to clean your site.

Caution

Manually removing "malicious" code from your website files can be extremely hazardous. Never perform any actions without a backup. If you're unsure, please seek assistance from a professional.

File Replacement

If you use a CMS such as WordPress or Joomla, you can safely rebuild the site using fresh copies of your core files and extensions directly from the official repositories. Custom files can be replaced with a fresh, recent backup, as long as it's not infected.

Malicious Domains and Payloads

If SiteCheck or the Diagnostic Page indicated any malicious domains or payloads, then you can start looking for those files on your server. The discovery date can also narrow your search to files modified around that timeframe.

To manually remove a malware infection from your website files:

  1. Log into your server via SFTP or SSH.

  2. Create a backup of the site before making changes.

  3. Search your files for any reference to malicious domains or payloads you noted.

  4. Identify unfamiliar or recently changed files.

  5. Restore suspicious files with copies from the official repository or a clean backup.

  6. Replicate any customizations made to your files.

  7. Test to verify the site is still operational after changes.
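Steps 3 and 4 can be run from the SSH session as read-only searches. The following is an added example, not part of the original guide; the function names, the script name and the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only triage for steps 3 and 4: nothing here edits or deletes files.
# Function names and the usage line are illustrative, not from the guide.

# find_domain_refs WEBROOT DOMAIN...
# List files that mention any noted domain. -F treats each domain as a
# literal string, so the dots in "bad.example" cannot match other characters.
find_domain_refs() {
    webroot=$1
    shift
    for domain in "$@"; do
        grep -rlF -- "$domain" "$webroot" 2>/dev/null
    done | LC_ALL=C sort -u
}

# find_changed_since WEBROOT YYYY-MM-DD
# List files modified after the given day (for example the discovery date
# on the diagnostic page). A reference file plus -newer is portable across
# GNU and BSD find. Modification times can be reset by whoever changed the
# file, so an old timestamp does not clear a file.
find_changed_since() {
    webroot=$1
    stamp=$(printf '%s' "$2" | tr -d '-')      # 2024-06-01 -> 20240601
    ref=$(mktemp) || return 1
    if ! touch -t "${stamp}0000" "$ref" 2>/dev/null; then
        rm -f "$ref"
        echo "bad date: $2 (expected YYYY-MM-DD)" >&2
        return 1
    fi
    find "$webroot" -type f -newer "$ref" | LC_ALL=C sort
    rm -f "$ref"
}

# Usage: sh triage.sh WEBROOT DISCOVERY_DATE DOMAIN...
if [ "$#" -ge 3 ]; then
    root=$1; since=$2
    shift 2
    echo "== Files referencing noted domains =="
    find_domain_refs "$root" "$@"
    echo "== Files modified since $since =="
    find_changed_since "$root" "$since"
fi
```

Run it against the backup copy from step 2 as well, so results can be compared before anything is restored.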

Hackers change malicious sites fairly often to avoid detection. As a result, Google's diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

If you can't find the "bad" content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits.

Caution

Do not overwrite your CMS configuration files. On WordPress, this includes the wp-config.php file or wp-content. On Joomla, this includes the configuration.php file and customizations.

2.2 Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies offer PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from your database tables:

  1. Log into your database admin panel.

  2. Make a backup of the database before making changes.

  3. Search for suspicious content (e.g., spammy keywords, links).

  4. Open the table that contains suspicious content.

  5. Manually remove any suspicious content.

  6. Test to verify the site is still operational after changes.

  7. Remove any database access tools you may have uploaded.

You can also manually search for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

2.3 Prevent Reinfection

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors, malicious admin users, and overlooked vulnerabilities.

User Accounts

Don't overlook user accounts! Stolen passwords can allow hackers to get back into your site.

To clean up your user accounts:

  1. Confirm all website user accounts are valid:

    • CMS users
    • FTP/SFTP/SSH users
    • Database administration panels (PHPMyAdmin, etc.)
    • cPanel accounts
    • Hosting company logins

  2. Change all passwords for all users.

  3. Enable two-factor-authentication (2FA) if it is available.

Backdoors

Often backdoors are embedded in files named similar to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file

It is critical that all backdoors are closed to successfully clean a website hack; otherwise, your site will be reinfected quickly.

Caution

These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it's very rare to see encoding in official CMS files.
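Both backdoor patterns described above (a look-alike file in the wrong directory, and code injected into a legitimate file) show up when the live site is compared with an untouched copy of the same CMS release. The following is an added example, not part of the original guide; it assumes a fresh copy has been unpacked next to the site, and the function names and usage line are illustrative.

```shell
#!/bin/sh
# Read-only checks; names and the usage line are illustrative.

# core_drift LIVE_DIR FRESH_DIR
# Compare the live site with an unpacked, unmodified copy of the same CMS
# version. "extra" = file has no counterpart in the official release (this
# is how a look-alike file in the wrong directory shows up); "modified" =
# content differs from the official file. Your own uploads, plugins and
# configuration files are reported as "extra" too and need a manual look.
core_drift() {
    live=$1
    fresh=$2
    (cd "$live" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$fresh/$rel" ]; then
            printf 'extra\t%s\n' "$rel"
        elif ! cmp -s "$live/$rel" "$fresh/$rel"; then
            printf 'modified\t%s\n' "$rel"
        fi
    done
}

# Calls to functions from the list above. The leading group requires a
# non-identifier character first, so filesystem( or curl_exec( do not match
# system( or exec(. stripslashes and preg_replace are left out because a
# name match alone cannot separate the /e form from ordinary use.
PATTERN='(^|[^A-Za-z0-9_])(eval|base64_decode|str_rot13|gzuncompress|gzinflate|exec|create_function|system|assert|move_uploaded_file)[[:space:]]*\('

# flag_php_functions DIR
# Print file:line:text for every matching line in *.php files. A hit is a
# lead for review, not a verdict: plugins use these functions legitimately.
flag_php_functions() {
    find "$1" -type f -name '*.php' \
        -exec grep -nE "$PATTERN" /dev/null {} + 2>/dev/null | LC_ALL=C sort
}

# Usage: sh drift.sh LIVE_DIR FRESH_DIR
if [ "$#" -eq 2 ]; then
    echo "== Differences from the official release =="
    core_drift "$1" "$2"
    echo "== Lines calling commonly abused PHP functions =="
    flag_php_functions "$1"
fi
```

Files that are both "extra" or "modified" and flagged by the function search are the first ones to open.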

Patch Vulnerabilities

Software vulnerabilities account for a large percentage of hacked websites.

Take the time to update all of your software, including:

  • CMS files
  • Plugins
  • Themes
  • Extensions
  • Server Software

If you have difficulty updating your site, we recommend looking into a website firewall that includes virtual patching. This can also prevent zero-day exploits against your site when no patch is available.

Note

You can also look for vulnerabilities in your code by following the Google guide: Identify the vulnerability.

Secure Computing

It is possible for infections to jump from a computer to your website by using CMS and file transfer applications. All computers used to access your website should be secure. Have all users scan their computers with an antivirus program.

Here are some antivirus programs we recommend:

Note

You should have only one antivirus actively protecting your system to avoid conflicts. If your users' computers are not clean, your site can get reinfected easily.

Step 3

GET GOOGLE REVIEW

3.1 Get Google Search Console

To remove the blacklist warning you need to let Google know that you have completely cleared the infection. To do this, you must have a Google Search Console account (formerly Webmaster Tools).

To verify ownership of your website in Google Search Console:

  1. Open Google Webmaster Central.

  2. Click Search Console and sign in with your Google account.

  3. Click Add a site.

  4. Type in your site's URL and click Continue.

  5. Verify your site using the Recommended method or Alternate methods options.

  6. Click Add a site.

  7. Click Verify.

  8. Check the Messages section to review any warnings.

Other Blacklists

Google Safe Browsing is not the only website blacklist out there; however, many other authorities use Google's API to add malicious websites to their own blacklists. Once your website is on the Google blacklist, it's only a matter of time before other blacklists pick up your website and add it to their own lists.

Antivirus programs and other search engines also want to warn their users when a website is dangerous. Each has its own console and review process. In order to remove your site from their lists, you need to go through the steps to let them know your website is clean.

If you used SiteCheck to scan your site for malware in the first step, the results will indicate whether your site has been blacklisted by other authorities. The review process should be similar to Google Search Console. For example, the McAfee blacklist has a review submission form, and both Bing and Yandex have their own webmaster tools that you should sign up for.

Other popular blacklist authorities:

  • McAfee SiteAdvisor
  • Bing Blacklist
  • Yandex Blacklist
  • Norton SafeWeb
  • PhishTank
  • SpamHaus
  • BitDefender
  • ESET

3.2 Request Security Review

If you do not request a review, Google may think you haven't finished the site cleanup. By requesting a review, you are telling Google that you are ready for them to rescan your site. Google is now limiting repeat offenders to one review request every 30 days. Do not try to trick Google either, as your site may not pass the review process. For example, if the site is empty, it won't pass a review. Be sure your site is clean before proceeding!

Note

At Sucuri, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews, however, such as web spam hacks as a result of manual actions, can take up to two weeks.

To request a security issue review from Google:

  1. Navigate to the Security Issues tab in Search Console.

  2. Review the issues to confirm all have been cleaned.

  3. Check the box to confirm I have fixed these issues.

  4. Click Request a Review.

  5. Fill in the information with as much detail as possible about what was cleaned.

To request a spam review from Google:

  1. Navigate to the Search Traffic tab in Search Console.

  2. Click the Manual Actions section.

  3. Review the issues to confirm all have been cleaned.

  4. Click Request a Review.

  5. Fill in the information with as much detail as possible about what was cleaned.

The process will be similar for other blacklists such as McAfee, Bing, Yandex, and Norton.

3.3 Wait and Protect Brand

Once you have submitted the blacklist removal request it can take a few days for Google to review your site.

Have Google Recrawl Your Site

If the title and description of your web pages were infected with spam, it can take time for your search results to change back. This is because Google only crawls your site every so often. Fortunately, in Search Console you can ask Google to refresh certain pages and the links on those pages.

To force Google to recrawl your site:

  1. Navigate to the Crawl tab in Search Console.

  2. Click the Fetch as Google section.

  3. Enter your homepage or leave the field blank.

  4. Click the Fetch button.

  5. Click the Submit to Index button below.

  6. Check the box to confirm I am not a robot.

  7. Choose the option to Crawl this URL and its direct links.

  8. Click Go.

This will have Google crawl your homepage and any links on that page. If you have other pages showing in Google search results with spam in the title and description, you can also crawl those pages separately.

Note

Google Search Console allows you to crawl 500 single URLs per month, and only 10 with direct links per month. These 10 are best used to crawl pages with many internal links, such as a public sitemap or your homepage.

Remove Spam URLs

If spam pages were removed from your site, they may have been indexed by Google already. The spam pages can create 404 (Not Found) errors when they are removed from your site. You can use the URL Removal Tool to tell Google these spam pages should be removed from their index.

To remove spam URLs causing 404 errors:

  1. Navigate to the Google Index tab in Search Console.

  2. Click the Remove URLs section.

  3. Click the Temporarily Hide button.

  4. Enter the URLs of spam pages that have been removed.

  5. Click Continue.

Caution

This tool removes pages from Google search. This option helps after you have removed spam pages so that Google knows they are not actually part of your site.

Website Protection

You should also consider taking more steps to harden and protect your site. This includes applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to surround your website with a professional defense system.

Benefits to using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  2. Virtual Security Update

    Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch the holes in your website software even if you haven't applied security updates.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your administrator pages if they aren't supposed to be there, making sure they can't use brute force automation to guess your password.

  4. Mitigate DDoS Attack

    Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  5. Performance Optimization

    Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.