Check, fix, and recover your blacklisted site.
Google blacklists 10,000+ websites every day. Are you one of them? For most website owners, the security warnings, hack indicators, and diagnostic pages can be daunting. It’s difficult to focus on fixing your hacked website when all of your visitors are being blocked from accessing your site. We compiled this guide to help webmasters remove website hacks and Google warnings so that you can restore your website and reclaim visitors, revenue, and SEO rankings.Protect your Site
Your website is blacklisted because Google scanned your site and found harmful behavior. Google needs to protect its users from dangerous websites that show up in their search results. In fact, websites that repeatedly get blacklisted for malicious behavior are limited to only one review every 30 days. That big red splash page (and warnings next to your site in Google’s search results) are designed to stop visitors from entering your site. It works, too. Websites lose about 95% of their traffic when blacklisted by Google.
If you are seeing security warnings when trying to reach your website:
The specific warning message on your site can help you to understand what Google is telling you about the type of security issues they found on your site. This information will be useful in the following sections of this guide.
Blacklisted for Website Malware Warnings
Here are a few examples of common malware warnings that suggest your hacked website is serving malicious downloads such as viruses, spyware, rootkits, and ransomware. Most browsers use Google’s blacklist API, but Microsoft (IE/Edge) have their own. The following images are examples of this kind of blacklist warning from popular browsers.
The specific warning will vary based on your browser or antivirus. If you recognize any of the images below then your website is blacklisted and you can use the Diagnostic Info section to find out more.
Blacklisted for Website Phishing Warnings
There are a number of phishing warnings, meaning your visitors are being tricked into revealing personal information such as passwords and credit card data. These Google warnings can also mean your site contains malicious advertisements or malvertising. The new unwanted software warning may indicate malicious ads or scams.
Google Search Malware Warnings
When your site shows up in Google, warnings in search engine result pages(SERPs) show if spam or redirects are detected on your site. These can also be triggered if your hacked site is used to infect visitors with malicious software through drive-by-downloads. If your site is not showing the red warning page yet, but these warnings appear in your search results, it can indicate malicious scripts and iframes are being loaded from third-party sites.
Every one of those red warning pages will link to another page that describes why the website is being blacklisted by Google. The main button you see on the page is for visitors, and often reads something like, Get me out of here or Back to safety – but there is always another link for the website owner to find out more through Google Diagnostics.
To find your Google Diagnostic Page:
Site Safety Details
In the site safety details report, you may be presented with dangerous websites, which is where malicious content is being detected on your site. Take note of these URLs as they will be helpful when you are ready to remove the malware from your site.
This list of URLs indicates traces of malicious domains on your site. It may be a hidden iframe, external script, or unauthorized redirect. Note these domain names to scan for them in the following section.
This section of the report also includes information about whether your site is serving malicious redirects or downloads hosted on your server.
Next, look for the scan date (how recently Google scanned your site) and the discovery date (when the suspicious content was originally detected).
These dates can help you later when reviewing files that were modified recently.
If you already attempted to clean up your site, but the scan date is more recent, Google believes your site is still infected and will keep it blacklisted.
You can use our free tool, Sucuri SiteCheck, to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.
To scan your website for hacks and blacklist warnings using Sucuri SiteCheck:
If you have multiple websites on the same server we recommend scanning them all for malicious content. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.
If SiteCheck is able to find a payload, this can help narrow your search. The following section of this guide will help you manually review your site to look for suspicious elements in order to remove your blacklist. You can also use other tools such as UnmaskParasites.
To perform a complete malware removal, you should be able to edit files on your server. If you are not comfortable with this, get professionals to clean your site.
If you use a CMS such as WordPress or Joomla, you can safely rebuild the site using fresh copies of your core files and extensions directly from the official repositories. Custom files can be replaced with fresh a recent backup, as long as it’s not infected.
Malicious Domains and Payloads
If SiteCheck or the Google Diagnostic Page indicated any malicious domains or payloads, then you can start looking for those files on your server. The discovery date can also narrow your search to files modified around that timeframe.
To manually remove a malware infection from your website files:
Hackers change malicious sites fairly often to avoid detection. As a result, Google’s diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.
If you can’t find the “bad” content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits.
Manually removing “malicious” code from your website files can be extremely hazardous. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.
Do not overwrite your CMS configuration files. On WordPress, this includes wp-config.php file or wp-content. On Joomla, this includes the configuration.php file and customizations.
To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies offer PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.
To manually remove a malware infection from your database tables:
You can also manually search for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors, malicious admin users, and overlooked vulnerabilities that end up getting your site blacklisted again.
Review User Accounts
Don’t overlook user accounts! Stolen passwords can allow hackers to get back into your site.
To clean up your user accounts:
Often backdoors are embedded in files named similar to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.
Backdoors commonly include the following PHP functions:
It is critical that all backdoors are closed to successfully clean a website hack and, otherwise your site will be reinfected quickly and added to the blacklist.
It is possible for infections to jump from a computer to your website by using CMS and file transfer applications. All computers used to access your website should be secure. Have all users scan their computers with an antivirus program to discover any infections.
Here are some antivirus programs we recommend:
To remove the blacklist warning you need to let Google know that you have completely cleared the infection. To do this, you must have a Google Search Console account (formerly Webmaster Tools).
To verify ownership of your website in Google Search Console:
Other Website Blacklists
Google Safebrowsing is not the only website blacklist out there, however many other authorities use Google’s API to add malicious websites to their own blacklists. Once your website is on the Google blacklist, it’s only a matter of time before other blacklists pick up your website and add it to their own lists.
Antivirus programs and other search engines also want to warn their users when a website is dangerous. Each has their own console and review process. In order to remove your site from their blacklists, you need to go through the steps to let them know your website is clean.
If you used SiteCheck to scan your site for malware in the first step, the results will indicate whether your site has been blacklisted by other authorities. The review process should be similar to Google Search Console. For example, the McAfee blacklist has a review submission form, and both Bing and Yandex have their own webmaster tools that you should sign up for.
Other popular blacklist authorities:
If you do not request a review, Google may think you haven’t finished the site cleanup. By requesting a review, you are telling Google that you are ready for them to rescan your site. Google is now limiting repeat blacklist offenders to one review request every 30 days. Do not try to trick Google either, as it may not pass the review process. For example, if the site is empty, it won’t pass a review. Be sure your site is clean before proceeding!
To request a security issue review from Google:
To request a spam review from Google:
The process will be similar for other blacklists such as McAfee, Bing, Yandex, and Norton.
Once you have submitted the blacklist removal request it can take a few days for Google to review your site.
Have Google Recrawl Your Site
If the title and description of your web pages were infected with spam, it can take time for your search results to change back. This is because Google only crawls your site every so often. Fortunately, in Search Console, you can ask Google to refresh certain pages and the links on those pages.
To force Google to recrawl your site:
This will have Google crawl your homepage and any links on that page. If you have other pages showing in Google search results with spam in the title and description, you can also crawl those pages separately.
Google Search Console allows you to crawl 500 single URLs per month and only 10 with direct links per month. These 10 are best used to crawl pages with many internal links, such as a public sitemap or your homepage.
Remove Spam URLs
If spam pages were removed from your site, they may have been indexed by Google already. The spam pages can create 404 (Not Found) errors when they are removed from your site. You can use the URL Removal Tool to tell Google these spam pages should be removed from their index.
To remove spam URLs causing 404 errors:
This tool removes pages from Google search. This option helps after you have removed spam pages so that Google knows they are not actually part of your site.
Focus on Website Protection
You should also consider taking more steps to harden and protect your site to prevent future blacklisting. This includes applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to surround your website with a professional defense system.
Benefits of using a website firewall:
Prevent a Future Hack
By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
Virtual Security Update
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.
Block Brute Force Attack
A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
Mitigate DDoS Attack
Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.