Sucuri Guides

How to Remove McAfee SiteAdvisor Blacklist Warning

Last updated on May 23rd, 2019


McAfee SiteAdvisor is one of the top three blacklisting authorities currently issuing security warnings on websites. When a website is blacklisted, it loses 95% of its traffic, on average. Blacklisting can affect how visitors access your website and how it ranks in Search Engine Result Pages (SERPs). Websites that have been scanned and found to possess harmful behavior or content are flagged by a blacklist authority (like McAfee SiteAdvisor), which then removes the site from their index.

Review Warning Status

1.1 Identify McAfee SiteAdvisor Website Security Warnings

Your website has been officially blacklisted when the big red splash page is shown. This is designed to stop visitors from accessing it.

If you are seeing security warnings when trying to reach your website, follow this guide to fix these issues and request a review for blacklist removal.

1.2 Website Malware Warnings

Here is an example of a common malware warning that suggests your hacked website is serving malicious downloads (such as viruses, spyware, rootkits, and ransomware).

McAfee SiteAdvisor Blacklist Warning

Here’s why johnhackedsite.com could be risky. We scanned this site and found that it’s not as secure as it should be. Please click with caution.

1.3 Scan Your Website for Malware

The very first step is to make sure your site is clean.

You can use our free tool, Sucuri SiteCheck, to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.

To scan your website for hacks and blacklist warnings using Sucuri SiteCheck:

  • Visit the Sucuri SiteCheck website and enter your website URL.
  • Click Scan Website.
  • If the site is infected, note any payloads and file locations found by SiteCheck.
  • Click Blacklist Status to see if you’ve been blacklisted by other authorities besides McAfee SiteAdvisor.

If you have multiple websites on the same server, we recommend scanning all of them. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

If SiteCheck is able to find a payload, this can help narrow your search. The following section of this guide will help you manually review your site to look for suspicious elements. You can also use other tools such as UnmaskParasites.

Fix Blacklist Symptoms

2.1 Remove File Infections

To perform complete malware removal, you should be able to edit files on your server. If you are not comfortable with this, enlist professionals to clean your site.

File Replacement: For CMSs such as WordPress or Joomla, you can safely rebuild the site using new copies of your core files and extensions directly from the official repositories. Custom files can be replaced with a recent backup—as long as it's not infected.

Malicious Domains and Payloads: If SiteCheck or the Diagnostic Page indicates any malicious domains or payloads, then you can start looking for those files on your server. The discovery date can also narrow your search down to files modified around that time frame.

To manually remove a malware infection from your website files:

  • Log into your server via SFTP or SSH.
  • Create a backup of the site before making changes.
  • Search your files for any reference to malicious domains or payloads noted.
  • Identify unfamiliar or recently changed files.
  • Restore suspicious files with copies from the official repository or a clean backup.
  • Replicate any customizations made to your files.
  • Test to verify the site is still operational after changes.
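
The file-search steps above (references to noted domains or payloads, recently changed files, comparison with a clean copy), as an added example that is not part of the original guide. It assumes GNU grep, find and diff on the server; the script name, the indicators file and the clean-copy directory are hypothetical and supplied by you.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires GNU grep, find, diff.
# Run it only after the backup step; it reads files and changes nothing.

# Files under $1 that contain any indicator listed in file $2 (one domain or
# payload fragment per line). -F matches literally, so "." is not a wildcard;
# blank lines are dropped because an empty pattern would match every file.
refs_to_indicators() {
    grep -v '^[[:space:]]*$' "$2" | grep -rlFf - -- "$1" | sort
}

# Regular files under $1 modified in the last $2 days, newest first, printed
# as "YYYY-MM-DD HH:MM path" for comparison with the reported discovery date.
recently_changed() {
    find "$1" -type f -mtime "-$2" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# Compare the live tree $1 with a clean copy $2 of the same CMS release:
# reports files whose content differs and files present on one side only.
# Uploads, themes and configuration files will show up as "Only in" the live
# tree; those are the entries to review by hand, not to overwrite.
changed_vs_clean() {
    LC_ALL=C diff -rq -- "$2" "$1" || true
}

# Usage (hypothetical script name):
#   sh triage.sh WEBROOT INDICATORS_FILE DAYS [CLEAN_COPY]
if [ "$#" -ge 3 ]; then
    refs_to_indicators "$1" "$2"
    recently_changed "$1" "$3"
    if [ -n "${4:-}" ]; then changed_vs_clean "$1" "$4"; fi
fi
```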

Caution: Manually removing "malicious" code from your website files can be extremely hazardous. Never perform any actions without a backup. If you're unsure, please seek assistance from a professional.

Hackers change malicious sites fairly often to avoid detection. As a result, Google's diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

If you can't find the "bad" content, try searching the web for the domain names listed on the diagnostic page. Chances are, someone else has already figured out how those domain names are involved in website exploits.

Caution: Do not overwrite your CMS configuration files. On WordPress, this includes the wp-config.php file or wp-content. On Joomla, this includes the configuration.php file and customizations.

2.2 Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies offer phpMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from your database tables:

  • Log into your database admin panel.
  • Make a backup of the database before making changes.
  • Search for suspicious content (e.g., spammy keywords, links).
  • Open the table that contains suspicious content.
  • Manually remove any suspicious content.
  • Test to verify the site is still operational after changes.
  • Remove any database access tools you may have uploaded.

You can also manually search for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

Caution: These functions are also used by plugins for legitimate reasons. Be sure to test changes or seek help, so you do not accidentally break your site.

2.3 Prevent Reinfection

Hackers always leave a way to reenter your site. More often than not, we find multiple backdoors, malicious admin users, and overlooked vulnerabilities.

User Accounts: Don't overlook user accounts! Stolen passwords are a prime way hackers get back into your site.

To clean up your user accounts:

  • Confirm all website user accounts are valid: CMS users; FTP/SFTP/SSH users; database administration panels (phpMyAdmin, etc.); cPanel accounts; hosting company logins.
  • Change all passwords for all users.
  • Enable two-factor authentication (2FA) if it is available.

Caution: These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions. The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it's very rare to see encoding in official CMS files.

Often backdoors are embedded in files similarly named to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

It is critical that all backdoors are closed in order to successfully clean a website hack, otherwise your site will be reinfected quickly.
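
One way to search PHP files for the functions listed above and rank the results for manual review; this is an added example, not Sucuri's tooling. It assumes GNU grep, matches base64 as base64_decode, and recognises the /e modifier only in the common slash-delimited form.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires GNU grep.

# Function names from the guide's list; "base64" is matched as base64_decode,
# and gzinflate is included because the guide names it in the database section.
SUSPECT_FUNCS='base64_decode|str_rot13|gzuncompress|gzinflate|eval|exec|create_function|system|assert|stripslashes|move_uploaded_file'
# A call is the name, not preceded by an identifier character, then "(".
# This keeps curl_exec() or execute() from being counted as exec().
CALL_RE="(^|[^A-Za-z0-9_])($SUSPECT_FUNCS)[[:space:]]*\\("
# preg_replace whose first argument ends in /<modifiers containing e>.
PREG_E_RE='preg_replace[[:space:]]*\([^,]*/[a-z]*e[a-z]*.[[:space:]]*,'

# Print "hits path" for every *.php file under $1 with at least one matching
# line, highest count first, so the densest files are reviewed first.
rank_php_suspects() {
    grep -rEc --include='*.php' -e "$CALL_RE" -e "$PREG_E_RE" -- "$1" |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }' |
        sort -k1,1nr -k2
}

# Files where eval() directly wraps a decoder: the encoded-payload shape the
# guide describes as very rare in official CMS files.
encoded_eval_files() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        -- "$1" | sort
}

# Usage (hypothetical script name): sh scan-php.sh WEBROOT
if [ "$#" -ge 1 ]; then
    rank_php_suspects "$1"
    encoded_eval_files "$1"
fi
```

A hit is a reason to open the file, not proof of a backdoor: plugins use these functions legitimately, so compare each flagged file with its official copy before changing it.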

Secure Computing: It is possible for infections to jump from a computer to your website by using CMS and file transfer applications. All computers with access to your website should be secure.

Have all users scan their computers with an antivirus program.

Here are some antivirus programs we recommend:

Most browser blacklists use the Google blacklist API. For more information visit the Google help pages.

Final Steps

3.1 Submit Website for Review

This is perhaps the most challenging part we found. Unlike Google and Bing or even Norton, there are no webmaster tools you can log into, at least none that we can find. However, here is the McAfee SiteAdvisor link you need to access.

To request a McAfee review of your site for blacklist removal:

  • Visit the ticketing service for McAfee SiteAdvisor.
  • Choose McAfee SiteAdvisor/WebControl (Enterprise) from the list.
  • Type in your URL and click Check URL.
  • Review the Reputation and Categorization for your site.
  • Click Submit URL for Review.

Add a website to the McAfee Customer URL Ticketing System.

3.2 Protect your Brand

As with most blacklist authorities, it takes three to five business days on average for McAfee SiteAdvisor to remove a website from their blacklist. It can also take longer, depending on the complexity of the hack and length of the ticket queue.

You can track the status of the McAfee SiteAdvisor blacklist review by clicking on “Track URL Ticket Status”.

Remove Spam URLs from Google: If spam pages were removed from your site, they may have been indexed by Google already. The spam pages can create 404 (Not Found) errors when they are removed from your site. You can use the URL Removal Tool to notify Google that these spam pages should be removed from their index.

To remove spam URLs causing 404 errors:

  • Navigate to the Google Index tab in Search Console.
  • Click the Remove URLs section.
  • Click the Temporarily Hide button.
  • Enter the URLs of spam pages that have been removed.
  • Click Continue.

Caution: This tool removes pages from Google search. This option helps after you have removed spam pages so that Google knows they are not actually part of your site.

Website Protection: You should also consider taking more steps to harden and protect your site. This includes applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website firewalls were invented to surround your website with a professional defense system.

Benefits of using a Web Application Firewall (WAF)

  • A website firewall prevents a future hack by detecting and stopping known hacking methods and behaviors. It also keeps your site protected against hacks in the first place.
  • A website firewall updates your website virtually. It will patch holes in your website software even if you haven’t applied security updates. Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days).
  • A website firewall stops unwarranted access and brute-force attacks to guess your password.
  • A website firewall prevents DDoS (Distributed Denial of Service) attacks, which attempt to overload your server or application resources. A website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
  • A website firewall optimizes website performance. Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
