What is a Google Blacklist?

Websites get hacked and blacklisted. Learn why.

Google is one of the top search engines in the world and is committed to providing its users a safe online experience. To achieve this, it has invested resources in identifying and flagging potentially malicious websites. To let users know when they’re visiting a potentially malicious website, it “blacklists” the site. This is meant to deter the user from moving forward, notify the website owner, and simultaneously impede the attacker’s intentions. Navigating the various blacklists and warnings can be time consuming, so we’ve put together the following guide to help.


Common Indicators of a Blacklisted Site

  • Desktop AVs are blocking the site
  • Search engine results say: “Possibly Compromised”
  • Host notified and disabled the site
  • SEO spam links and redirects in SERPs
  • File modifications or core integrity issues
  • Big Red Screen when accessing the site

Understanding Google Blacklist

In the context of websites, blacklisting refers to the process of search engines removing a website from their index. Webmasters pay close attention to this because when blacklisted, a site loses nearly 95% of its organic traffic, which can quickly impact sales and revenue.

Do you want to know your website's malware or blacklisting status? Our Sucuri SiteCheck scanner will check for blacklisting status and malware incursions. Click here to run a report, or if you run a WordPress site, leverage our free WordPress security plugin to automate your security scans.

Sites are blacklisted when authorities such as Google, Bing, Norton Safe Web, McAfee SiteAdvisor etc., find irregularities on a website that they deduce to be malware. Malware can come in many forms: trojan horses, phishing schemes, pharma hacks, email or information scraping. Most often, the website owner is not even aware that they have been hacked. However, it's in the search engine's best interest not to show infected results, as they don't want to lose users due to these results putting their computer in harm's way.

What does a Malware Blacklist look like?

Most of today’s popular browsers will present the user with their own unique variation of a warning when a site is blacklisted for malware. The above images represent some of the more popular browsers and the warnings you can expect when a site is blacklisted for distributing malware. The red splash page takes up the entire view and is designed to protect the user and deter them from proceeding.

The following are warning messages reserved for malware blacklists:

  • The Website Ahead Contains Malware!
  • Danger: Malware Ahead!
  • The site ahead contains harmful programs
  • The site ahead contains malware
  • Reported Attack Page!
  • Suspected Malware Site
  • This website has been reported as unsafe

Not all messages above are from Google, and not all browsers use the Google blacklist API. Each of the warnings, however, is designed to inform you that the website has been hacked and blacklisted because it is being used to distribute malware.

[Images: malware blacklist warnings in Chrome, Firefox, Safari, and IE / Edge]

What does a Phishing Blacklist look like?

“Deceptive Site Ahead”

This message is used to tell users that Google believes that a bad actor has made changes to the site that can be used to deceive a site visitor into sharing information. This is often in the form of a spear phishing campaign, but can also include web pages that have otherwise been flagged as deceptive or advertisements.

This warning generates a big red screen when a site visitor attempts to open the site, but does not present any warnings or notifications in the Google SERPs.

The following are warning messages reserved for phishing blacklists:

  • Deceptive site ahead
  • Suspected Phishing Site
  • Website Request Forgery

[Images: phishing warnings in Chrome, Firefox, and Safari]

Understanding Google’s Security Warnings

“This site may be hacked” warning

This message is used to tell the user that Google believes a bad actor has made changes to the site by adding new pages in the form of spam. Visiting the site might redirect you to a page showing various forms of spam links or spam pages.

Google’s official explanation is:

“You'll see the message "This site may be hacked" when we believe a hacker might have changed some of the existing pages on the site or added new spam pages. If you visit the site, you could be redirected to spam or malware.”

This warning does not generate a red screen, and shows exclusively in the Google Search Engine Results Pages (SERP). For more information on what to do if you see this warning visit the Google help pages.

Google search hacked site

“This site may harm your computer” notification

This message is used to tell the user that Google believes bad actors have made changes to the site that distribute and install malicious software on the visitor’s machine. Visiting the site may cause irreparable damage to your local machine, and can include a number of drive-by-download attacks including ransomware.

Google’s official explanation is:

“You'll see the message "This site may harm your computer" when we think the site you're about to visit might allow programs to install malicious software on your computer.”

Google is pretty accurate when it suspects a website of maliciously distributing malware to its users. The classification does generate a big red image when visiting the site across multiple browsers that use the Google blacklist API. For more information on what to do if you see this notification visit the Google help pages.

Google search hacked site

Google Diagnostic Page

Navigating Google's Diagnostic Page

Working with Google Diagnostic Page

We would be remiss if we didn't mention the Google Diagnostic Page when talking about Google Blacklist and Security Warnings. It's a very small gem that all website owners should be aware of and utilize.

For some, this page might be very difficult to understand or interpret, so we've pulled over our content from one of our properties, Unmaskparasites, to compile and consolidate our thoughts and insights on the subject.

1.1 The What

You should determine what exactly is blacklisted by Google. On the Google Diagnostic Page of your website you will find the URL that is being detected. If the URL is a directory, every page below it must be checked for malware.

Here are a few examples:

  1. blog.example.com/pages/page1.html – only this page.

  2. blog.example.com/pages/ – everything below /pages.

  3. blog.example.com – the whole blog.

  4. example.com – the whole domain and its subdomains.

This information can help you narrow down your search to specific sections of your site.
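As an added illustration (not code from the original guide), the four cases above can be written as a filter that tells you which of your own URLs a flagged entry covers. The function name and the `registered_domain` parameter are assumptions: the caller supplies the site's registrable domain so that a bare-domain entry can be told apart from a subdomain entry.

```python
from urllib.parse import urlsplit


def in_flagged_scope(flagged, url, registered_domain):
    """Return True if `url` is covered by the entry `flagged` from the diagnostic page."""
    f = urlsplit(flagged if "//" in flagged else "//" + flagged)
    u = urlsplit(url if "//" in url else "//" + url)
    f_host, u_host = (f.hostname or "").lower(), (u.hostname or "").lower()
    f_path, u_path = f.path or "/", u.path or "/"

    if f_host == registered_domain.lower() and f_path == "/":
        # Case 4: the bare domain covers the domain and all of its subdomains.
        # The leading dot keeps "notexample.com" from matching "example.com".
        return u_host == f_host or u_host.endswith("." + f_host)
    if u_host != f_host:
        return False
    if f_path.endswith("/"):
        # Cases 2 and 3: a directory (or a host root) covers everything below it.
        return u_path.startswith(f_path) or u_path + "/" == f_path
    # Case 1: a single page, exact match only.
    return u_path == f_path
```

Run it over the URLs in your sitemap to get the list of pages that need checking for a given entry.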

1.2 The When

Next, look for when Google last visited your site (the scan date) and when the suspicious content was last found (the discovery date). You can find these dates in the “What happened when Google visited this site?” paragraph. You should match these dates with the date of the last attempt to clean up the site (the cleanup date).

If you want Google to pick up your latest changes, you should request a malware review via Google Webmaster Tools. This will have Google rescan your site within a few hours. If your site is blacklisted, the scan date and the discovery date are usually the same.

In some cases, however, the site can be blacklisted with the scan date being more recent than the discovery date. It is important to correctly interpret this situation.

Google's unofficial explanation is confusing.

"The review may have found "suspicious" content that was not "suspicious" enough to have added the site to the malware list - but it is "suspicious" enough to prevent it from being removed from the list."

What can trigger such a situation?

  1. You have cleaned up your site but didn't request a malware review. Without such a request, it may appear to Google as though you've removed the malicious code from some pages, but haven't yet finished the site cleanup. Therefore, they are waiting for you to ask them for a site review.

  2. You have removed all the infected pages (or all the site's web pages) and requested the review. Google may think you will restore the infected web pages after a successful review. Thus, instead of removing the web pages themselves, you should remove only the malicious content.

1.3 The Why

The domains listed on the diagnostic page may help you identify and locate the source of the problem. This information can be found in the “What happened when Google visited this site?” section of the diagnostic page.

Check for sentences that read like the following:

"Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, example.com did not appear to function as an intermediary for the infection of any sites."

One way or another, there should be traces of these domains on compromised sites. It may be a hidden iframe, external script, or unauthorized redirect. Therefore, start with scanning your files for these domain names.

Intermediary domains should be your priority in the investigation. This is where malicious content from your site links to. Sometimes, when hackers point a compromised site directly to servers with malicious content (or when Google can't determine the final destination of the malicious chain), the diagnostic page won't mention intermediary domains, so it is important to look for the malicious domains.

What if you can't find references to the malicious?

Unfortunately, references to malicious sites are usually complicated and cannot be revealed by simple scans. It is worth noting that hackers change the domain names of their malicious sites fairly often so they can't be blocked. Compromised, legitimate websites are often updated daily to ensure they now link to these new malicious sites. As a result, Google's diagnostic page may mention malicious and intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

If you can't find the “bad” content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits. If all else fails, get professionals to clean your site.
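The file scan described in section 1.3, as an added example that is not part of the original guide. It goes beyond a plain text search by also checking hex-escaped, character-code and base64 forms, since the references are often hidden; the function names, the domains `bad.example` and `intermediary.example`, and the sample file content are constructed placeholders.

```python
import base64
import os
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # long enough to hold a domain

def encodings_of(domain):
    """The domain as plain text and in two trivial script encodings."""
    raw = domain.lower().encode()
    return {"plain": raw,
            "hex-escape": "".join("\\x%02x" % b for b in raw).encode(),
            "charcode": ",".join(str(b) for b in raw).encode()}

def find_refs(data, domains):
    """Return sorted (domain, encoding) pairs for listed domains found in data."""
    text = data.lower()
    compact = re.sub(rb"\s+", b"", text)  # so "98, 97" also matches "98,97"
    decoded = b""
    for m in B64_RUN.finditer(data):
        blob = m.group(0).rstrip(b"=")
        try:
            decoded += base64.b64decode(blob + b"=" * (-len(blob) % 4)).lower()
        except ValueError:
            continue  # the run was not valid base64
    hits = set()
    for d in domains:
        for how, needle in encodings_of(d).items():
            if needle in text or needle in compact:
                hits.add((d, how))
        if d.lower().encode() in decoded:
            hits.add((d, "base64"))
    return sorted(hits)

def scan_tree(root, domains, exts=(".php", ".js", ".html", ".htm", ".htaccess")):
    """Walk a web root; return {path: hits} for files that reference a domain."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = find_refs(fh.read(), domains)
            if hits:
                report[path] = hits
    return report

# Constructed sample: a hidden iframe of the kind the guide mentions.
SAMPLE = b'<iframe src="http://bad.example/in.php" width="1" height="1"></iframe>'
if __name__ == "__main__":
    print(find_refs(SAMPLE, ["bad.example", "intermediary.example"]))
```

An empty result does not clear a file: multi-layer obfuscation and domains that have already been rotated will not match, which is the situation the paragraphs above describe.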

How to Prevent Google Blacklists

Stop Attacks and Prevent Hacks

Preventing Google Blacklists

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.

Benefits to using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  2. Virtual Security Update

    Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch the holes in your website software even if you haven’t applied security updates.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren't supposed to be there, making sure they can’t use brute force automation to guess your password.

  4. Mitigate DDoS Attack

    Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  5. Performance Optimization

    Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.