Updated on Jun 15, 2023
Google is very proactive when it comes to protecting internet users. Every day the search engine scans millions of websites for viruses, spyware, and other malicious software that could endanger website visitors. If Google detects malware on your website, it will flag it as a risk and notify all potential visitors. The warning will be shared across all Google products, so do everything you can to clear your website of malware and take all necessary precautions to avoid it in the future.
It is understandable to be concerned if your site gets flagged for malware, especially if you are unfamiliar with the malware details and Google’s Blacklist. Because of the warnings users begin to see, most will not enter your website and may never try again. This will inevitably result in a significant decrease in web traffic, the demise of online profits, and a negative impact on search engine rankings. Your website could even get blocked for all Google Chrome users.
Every day, Google adds around 10,000 websites to its blacklist. Security warnings, diagnostic pages, and hack indicators can be difficult for most website owners to comprehend. Fortunately, you’re reading a guide that will inform and assist you in understanding everything you need to know to clear your site of malware and how to keep it safe and secure for as long as possible.
This post includes:
Malware is an abbreviation for malicious software, which is any software intentionally designed to harm servers, computers, or computer networks.
Malicious software comes in various forms, including scripts, executable applications, and executable files. Hackers who deploy such malware have a variety of goals. Here’s what they can do to your site for their own benefit:
Malware can infect a website after a successful brute force attack, Cross-Site Scripting (XSS) attack, or SQL injection attack. XSS attacks allow attackers to inject client-side scripts into web pages that other users view. Attackers may exploit cross-site scripting vulnerabilities to circumvent access controls like the same-origin policy.
SQL injection is a web security vulnerability that allows attackers to interfere with an application’s database queries. Attackers can view data that they are generally not able to retrieve. That may include data from other users or anything else the application can access. The attacker can often modify or delete this data, causing persistent changes (damage) to the application’s content or behavior.
Malware can also infect your website via a content management system, theme, or plugin vulnerability. There are many types of malware, including:
Google is the most popular and influential search engine in the world. As a result, its overarching goal is to provide all users with a secure online experience. Google constantly invests resources to identify and flag all potentially malicious websites and add them to their blacklist. By doing so, the search engine warns anyone who attempts to access an infected website. Google advises users to proceed cautiously and notify the site’s owner of the problem. The fewer users who visit an infected website, the less effective the malware will be.
When a search engine blocks a website, that website is removed from its index. Simply put, it no longer exists in the search engine’s list of websites to crawl. When a website is blocked, it loses nearly 95% of its organic traffic, which can be disastrous for sales and overall revenue.
These are a few things that can happen when visiting an infected or blacklisted website or things your host or computer will do to prevent the malware from causing any damage.
If you want to find out your website’s blacklisting status, you can use the Sucuri SiteCheck scanner. It will check for blacklisting status and visible malware incursions. If you are using WordPress, there is an excellent plugin that can help as well. You can install the free Sucuri WordPress security plugin to automate security scans.
Another WordPress plugin that can help you is Wordfence. It is the most popular WordPress security plugin and comes in both a free and a premium version. Fortunately, the free version should work well for most malware situations.
Once you have installed and activated Wordfence, go to Wordfence → Scan to run a malware scan.
Additionally, if you need help with WordPress, please visit our thorough WordPress tutorial.
Sites get blocked when authorities (Google, Bing, McAfee, SiteAdvisor, etc.) find irregularities they believe to be malware. Malicious software can come in many forms: phishing schemes, trojan horses, email, pharma hacks, or information scraping. In most cases, website owners are unaware they have been hacked.
It is in the search engine’s best interest not to display infected results, mainly because they don’t want their integrity damaged. There are various categories for blacklisting, depending on why the website is blocked. Some websites are blocked for having phishing links, others for having spam, or, more generally, for having malware.
These are some of the warning messages reserved for malware blacklists:
Not all of the above messages are from Google. Not all browsers use the Google SafeBrowsing API to determine whether or not a website is safe. The warnings are there to alert you the website has been blacklisted due to getting hacked or having malware. Proceed with caution if you continue to the website.
You can see that message when visiting a malicious website using Google Chrome. The message differs slightly when using different browsers, such as Mozilla Firefox or Microsoft Edge. Still, in general, it says the same.
Google must protect all users from potentially harmful websites that appear in their search results. A website repeatedly blocked for malicious behavior is subject to a single monthly review. The red splash page we showed earlier in the post and the warning next to your website in Google’s search results are intended to discourage visitors from entering your website. People are cautious and do not want harm done to their devices, so the warnings typically work.
When discussing Google’s blacklists and security warnings, we must also mention Google Safe Browsing. It’s a key page; you should know and utilize it as a website owner. The Google Safe Browsing page is a quick way to determine whether Google is blocking your site for malware or phishing content.
Additionally, Google Search Center will contain more specific information about your website security warnings.
You can and should determine the precise reason for Google blocking your website. Firstly, you must add your website to Google Search Console. If you still need to do that and don’t know how to do it, click here to go to the part of this article that describes the process.
Once you are done, click Security Issues on your website’s Google Search Console tool page. The URLs that were detected and identified as malware can be found here. If the URL is a directory (folder), each page in it must be malware-free.
Here are a few examples of URL blacklists:
Those examples can help you narrow your search to specific site sections.
The following task is to determine when Google last discovered the suspicious content (the discovery date). These dates are listed next to the URLs in the Detected Issues section.
If you want Google to be aware of your most recent changes, you must request a malware review through the Google Search Console tool. Because of this, Google will rescan your website within a few days. To do so, go to the Security Issues section and click the Request Review button to submit your site.
When your website appears in Google, search engine result pages (SERP) warnings indicate whether your site contains spam or redirects. They can also be activated when your compromised website is used to infect visitors with malicious software via drive-by downloads. Although your site may not yet display the red warning page, these warnings may appear in search results. That could mean malicious scripts are being loaded from third-party websites, such as malvertising. Malvertising, or malicious advertising, is the use of malicious advertisements to spread malware and compromise systems.
Most browser blacklists use the Google Safe Browsing API. Visit the Google help pages for more information.
You can scan your site for malicious payloads, malware locations, security issues, and blacklist status with major authorities using the free tool Sucuri SiteCheck. To check your website for hacks and blacklist warnings using Sucuri SiteCheck, do the following:
Note
If you have multiple websites on the same server, you should scan all of them for malicious content. Cross-site contamination is one of the leading causes of reinfections. For security reasons, it’s recommended that every website owner isolates their websites on separate hosting accounts.
There are two main places where malware can reside: a website’s files and its database. Below you will find some advice on how to handle both those cases.
Removing files is the easier of the two ways to eliminate malicious content. However, we must warn you that removing a file is not a surefire way of cleaning your website. Sometimes it will work, but other times the infection will be deeply rooted and may require more than the deletion of files. Our services come pre-equipped with malware scanners and cleaners, which can help with the process. Nonetheless, we always advise our customers to contact professionals regarding the security of their websites.
If you use a CMS such as WordPress or Joomla!, you can rebuild the site using fresh, uninfected copies of the core files and plugins directly from the official repositories (or by using Softaculous or the WP Toolkit in cPanel).
Additionally, custom files can be replaced with a recent backup as long as the files in the backup are not infected themselves. Fortunately, FastComet provides daily backups for all clients.
If Sucuri SiteCheck or Google Search Console detect malicious domains or payloads, you can begin searching for those files on your server. The discovery date can help you narrow down your search to files that were modified around that time.
To manually remove a malware infection from your website files (NOT database), follow these steps:
To avoid detection, hackers frequently change malicious sites. As a result, Google’s Security Issues page may mention malicious or intermediary domains that are no longer visible on your site because new domains have replaced them.
If you can’t find the malicious content, try looking for the domain names listed on the diagnostic page.
Manually removing malicious code from website files can be exceptionally hazardous. Do not perform any actions without a backup. If you are not entirely sure, you should seek assistance from a professional. Do not overwrite your CMS configuration files. On WordPress, this includes the wp-config.php or wp-settings.php files.
To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies (including FastComet) offer phpMyAdmin.
To manually remove a malware infection from your database tables:
Warning
Manually editing and removing content from a database can also harm your website’s functionality. We strongly suggest you contact a professional to do it for you.
Hackers almost always leave a way to re-enter your website: backdoors, such as malicious admin users, PHP web shells, and overlooked vulnerabilities. That can lead to your website getting blocked again.
Make sure that user accounts are not overlooked. Often stolen passwords are what allow hackers to re-enter your website. If you want to clean up your user accounts, follow these steps:
Warning
These functions are sometimes used by plugins. That’s why you need to test any changes. Most malicious code we see uses some form of encoding to prevent detection. Besides premium components that use encoding to protect their authentication mechanism, it’s rare to see encoding in official CMS files.
Backdoors are often embedded in files with similar names to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.
Backdoors commonly include the following PHP functions:
All backdoors must be removed to clean a website hack successfully. Otherwise, your website will get reinfected quickly and added to the blacklist.
Do not exclude the possibility that infections can jump from a computer to your site by using CMS or file transfer apps. You need to secure all computers used to access your website — have all users scan their personal devices with an antivirus program to find out if there are any infections.
Here are some antivirus programs we recommend:
Free
Paid:
Once you have fixed everything, it is time to unblock your website and return it to working order!
To remove the blacklist warning, you must let Google know you have completely cleared the infection. You must have a Google Search Console account to do this.
To verify ownership of your website in Google Search Console:
Google Safebrowsing is not the only website blacklist. As mentioned, many other authorities use Google’s API to add malicious websites to their blacklists.
Antivirus programs and other search engines also want to warn their users when a website is dangerous. Each has its own console and review process. To remove your site from their blacklists, you must follow some steps to let them know your website is clean.
Use SiteCheck to scan your website for malware in the first step. The results will indicate if some of the top authorities have blacklisted your site. The review process is similar to Google Search Console. For example, the McAfee blacklist has a review submission form, and both Yandex and Bing have webmaster tools for which you should sign up.
Other popular blacklist authorities:
If you don’t request a review, Google may decide you haven’t finished your site cleanup. When you order a review, you are telling the search engine that you are ready for them to rescan your site. Google limits repeat blacklist offenders to a single review request every 30 days. Remember that you should not try to trick Google — this may lead to not passing the review process. Ensure that your site is clean before you proceed with the review. To request a security issue review from Google, do the following:
For further guidance on how to use the Google Search Console, visit the official source.
The process will be similar for other blacklists like McAfee, Bing, Yandex, and Norton.
After you have submitted the blacklist removal request, it may take a few days for Google to review your website and have it reindexed.
If the title and description of your pages were infected with spam, it may take some time for your search results to clear up. The reason for that is Google doesn’t crawl websites every day.
Fortunately, in the Search Console, you can ask Google to refresh certain pages and the links on those pages.
To make Google recrawl your site:
That will ensure Google can view your website without errors and resubmit it for indexing if successful. If the search console encounters any errors, you must review them and ensure your website is accessible to the Google bot.
Upon success, you should receive this message: “URL was added to a priority crawl queue. Submitting a page multiple times will not change its queue position or priority.”
That will instruct Google to crawl your homepage and any links on it. If any other pages show in Google search results with spam in the title and description, you can also crawl those pages separately.
Note
Google Search Console allows you to crawl 500 single URLs, and only 10 with direct links, per month. These ten are best used to crawl pages with many internal links, such as a public sitemap or your homepage.
If spam pages were removed from your site, Google might have already indexed them. When removed from your site, the spam pages can create 404 (Not Found) errors. You can use the URL Removal Tool to tell Google these spam pages should be removed from their index.
To remove spam URLs causing 404 errors:
Warning
This tool removes pages from Google searches. This option helps after you remove spam pages so that Google knows they are not part of your site.
Consider taking additional steps to harden and protect your website to prevent future blacklisting. Those include applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.
The number of exploited vulnerabilities grows daily. Trying to keep up with that can be a daunting task. Website Firewalls were invented to provide a perimeter defense system surrounding your website.
Benefits of using a website firewall:
With FastComet, you also get Imunify360 and other powerful extras.
Additionally, if you use WordPress, you should always use the latest version of WordPress.
If your website is ever blacklisted, then your traffic will drop dramatically. It can also cause irreparable damage to your reputation, as Google actively warns visitors to stay away from your website.
Fortunately, there are ways to monitor Google’s blacklist. All we have shared in this guide should help you remove your website from it as quickly as possible.
We hope you find this article useful. Discover more about FastCloud - the top-rated Hosting Solutions for personal and small business websites in four consecutive years by the HostAdvice Community!