A Detailed Guide on How to Remove Google Blacklist Warning

Google blacklists 10,000+ websites every day. For most website owners, the security warnings, hack indicators, and diagnostic pages can be daunting. It's difficult to focus on fixing your hacked website when all of your visitors are being blocked from accessing your site. We compiled this guide to help webmasters remove website hacks and Google warnings so that you can restore your website and reclaim visitors, revenue, and SEO rankings.

Also read:

10 Ways You Can Build Online Trust and Reputation

Guard Your Website Reputation: Stay Protected with SSL

6 Ways to Protect Your Website From Security Hacks

Step 1: Review Warning Status

1.1 Identify Website Security Warnings

Your website is blacklisted because Google scanned your site and found harmful behavior. Google needs to protect its users from dangerous websites that show up in their search results. In fact, websites that repeatedly get blacklisted for malicious behavior are limited to only one review every 30 days. That big red splash page (and warnings next to your site in Google's search results) are designed to stop visitors from entering your site. It works, too. Websites lose about 95% of their traffic when blacklisted by Google.

If you are seeing security warnings when trying to reach your website:

  1. Review the images below and common Google blacklist warnings.
  2. Identify the type of warning you are seeing on your site.
  3. Follow this guide to fix security issues and request a review.

The specific warning message on your site can help you to understand what Google is telling you about the type of security issues they found on your site. This information will be useful in the following sections of this guide.

Also read: 4 Things That Will Make Your Website Unhackable

Website Malware Warnings

There are common malware warnings that suggest your hacked website is serving malicious downloads such as viruses, spyware, rootkits, and ransomware. Most browsers use Google's blacklist API, but Microsoft (IE/Edge) have their own.

Website Phishing Warnings

There are a number of phishing warnings, meaning your visitors are being tricked into revealing personal information such as passwords and credit card data. These Google warnings can also mean your site contains malicious advertisements or malvertising. The new unwanted software warning may indicate malicious ads or scams.

Also read: 4 Things That Will Make Your Website Unhackable

Google Search Warnings

When your site shows up in Google, warnings in search engine result pages(SERPs) show if spam or redirects are detected on your site. These can also be triggered if your hacked site is used to infect visitors with malicious software through drive-by-downloads. If your site is not showing the red warning page yet, but these warnings appear in your search results, it can indicate malicious scripts and iframes are being loaded from third-party sites.

1.2 - Review Diagnostic Pages

Every one of those red warning pages will link to another page that describes why the website is being blacklisted by Google. The main button you see on the page is for visitors, and often reads something like, Get me out of here or Back to safety - but there is always another link for the website owner to find out more.

To find your Google Diagnostic Page:

  1. Visit the Google Transparency Report website.
  2. Enter your website URL
  3. Review the Site Safety Details and Testing Details using the guide below

Site Safety Details

In the report, you may be presented with dangerous websites, which where malicious content is being detected on your site. Note these URLs as they will be helpful when you are ready to remove the malware from your site.

This indicates traces of malicious domains on your site. It may be a hidden iframe, external script, or unauthorized redirect. Note these domain names to scan for them.

This section also includes information about whether your site is serving malicious redirects or downloads hosted on your server.

Testing Details

Next, look for the scan date (how recently Google scanned your site) and the discovery date (when the suspicious content was originally detected). These dates can help you later when reviewing files that were modified recently.

If you already attempted to clean up your site, but the scan date is more recent, Google believes your site is still infected.

1.3 - Scan for Malware

You can use any free tool available out there to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.

To scan your website for hacks and blacklist warnings, you can use any available resource like Sucuri SiteCheck or cwatch..:

  1. Visit the SiteCheck website and enter your website URL.
  2. Click Scan Website.
  3. If the site is infected, note any payloads and file locations found by SiteCheck.
  4. Click Blacklist Status to see if you are blacklisted by other authorities.

If SiteCheck is able to find a payload, this can help narrow your search. You can also manually review your site to look for suspicious elements. You can also use other tools such as UnmaskParasites.

Step 2: Fix Blacklist Symptoms

2.1 - Remove File Infections

To perform complete malware removal, you should be able to edit files on your server. If you are not comfortable with this, get professionals to clean your site or contact your web host for help.

File Replacement

If you use a CMS such as WordPress or Joomla, you can safely rebuild the site using fresh copies of your core files and extensions directly from the official repositories. Custom files can be replaced with fresh recent backup, as long as it's not infected.

Malicious Domains and Payloads

If SiteCheck or the Diagnostic Page indicated any malicious domains or payloads, then you can start looking for those files on your server. The discovery date can also narrow your search to files modified around that timeframe.

To manually remove a malware infection from your website files:

  1. Log into your server via SFTP or SSH.
  2. Create a backup of the site before making changes.
  3. Search your files for any reference to malicious domains or payloads you noted.
  4. Identify unfamiliar or recently changed files.
  5. Restore suspicious files with copies from the official repository or a clean backup.
  6. Replicate any customizations made to your files.
  7. Test to verify the site is still operational after changes.

Hackers change malicious sites fairly often to avoid detection. As a result, Google's diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

If you can't find the "bad" content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits.

2.2 - Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies offer PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from your database tables:

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (i.e., spammy keywords, links).
  4. Open the table that contains suspicious content.
  5. Manually remove any suspicious content.
  6. Test to verify the site is still operational after changes.
  7. Remove any database access tools you may have uploaded.

You can also manually search for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

2.3 - Prevent Reinfection

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors, malicious admin users, and overlooked vulnerabilities.

User Accounts

Don't overlook user accounts! Stolen passwords can allow hackers to get back into your site. To clean up your user accounts:

  1. Confirm all website user accounts are valid:
    • CMS users
    • FTP/SFTP/SSH users
    • Database administration panels (PHPMyAdmin, etc.)
    • cPanel accounts
    • Hosting company logins
  2. Change all passwords for all users.
  3. Enable two-factor-authentication (2FA) if it is available.

Hackers change malicious sites fairly often to avoid detection. As a result, Google's diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

Often backdoors are embedded in files named similar to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

It is critical that all backdoors are closed to successfully clean a website hack and, otherwise your site will be reinfected quickly.

Secure Computing

It is possible for infections to jump from a computer to your website by using CMS and file transfer applications. All computers used to access your website should be secure. Have all users scan their computers with an antivirus program.

Here are some antivirus programs we recommend:

Step 3: Final Steps

3.1 - Get Google Search Console

To remove the blacklist warning you need to let Google know that you have completely cleared the infection. To do this, you must have a Google Search Console account (formerly Webmaster Tools).

To verify ownership of your website in Google Search Console:

  1. Open Google Webmaster Central.
  2. Click Search Console and sign in with your Google account.
  3. Click Add a site.
  4. Type in your site's URL and click Continue.
  5. Verify your site using the Recommended method or Alternate methods options.
  6. Click Add a site.
  7. Click Verify.
  8. Check the Messages section to review any warnings.

Other Blacklists

Google Safebrowsing is not the only website blacklist out there, however many other authorities use Google's API to add malicious websites to their own blacklists. Once your website is on the Google blacklist, it's only a matter of time before other blacklists pick up your website and add it to their own lists.

Antivirus programs and other search engines also want to warn their users when a website is dangerous. Each has their own console and review process. In order to remove your site from their lists, you need to go through the steps to let them know your website is clean.

In most cases, after the scan for malware in the first step, the results will indicate whether your site has been blacklisted by other authorities. The review process should be similar to Google Search Console. For example, the McAfee blacklist has a review submission form, and both Bing and Yandex have their own webmaster tools that you should sign up for.

Other popular blacklist authorities:

  • McAfee SiteAdvisor
  • Bing Blacklist
  • Yandex Blacklist
  • Norton SafeWeb
  • PhishTank
  • Spamhaus
  • BitDefender
  • ESET

3.2 - Request Security Review

If you do not request a review, Google may think you haven't finished the site cleanup. By requesting a review, you are telling Google that you are ready for them to rescan your site. Google is now limiting repeat offenders to one review request every 30 days. Do not try to trick Google either, as it may not pass the review process. For example, if the site is empty, it won't pass a review. Be sure your site is clean before proceeding!

To request a security issue review from Google:

  1. Navigate to the Security Issues tab in Search Console.
  2. Review the issues to confirm all have been cleaned.
  3. Check the box to confirm I have fixed these issues.
  4. Click Request a Review.
  5. Fill in the information with as much detail as possible about what was cleaned.

To request a spam review from Google:

  1. Navigate to the Search Traffic tab in Search Console.
  2. Click the Manual Actions section.
  3. Review the issues to confirm all have been cleaned.
  4. Click Request a Review.
  5. Fill in the information with as much detail as possible about what was cleaned.

The process will be similar for other blacklists such as McAfee, Bing, Yandex, and Norton.

3.3 - Wait and Protect Brand

Once you have submitted the blacklist removal request it can take a few days for Google to review your site.

Have Google Recrawl Your Site

If the title and description of your web pages were infected with spam, it can take time for your search results to change back. This is because Google only crawls your site every so often. Fortunately, in Search Console, you can ask Google to refresh certain pages and the links on those pages.

To force Google to recrawl your site:

  • Navigate to the URL inspection tool.
  • Enter your homepage or leave the field blank.
  • Hit the enter button and wait.
  • Click Request Indexing to complete the process

This will have Google crawl your site or page. If you have other pages showing in Google search results with spam in the title and description, you can also crawl those pages separately.

Remove Spam URLs

If spam pages were removed from your site, they may have been indexed by Google already. The spam pages can create 404 (Not Found) errors when they are removed from your site. You can use the URL Removal Tool to tell Google these spam pages should be removed from their index.

To remove spam URLs causing 404 errors:

  • Navigate to the Google Index tab in Search Console.
  • Click the Remove URLs section.
  • Click the Temporarily Hide button.
  • Enter the URLs of spam pages that have been removed.
  • Click Continue.

Website Protection

You should also consider taking more steps to harden and protect your site. This includes applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to surround your website with a professional defense system.

Benefits of using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  2. Virtual Security Update

    Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren't supposed to be there, making sure they can’t use brute force automation to guess your password.

  4. Mitigate DDoS Attack

    Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  5. Performance Optimization

    Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

Share this post

Comments (0)

Leave a comment

Powered by Simple Blog