Guide to Dealing With Google's Malware Warnings

Have you ever visited a site only to be greeted with the image shown below? Do you leave quickly? Have you visited one of your own domains only to see this warning displayed?

Google reported attack site warning.

If Google detects that your site has been compromised, Google will tell you about it in Webmaster Tools. You can also have your Google Message Center messages forwarded to your email account. If the hacker inserted malware into your site, Google will also identify your site as infected in its search results to protect other users. If your default browser is Firefox, you will see the image shown above displayed.

The majority of blacklisted sites are legitimate websites into which hackers have inserted malicious content. Often, site owners have difficulty both cleaning up their sites and removing the malware warnings that seriously impact their sites' traffic and reputation.

If the site is your own site, you should click on the button "Why was this page blocked?" You should see an image like the one shown below. NOTE: I have removed the site identification information.

Safe browsing notice from Google.

If your site is blacklisted and you want to resolve this issue, you should:

  1. Find out why your site has been blacklisted by interpreting Google's safe browsing advisory.
  2. Clean up and secure your site.
  3. Using Google's webmaster tools, request a malware review.

Interpreting Diagnostic Pages

First, you will need to figure out what the safe browsing advisory is telling you. Determine what is blacklisted: the entire site, one page or one directory. You can get this information at the very top of the diagnostic page, which says “Diagnostic page for <URL>”, where URL is the topmost level at which all web pages are blocked. Examples:

  • my-site.com/index.html – only this page
  • my-site.com/folder-name/ – everything below /folder-name
  • blog.my-site.com – the whole blog which is a subdomain of my-site.com
  • my-site.com – the whole domain and its subdomains
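
To see which of your own URLs fall under a reported scope, the four cases above can be written as a small matcher. This is an added example, not code from Google or from the original article; the function names and the sample URLs are constructed, and the matching rules are an interpretation of the four examples listed above.

```python
from urllib.parse import urlsplit

def _split(value):
    """Split 'host/path' or a full URL into (lowercased host, path)."""
    parts = urlsplit(value if "//" in value else "//" + value)
    return parts.hostname or "", parts.path

def is_covered(scope, url):
    """Return True if `url` falls under the blocked `scope` from the diagnostic page."""
    s_host, s_path = _split(scope)
    u_host, u_path = _split(url)
    u_path = u_path or "/"
    # Host rule: the scope host itself and every subdomain of it.
    if u_host != s_host and not u_host.endswith("." + s_host):
        return False
    if s_path in ("", "/"):        # bare host: everything on it
        return True
    if s_path.endswith("/"):       # directory: everything below it
        return u_path.startswith(s_path)
    return u_path == s_path        # single page: exact match only

def covered_urls(scope, urls):
    """Filter a list of site URLs (for example from a sitemap) down to the blocked ones."""
    return [u for u in urls if is_covered(scope, u)]

# Constructed sample URLs for a site using the article's example names.
SITE_URLS = [
    "https://my-site.com/index.html",
    "https://my-site.com/about.html",
    "https://my-site.com/folder-name/gallery/1.php",
    "https://my-site.com/folder-name-2/readme.html",
    "https://blog.my-site.com/2010/post",
]

if __name__ == "__main__":
    for scope in ("my-site.com/index.html", "my-site.com/folder-name/",
                  "blog.my-site.com", "my-site.com"):
        print(scope, "->", covered_urls(scope, SITE_URLS))
```

A narrow scope (one page or one directory) tells you where to start looking; it does not mean the rest of the site is clean.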

Next, you can see when Google last visited your site and when the suspicious content was found. You will find these dates listed under the paragraph “What happened when Google visited this site?”

If you still don't understand why Google thinks your site is suspicious, the information about malicious and intermediary domains may help you identify and locate the source of the problem. This information can be found in the “What happened when Google visited this site?” section of the diagnostic page.

Clean Up Your Site

Once you know what the source of the problem is, you will then need to clean up your site. Then you will need to take some actions to make sure this does not happen again.

Normally, the easiest way to clean a site is to restore everything (files, database, configuration files) from a clean backup copy. You will need to make sure the hackers have not left any scripts on your site, which could very well be hidden deep within your directory structure. You can delete all of the files from your site, making sure you are not deleting files your host has put there. Before restoring the site from your backup, you will need to make sure the files on YOUR computer have not been compromised.

Make sure that the computer you use to work on your site is not infected with a virus or malware by running a scan or scans. You should do this on a regular basis. Make sure that your security software is up-to-date.

Next you should change all site passwords and update all third-party scripts you might use on your sites.
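
Before deleting or restoring anything, it helps to know exactly which files on the server differ from the clean backup, including ones hidden deep in the directory tree. The script below is an added example, not part of the original article: it hashes every file in both trees and reports what was added, modified or removed. The function names are hypothetical and the demo data is constructed in temporary directories.

```python
import hashlib, os, tempfile

def tree_hashes(root):
    """Map each file path (relative to `root`, '/'-separated) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out

def compare_to_backup(backup_root, live_root):
    """Return files added to, modified on, or missing from the live copy of the site."""
    backup, live = tree_hashes(backup_root), tree_hashes(live_root)
    common = set(live) & set(backup)
    return {
        "added": sorted(set(live) - set(backup)),
        "modified": sorted(p for p in common if live[p] != backup[p]),
        "missing": sorted(set(backup) - set(live)),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Build a constructed backup/live pair and compare them."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root in (backup, live):
            _write(root, "index.html", "<h1>Welcome</h1>")
            _write(root, "css/site.css", "body{margin:0}")
        # Constructed differences standing in for changes you did not make.
        _write(live, "index.html", "<h1>Welcome</h1><!-- unexpected change -->")
        _write(live, "images/cache/old/x.php", "placeholder for an unknown file")
        os.remove(os.path.join(live, "css/site.css"))
        return compare_to_backup(backup, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files your host placed on the server will show up as "added" if they are not in your backup, so review that list rather than deleting it wholesale. The comparison covers files only, not database content.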

Request Malware Review

Once you have cleaned your computer (if it was infected) and republished your cleaned site, you will need to submit a request to have Google remove your site from their blacklist. This step is required! If you skip it, it may take several weeks before the status of your site or sites is cleared. Once you submit the request, it should take only a few hours to complete the review and remove the warning if your site is clean.

Your request will do two important things:

  • First, it tells Google that you (as the owner of the site) are aware that there is a problem and have already taken action to remedy it.
  • Second, it puts your site on a priority list so that it should be scanned within 24 hours.

Reviews are approved if Google determines that your site shows no signs of being harmful or possibly deceptive to Google users.

Important Note: BEFORE you can request a review, you must add your site to Google Webmaster Tools and verify ownership of the site.

Prevention

To keep your site safe, Google encourages all site owners to implement the maintenance and security plan created in Step 7: Clean and maintain your site.

What can you do to protect your site? While nothing guarantees absolute security, a few basic practices and principles can help you prevent website badware and protect your visitors. Preventing badware on your website requires protecting three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site. See Preventing badware: Basics for more details, but the three areas are:

  1. Protect your site and monitor your site's health
  2. Passwords and permissions
  3. Protect your computer and network connections

Additional Resources