Although you’re not aware of anything changing on your WordPress site, suddenly, there’s a “Dangerous Site” warning by your site’s URL in your browser’s address bar, and you’re not sure what happened.
A huge red warning screen appears on Google Chrome, Mozilla Firefox, Apple Safari, and other browsers when anyone comes to your WordPress site. It says your site “is dangerous or deceptive.” This warning screen strongly suggests that visitors should not continue to your site, making it hard for them to do so.
Maybe you’ve seen this, or it has happened to you.
What has gone wrong?
In brief, your site has been blacklisted by the Google Safe Browsing service as a “phishing” or “malware” infected site.
Of course, this is bad. Very bad. But you will be able to fix it.
iThemes Security integrates with the Google Safe Browsing API to show your current blocklist status. If your site is marked as deceptive, you’ll have to go through the steps of clearing it and restoring your reputation with Google.
Unfortunately, if your site has been flagged by Google, it’s probably been hacked for several days. You’re now reacting to a security breach that could have been prevented from occurring in the first place.
That’s why the Site Scan feature in iThemes Security Pro is so important. It will notify you right away when there’s a known vulnerability on your WordPress website so it can be addressed before it’s exploited by a hacker.
In this guide, you’ll learn how to clear a site that’s been flagged as deceptive. We’ll cover all the details of why your site has been marked as deceptive and exactly what you need to do to get off the blocklist and recover. We’ll also show you how to prevent this from ever happening again by hardening your site’s security with iThemes Security Pro.
What Is the Deceptive Site Ahead Warning?
Simply stated, the Deceptive Site Ahead warning is Google screaming at all of your site users that your site is not safe for browsing. In other words, your site has malware on it that can infect visitors’ devices, or it’s being used to make phishing attacks with phony forms that collect sensitive information. Your visitors may be exposed to pages full of spam or unsafe, inappropriate content. Or, they may encounter forms that ask for personal information, passwords, or credit card details.
The Deceptive Site Ahead warning appears when a visitor to your infected site clicks through from a search result. It will appear as a large red warning screen (often referred to as the red screen of death) before the user clicks through to the site. Your site will be marked “Dangerous” in visitors’ browsers’ address bar.
But the warning isn’t exclusive to only Google or Chrome. This is because all of the other browsers are using the same blocklist from Google to protect users. Because of this, whether a user accesses your site with Chrome, Firefox, Safari, IE, or Opera, they’ll still see a variant of the same warning.
How to Confirm a Site had Been Flagged as “Deceptive”
The Site Scan feature in iThemes Security Pro will notify you immediately if your site has landed on Google’s list of deceptive and suspicious sites because it integrates with Google’s Safe Browsing service, which is the source of their blocklist.
If you’re a Google Search Console user and have your WordPress site connected to your Google Search Console account, you’ll notice flagged warnings within the tab labeled “Security Issues.” The Search Console will send you emails about any security issues that arise with any site you have connected to it.
Another way to check if any site has landed on the Google Blocklist is to use the Google Safe Browsing search tool.
If these indicators show that your WordPress site has landed on the Google blocklist it’s almost certainly because your site has been hacked and is now deceptive to users. That is why Google is telling all your visitors that your site is probably dangerous to them. It’s a serious situation to be in as a site owner. Even if visitors aren’t damaged by a compromised site, their distrust can cause considerable loss to you, your site, your brand’s reputation, and any associated businesses or organizations.
Why Exactly Does the Deceptive Site Ahead Warning Appear On Your Site?
As you’ve already learned, the Deceptive Site warning is a definitive sign that your WordPress site has been broken into and hacked by an unauthorized user. However, Google may not provide specific information pinpointing the root cause of your site’s security breach. To narrow down the possibilities, you need to understand the three main categories of compromised sites Google will flag as “deceptive” and warn your visitors away:
- Your site contains malware or harmful programs. Visitors may be tricked into downloading and installing bad software, called malware, onto their computers. The malware may allow attackers to damage, control, or steal information from devices it infects.
- Your site tries to trick visitors into giving up sensitive information. Visitors may be subjected to “phishing” attempts to steal their passwords or credit card numbers.
- Your site tries to load programs from other suspicious sites. Visitors to your site may encounter pages that load bad scripts from other compromised or suspicious sites.
It’s important to be aware that the Deceptive Site warning is only one of the warnings Google uses to protect its users. Beyond the most serious situations that can bring up a warning, it’s possible that your site may contain one or more vulnerabilities that haven’t been exploited yet. It may not fully comply with proper security practices, such as using SSL-encrypted communication over HTTPS rather than HTTP. (A hacker monitoring an unencrypted WiFi network can steal users’ login credentials as they are passed to your site via unencrypted HTTP over an unencrypted network.)
Apart from a malware or virus infection, malicious backdoor files or code, phishing pages, and deceptive content, your site may have links to other questionable websites or domains Google has blocked for any of these reasons. In such cases, your site may also be flagged by Google, and visitors will be warned it is “not secure” or “may harm” their computer.
Needless to say, this is not good news for your site or your search rankings, even though Google no longer uses “safe browsing” as a page experience ranking signal.
As bad as the situation is, it would be much worse if the malicious attack had gone undetected. Now that you know your site is compromised, you’ll want to focus on identifying the specific causes and the extent of the damage so you can get it all cleared up as quickly as possible.
And remember, integrated with Google Safe Browsing API, the iThemes Security Pro Site Scan feature constantly scans your website to ensure it isn’t on Google’s blocklist due to malware or phishing. If Google has flagged your website as infected with malware, Site Scan will tell you, and it will also confirm when you are no longer on the blocklist.
How Do You Get Rid of The Deceptive Site Warning?
To remove the Deceptive Site Ahead flag from your site, you’ll first have to get rid of the malware infection that’s triggering the warning. Below, we’ll show you in detail what the steps are to removing malware from your WordPress site.
Here are the key steps to securing your site and getting rid of the deceptive site warning:
- Scan your site for vulnerabilities and malware.
- Update or remove vulnerable themes and plugins.
- Find and remove any malware from your site.
- Submit a request to Google to have the warning flag removed.
- Confirm you are no longer on Google’s Blocklist.
Before you start, keep a few key things in mind.
- Act Quickly! Other than the fact that removing malware can be a complex process, Google will be tracking how long it takes you to resolve a security issue with your site. This means that now is not a time to delay your response.
- Be Careful and Get Help. For most non-expert WordPress users, clearing malware is extremely difficult to do on their own and can lead to a broken site. If you need help, consult an expert, and make sure the sources of advice you consult online are authoritative.
- Fix the Root Problem. There’s a reason your site was hacked. It has underlying security issues that hackers were able to exploit. This could be vulnerable code or breached credentials for your WordPress site, your hosting account, or even your FTP username and password. If you remove the malware but don’t resolve the vulnerabilities, there’s a high probability that your site will be re-infected.
- Choose Plugins Wisely and Keep Them Updated. While there are many different ways that a hacker can break in, Patchstack reported in 2021 that over 90% of all vulnerabilities added to their database that year were in free plugins. You may need to stop using a poorly supported (or unsupported) plugin or start making timely updates to your site and plugins. WordPress itself and all well-supported plugins offer security updates as soon as they are aware of a vulnerability — but you have to make sure these updates are applied on your site. The iThemes Security plugin can help you make these decisions to ensure your site is protected.
Now, let’s look at the steps required to clear your site and remove the Deceptive Site Ahead warning for good.
1. Scan Your Site For Vulnerabilities and Malware
First, you need to find any malware that may be on your site.
You can use an online scanner such as Sucuri SiteCheck to scan for malware. Sucuri will scan all of the front-end code on your site that’s visible to the public. It’s a good initial step to take because it will confirm blacklisting and flag any known malware or malicious code embedded in your site’s pages and posts. It can also detect some errors and out-of-date software, but it is limited in what it can see and identify on the public-facing side of your site.
If you’re an expert, you can also do a manual scan through all your back-end files. Most reputable web hosts offer additional helpful tools and services to scan your site for vulnerabilities and malicious code. With quality-managed WordPress hosting taking care of security, you don’t need the added overhead of a malware scanner installed in WordPress.
If you’re using iThemes Security Pro and have enabled the Site Check features, iThemes Security Pro will already be reporting any issues flagged by Google Safe Browsing. If you aren’t using these features, you should turn them on now. Be sure to activate and set up iThemes Security Pro’s daily scanning tools if you haven’t yet. Make sure you’ve properly configured the reports to be emailed to you and anyone else responsible for your site’s security.
iThemes Security Pro will also report vulnerable plugins and themes or WordPress core vulnerabilities. Usually, these can be fixed by running needed updates. iThemes Security Pro will also report those needed updates to you with its dashboard alerts and emailed notifications. You should make all available updates immediately, but take note of the source of any reported vulnerabilities. They may be the entry point that was used to compromise your site.
Finally, iThemes Security Pro will report site errors and changes to files. You should set up file change detection to monitor core WordPress files and the /wp-content folder, especially the /plugins and /themes folders inside it. Normally, files in these folders should only change when there are core, theme, and plugin updates. Any other unexpected changes may indicate malicious activity.
2. Remove Any Malware and Bad Content From Your Site
After reviewing Google’s Safe Browsing report and scanning your site with iThemes Security Pro and the other tools we’ve mentioned, you probably have uncovered some likely sources of penetration and damage. Phishing pages and other bad content you didn’t put on your site may be highly visible and easy to find too.
Now that you see where the problems are that are driving the Deceptive Site Ahead warning, it’s time to get rid of any malware and unwanted links or other content. You are now in a position to make an informed description of the symptoms, if not a full diagnosis, of your site’s dysfunction. This is vital for focusing your cleanup work or explaining it to an expert to help them help you.
Do It Yourself
How to Clean a Hacked WordPress Site is our comprehensive guide to a thorough cleanup for hacked sites. You must perform these tasks quickly, and if this is beyond your expertise or capacity we recommend hiring an expert or using a trusted malware removal service.
The third-party service option we recommend is Sucuri. Hiring them for Website Malware Removal is a guaranteed win. Sucuri is our recommended hack repair and website malware removal partner. They offer live chat 24/7 and timely turnarounds on malware removal and hack repair. If your site has been deeply compromised, taken offline, or you’re unable to regain access to it, Sucuri can help.
Hire a WordPress Security Expert
Another option is to hire a WordPress security expert to help you out. Of course, we won’t speak for the effectiveness of other security experts. But make sure they are fully versed in the intricacies of WordPress security and the exact situation you presently find yourself in.
Some WordPress security experts are very expensive. And this is for a very good reason: What they do isn’t easy and can be quite technical. But how much is your site, brand, and reputation worth to you?
3. Get the Deceptive Site Ahead Warning Removed By Google
After all of the malware is cleaned from your site, it’s time to get the warning taken down by Google and return to business.
To do this, simply navigate to the Google Search Console and go to Security & Manual Actions >> Security issues. From here, select the button that says “Request Review.”
In a short amount of time, Google will take another look at your website, and they will remove the Deceptive Site Ahead warning after they remove it from their blocklist.
Of course, this will only happen if all of the malware has been properly removed and your site’s vulnerabilities have been shored up. If your site fails the review, it’s time to hire an expert. If your requests are rejected too many times Google will classify you as a “Repeat Offender” for thirty days and block you from additional reviews.
Google has some very nice documentation and a video about their review process that’s worth reviewing before you submit your request.
Avoiding the Deceptive Site Ahead Warning in the Future
Wouldn’t it be better to simply avoid getting on Google’s blocklist in the first place?
The most important lesson you can take from the experience of having your site hacked and blacklisted is that you can prevent it from ever happening again. All it takes are a few proactive, security-hardening steps.
Here are the six most important things you can do — quite easily with iThemes Security Pro — to make sure you never get hacked and land on a blocklist:
- Use quality hosting with SSL and enforce HTTPS by default. (iThemes Security Pro feature)
- Update WordPress and your plugins and themes as updates become available. (iThemes Security Pro feature)
- Choose plugins and themes carefully; they should be well-supported and issue security updates. Delete plugins and themes you don’t need or no longer use.
- Monitor known vulnerabilities affecting your site and changes to files that should not change much or at all. (iThemes Security Pro feature)
- Practice the principle of the least privilege. Don’t give people more access to your site than they need. Limit the number of users in the Administrator role and update them when those users’ roles change. (iThemes Security Pro feature)
- For your WordPress site user accounts with higher privileges, use all these features in iThemes Security Pro:
- Log and monitor user activity for your WordPress site users with posting, editing, and administrator privileges. (iThemes Security Pro Feature)
If you take securing your WordPress website seriously, you absolutely need to be following this basic checklist. It’s a short version of our recommended WordPress security best practices and the full iThemes Security Settings Checklist.
Security is not a one-time task that’s done and safe to forget about, but many of these settings will only need to be made once to provide a solid security foundation for your WordPress site. The tools that require more frequent attention — monitoring updates, vulnerabilities, and user activity — do need informed attention to be useful to you as a security measure.
With all of the malicious attacks happening on the web every day, the only safe and responsible security practice is to adopt a security mindset and review your site’s health on a weekly or even daily basis. If you do this, it is extremely unlikely your site will be hacked and added to Google’s blocklist.
You Can Do This!
Removing a deceptive site warning from your website may seem like a challenging undertaking, but it really doesn’t have to be. By following these steps, you can remove the warning in no time.
Of course, this is now the time to really think about protecting your most precious digital asset in the future. Make sure you have your Google Search Console account set up for monitoring security issues and make sure you have the best security available for WordPress to protect your site. iThemes Security Pro continues to be the trusted source for WordPress security protection in an era of ever more brazen digital attacks. Prevent malicious attacks and deceptive site warnings before they can even get started.
Dan Knauss is a Technical Content Generalist for StellarWP. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.