This blog post gives information and a step-by-step guide on how to act and clean your site after your website is flagged for malware by Google.
Google is very proactive when it comes to protecting the safety of its customers. They scan millions of websites each day, looking for spyware, viruses, and other kinds of dangerous malware that may put their users at risk.
Once Google has identified malware on a website, they will flag it as being a risk for visitors. This warning will be shared across all Google products, affecting how it appears in Google search engine results, Google Chrome, Google Adwords, and other Google products.
For website owners, having a site flagged for malware is a very nasty surprise that can cause significant damage. It may dramatically reduce web traffic, kill your business’s online profits, negatively impact search engine rankings, and shut the site down for users of the Google Chrome web browser.
Fortunately, fixing this issue is fairly straightforward. This guide will explain what malware is and why your website may have been flagged. Then, we will tell you what to do if your website is flagged for malware by Google.
Malware is short for malicious software. It refers to any piece of software that is intentionally designed to damage a server, computer, or computer network.
Malware can come in many forms including executable applications, scripts, and executable files. Hackers often attempt to place malware on websites with the following objectives in mind:
Malware is often inserted into a website after a successful brute force attack, Cross-Site Scripting (XSS) attack, or SQL injection attack.
It might also be added to your website via a vulnerability in a content management system, theme, or plugin. There are many types of malware including:
The most common reason for a website being flagged for malware by Google is that your website has been hacked. A hacker might have installed malicious files to which visitors to your website are exposed.
In some cases, hackers might simply add a redirect to send visitors coming to your website to another location containing malware.
Finally, Google might flag your website if it is linking to another website that contains malware. You will need to identify which links go to the compromised website and remove them.
If Google has flagged your website as containing malware, it will immediately take steps to protect its customers. The most significant change relates to how your site appears in Google search engine results.
When your website appears in Google’s results, it may also display a warning which says This site may harm your computer:
This type of warning is usually triggered by a website having redirects to unsafe content or spam pages. In some cases, this warning will appear if your website has been hacked and is being used to distribute malware.
When someone clicks on your link in Google’s search engine results, they may also be redirected to a Website Malware Warning. They must read this warning and click Ignore this warning or View details to get through to your website.
This warning typically causes websites to lose about 95% of their Google search traffic. It will look different based on the web browser you are using.
Website malware warning in Google Chrome:
Google will also display warnings on websites that it suspects are phishing. Phishing is an attempt to gather sensitive information like usernames, passwords, and credit card details from users by fraudulent means.
These warnings may also be displayed if the advertisements on your website are determined to be malicious. In Google Chrome, this warning looks like this:
Google uses a variety of terms to tell customers that a website has been infected with malware, including:
Users of Google Search Console, Google Analytics, or Google Adsense may also receive separate warnings about the presence of malware on their websites.
This usually includes email warnings from Google and notifications in the dashboard sections of the Search Console, Analytics, or Adsense.
There are several steps you need to take if your website is flagged for malware. The steps include identifying why it is flagged by reviewing your site, cleaning the site for malware, and more. Let's look into it step-by-step.
There are multiple ways to discover why your website was flagged for malware.
If your website has one of the large Website Malware Warnings listed above, you can click on More Information, Details, or Why Was This Website Blocked to learn more about the cause of the problem.
You can also check your website’s status via the Google Safe Browsing site status page. Simply type in your domain name and hit enter to perform a search. Google will return Site Safety Details and Testing Details.
The Site Safety details will tell you if the malicious content has been found on your website and where that content is located. It might be a list of malicious files on your domain or pages which contain spam content.
It could also be an external script, unauthorized redirect, hidden iframe, or another external source of malware that is affecting your website.
The Testing Details section will tell you the discovery date of the malware and the last scan date. This can help you identify files that are affected as you can perform a search for files modified after a certain date.
If you have added your site added to Google Search Console (highly recommended), you will have already received details of any malware present.
To take a closer look at the issues that Search Console has found, click on the Security Issues link. It will list all issues by category.
You can click Show details to take a closer look at a particular issue.
For each problem, Google will share a list of affected URLs, damaged pages, and the type of damage that has been caused. Copy this information into a text document so you can easily refer to it later.
Another method for checking which pages may have been infected is by searching for site:yoursite.com in Google (replace yoursite.com with your domain name).
Any page that has the text This site may harm your computer may have malware on it. This is a useful step for identifying infected pages or new pages added by a hacker.
Google uses the following categories for malware and hacked websites on their Website Malware Warning pages, in Google Search Console, and in Google Safe Browsing listings:
The next step is to remove the malware from your website. You may need to perform additional scans to determine where the malware is located on your website and database.
This can be a complicated process, so it is often worth enlisting the help of a specialist.
Create a new text document that you will use to keep track of the types of malware warnings that you have received, the affected URLs, and any other useful information.
Avoid visiting your website during this process, as you may spread the malware onto your computer. Instead, review pages using the Google Safe Browsing site and Google Search Console.
You can also use third-party site scanning products. They may prove you with additional information about the malware on your website and any security issues that are present.
When you need to examine a web page to check its content or to remove malicious content, do so with SFTP or SSH. Visiting the website via a web browser before you have removed any malware could make the problem worse.
You should make a backup of your website’s files and database before you begin this process. This will ensure that you can undo any accidental erasure of data or files.
Perform a scan of your website using some of the third-party tools listed above. This will help you identify malware locations, security issues, malicious payloads, and blacklist status with major authorities.
Make a note of malicious payload and file locations found by these programs.
These scans will help you determine if your website has been flagged by other security authorities. Once you have fixed your website, you may need to contact each authority to have your site removed from their blacklists.
You should also perform a scan of your website using a server-side antivirus application like ClamAV. This application will identify and remove most types of malware for you.
However, it is important to understand that a website vulnerability or backdoor may still exist after the malware has been removed. This vulnerability or backdoor will require manual patching.
Start by deleting any malware payloads on your domain that have been identified by your security scans. Malware payloads are usually standalone files that are inserted into pages or distributed to website visitors.
You may also have new pages added to your website which are full of malware or spam. Delete these files by logging into your server via SFTP or SSH and manually removing them.
If the scans have found that the pages of your website have been modified to include malware or redirects to a malware-infected page, you have two options for dealing with them.
If you are using a content management system like WordPress or Joomla, you can download source files from a trustworthy source and replace the infected files.
If you have an old backup of your website that you know is clean of malware, you can also use that.
You can manually log into your website using SFTP or SSH, then manually review each of the files to determine its authenticity and validity.
Start by sorting your file system by date. If there are new files that you don’t recognize, they may be a part of the malware distribution system installed by the hacker.
Manually check the files that are a part of your website for any alterations.
If you decide to manually review your website’s files and have a safe backup available, you can make the process faster. Log into your web server and use the diff command to compare your safe backup to the current website.
The command that will be used is:
So if your current website is located in the www directory and your backup website is in the backups/trusted-backup folder, use the command:
diff -qr x current-site /backups/trusted-backup/
You will receive a list of the modifications that have been made to your website’s files.
If the reports provided by Google or third party security scans have identified a URL associated with malware, you can also search for that URL in your files.
This may help you locate the page that is redirecting to that malware website or including its content.
When you perform this file review, remember that you aren’t just looking for malware. You are also looking for the backdoor that the hacker may have used to gain entry into the website.
Checkin the server, access, and error logs will help you learn more about how your website was infected. You might notice a new user has been logging into the server and you can check what commands they have been running.
If hackers have gained full access over your file system, they may have also inserted malware into your database. Tracking down modifications to your database may be time-consuming, but it must be done.
Alternately, you could restore an old database backup which you know is safe.
Google provides advice on their preferred method for cleaning each malware type. By following this advice, you can ensure that you have complied with their requirements.
Once you have identified and removed the malware, take steps to improve the security of your website.
Once you are certain that any malware and backdoors have been removed from your website, request a review from Google.
It’s important to understand that your website will only be eligible for one review every 30 days.
If you haven’t successfully removed the malware from your website, a failed review may mean a long wait. It usually takes a few days for Google to review a website.
Once your website has been reviewed and given the all clear, you should also have Google re-crawl it.
Thanks for reading, for more advice on handling malware contact our team at firstname.lastname@example.org