My WordPress Site Was Flagged by Google — What Now?

You've just found out your WordPress site is showing visitors a red "Dangerous site" warning, or your search traffic has dropped off a cliff and Google Search Console is showing a security alert. This is fixable — but you need to move in the right order. Here's exactly what to do.

What Google's warning actually means

When Google flags a site, it's using its Safe Browsing database — a constantly updated list of sites that have been found distributing malware, hosting phishing pages, or engaging in other deceptive behaviour. When someone tries to visit a flagged site using Chrome (or any browser that uses the Safe Browsing API), they see a full-page red warning before they can proceed.

There are a few different types of flags Google can apply. "Dangerous site" usually means Google found malware or malicious downloads on your pages. "Deceptive site ahead" typically means a phishing page — content designed to steal login credentials. "Harmful programs" means the site was distributing software Google considers unwanted.

In Google Search Console, the Security Issues section will tell you specifically what type of issue was detected and which URLs were affected. If you haven't set up Search Console yet, this is the moment to do it — you need it to submit a review request after you've cleaned up.

One important thing to know: Google does not flag sites in real time. There's usually a lag of days or even weeks between when malware appears on a site and when Google detects and flags it. Similarly, the flag won't be lifted the moment you clean up — you need to request a review, and that process takes time.

Is it a real infection or a false positive?

False positives happen, but they're rare. If Google is flagging your site, the most likely explanation is that malicious content is present, even if you can't see it yourself. Attackers routinely cloak: injected code checks the visitor's user agent, referrer or cookies and serves the clean page to a logged-in owner while serving spam, redirects or malware to search engines and ordinary visitors. A quick check is to fetch an affected URL with curl using a Googlebot user-agent string and compare the response with what your browser receives.

The most reliable way to check Google's view is Google's own Safe Browsing site status page in the Transparency Report (https://transparencyreport.google.com/safe-browsing/search). Enter your domain and it will show Google's current assessment and when the site was last checked.

You should also run your hosting provider's malware scanner. Most shared hosts (Bluehost, Namecheap, SiteGround and similar) include a scanner in the hosting control panel, sometimes as an add-on. Run a full scan from there.

If the Safe Browsing status page reports no unsafe content and your host's scanner is clean, either the flag has already lapsed or you may genuinely be looking at a false positive. Bear in mind that host scanners are signature-based and miss a lot: malware that has been obfuscated or hidden in a file the scanner does not inspect will come back "clean". In the false-positive case you can submit a review request immediately. If you suspect missed malware, contact your host's support team before submitting the review, because a review that fails sends you back to the end of the queue.

Step-by-step: get the warning removed

Step 1: Identify what Google found. Log in to Google Search Console, go to Security & Manual Actions → Security Issues. Note every URL listed. These are the pages where Google found the problem.

Step 2: Clean the infected pages. The safest approach is to restore your site from a clean backup taken before the infection. If you don't have one, contact your hosting provider; many can restore from their own server-level backups. If a restore isn't possible, you'll need to remove the malicious code by hand, which is harder to do correctly: backdoors are typically planted in several places at once (wp-content/uploads, theme functions.php, mu-plugins, .htaccess, wp-config.php), so cleaning only the URLs Google listed will leave the attacker's access intact. Whichever route you take, a restored backup still contains the same vulnerable plugin and the same credentials the attacker used, so Step 3 is not optional.

Step 3: Close the entry point. Cleaning the malware without fixing the vulnerability that let attackers in is pointless; they'll be back within days. Run a security scan on your site to identify which vulnerabilities are present. The most common entry points are outdated plugins and themes with publicly known vulnerabilities, and weak or reused administrator passwords brute-forced through wp-login.php or XML-RPC. Directory listing is not an entry point on its own, but it lets an attacker map your file structure and find the vulnerable plugin quickly, so turn it off too. Once the hole is closed, rotate everything the attacker may have copied: WordPress admin passwords, the database password in wp-config.php, the authentication salts, hosting and SFTP credentials, and any API keys stored in plugin settings. Finally, delete any administrator accounts you did not create.

Step 4: Submit a review request to Google. Once you're confident the site is clean, go back to Security Issues in Search Console and click "Request Review." You'll need to describe what you found and what you did to fix it. Be specific — "I removed malicious code from index.php and updated all plugins" is better than "I fixed the problem."

Step 5: Wait. Google's review process takes 1–3 days in most cases, though it can take up to a week. The warning won't disappear until the review is complete and Google re-crawls your site.
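For Steps 2 and 3, the following shell script is an added example (not code from the original page or from GuardingWP) of the checks a site owner can run over SSH on the WordPress docroot to find what a host scanner or a backup restore leaves behind. The directory layout, the seven-day window and the grep patterns are assumptions; the WP-CLI section runs only when the wp command is installed.

```shell
#!/bin/sh
# Added triage helper, not from the original page. Runs a handful of checks
# over a WordPress docroot for the indicators that scanners and backup
# restores commonly miss. Paths, thresholds and patterns are assumptions.

# PHP files inside wp-content/uploads. WordPress never stores PHP there,
# so any hit is almost always an uploaded webshell.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# PHP files changed in the last N days (default 7). Compare the list against
# your own update history; anything you did not touch is suspect.
recently_modified() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" -not -path '*/cache/*' 2>/dev/null
}

# PHP files using the obfuscation primitives typical of injected backdoors.
# Expect some false positives in legitimate plugins; treat hits as a review
# list, not a verdict.
suspicious_php() {
  grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|create_function\(' \
    --include='*.php' "$1" 2>/dev/null
}

# .htaccess rules keyed on the visitor's user agent: the classic way to show
# spam or malware to Googlebot while the owner sees a clean site.
cloaking_htaccess() {
  grep -rliE 'HTTP_USER_AGENT.*(googlebot|bingbot)' --include='.htaccess' "$1" 2>/dev/null
}

# Full triage run. The WP-CLI part compares core and plugin files against the
# copies on wordpress.org, lists plugins with pending updates, and lists the
# administrator accounts so rogue ones stand out.
triage() {
  docroot=$1
  echo "== PHP in uploads";          php_in_uploads "$docroot"
  echo "== Modified in last 7 days"; recently_modified "$docroot" 7
  echo "== Obfuscation primitives";  suspicious_php "$docroot"
  echo "== User-agent cloaking";     cloaking_htaccess "$docroot"
  if command -v wp >/dev/null 2>&1; then
    echo "== Core files differing from wordpress.org"
    wp core verify-checksums --path="$docroot"
    echo "== Plugin files differing from wordpress.org"
    wp plugin verify-checksums --all --path="$docroot"
    echo "== Plugins with updates available"
    wp plugin list --update=available --path="$docroot"
    echo "== Administrator accounts (look for ones you did not create)"
    wp user list --role=administrator \
      --fields=ID,user_login,user_email,user_registered --path="$docroot"
  fi
}

# Usage: sh triage.sh /var/www/example.com
if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it before and after the cleanup: the "after" run should come back empty for the first four sections and show no checksum mismatches. A file that fails `verify-checksums` is not automatically malicious (some plugins ship with modified files), but every mismatch should be explained before you request the review.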

If it's confirmed: notify your users

If you've confirmed an active infection, you have an obligation to notify any users who may have been affected — especially if your site collects personal information, handles logins, or processes payments.

This doesn't have to be a formal legal notice (though depending on your location and the data involved, it might be). At minimum, send an email to your users explaining what happened, what data may have been exposed, and what you've done to fix it.

If your site handles payments, stop processing them immediately and contact your payment processor. A compromised WooCommerce store or booking system has contractual obligations under PCI DSS (and, depending on jurisdiction, breach-notification law), and your processor needs to know so it can monitor for fraud on affected cards. This applies even if you use a hosted checkout that never sends card numbers to your server: a skimming script injected into your pages can capture card details as customers type them, before they ever reach the payment provider.

For service businesses with a contact form or email list: change your email account passwords and check whether any emails were accessed or sent without your knowledge.

Recovery timeline: what to expect

Here's a realistic timeline for recovering from a Google flag:

Day 1: Discover the issue, contact your host, run malware scan, start cleanup or restore from backup.

Day 2–3: Finish cleanup, verify the site is clean, fix underlying vulnerabilities, submit review request to Google.

Day 3–7: Google reviews and re-crawls. Warning is lifted once Google confirms the site is clean.

Week 2 onwards: Monitor Search Console for any recurrence. Watch your search traffic — it typically recovers within a few weeks after the flag is lifted, but it can take longer for heavily affected sites.

The sooner you act, the better. Every day the flag is up, you're losing traffic and visitor trust.

How to prevent this from happening again

Google flags sites that have already been compromised. The prevention is identical to standard WordPress hardening: keep everything updated, close the most common attack vectors, and monitor regularly.

The specific weaknesses that most often lead to infections, and therefore to Google flags, are outdated plugins and themes with known security issues, weak or reused administrator passwords, XML-RPC left open so those passwords can be brute-forced in bulk, and directory listing that lets attackers map your file structure and spot the vulnerable plugin.

Weekly automated scanning catches new plugin vulnerabilities as they're disclosed, so you can update before attackers exploit them. That's the window, between a vulnerability being published and sites being mass-exploited, where monitoring pays off. For plugins you trust, enabling WordPress's built-in automatic updates (available for plugins and themes since WordPress 5.5) shortens that window further.
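For the hardening described here and in Step 3 above, the script below is an added example (not code from the original page or from GuardingWP) that writes the two Apache rules the article singles out into a site's .htaccess in an idempotent way and, when WP-CLI is present, rotates the secrets an intruder may have copied. Apache 2.4 syntax is assumed; the marker comments and file paths are made up for the example.

```shell
#!/bin/sh
# Added hardening helper, not from the original page. Appends a marked block
# of Apache 2.4 directives once (re-running is a no-op) and rotates secrets
# via WP-CLI if it is installed. Marker text and paths are assumptions.

MARK_BEGIN='# BEGIN added-hardening'
MARK_END='# END added-hardening'

# Returns 0 if the file already carries the hardening block.
htaccess_hardened() {
  grep -qF "$MARK_BEGIN" "$1" 2>/dev/null
}

# Append the block exactly once. Caveat: blocking xmlrpc.php breaks Jetpack
# and the WordPress mobile apps, which still use it; if you rely on those,
# rate-limit it at the web server or with a plugin instead of denying it.
harden_htaccess() {
  htaccess_hardened "$1" && return 0
  cat >>"$1" <<EOF
$MARK_BEGIN
# Directory listing: the weak setting is "Options +Indexes" or no setting at
# all on a server whose default is to list directories.
Options -Indexes
# XML-RPC: used for credential brute-forcing (system.multicall) and pingback
# amplification; deny it outright.
<Files "xmlrpc.php">
    Require all denied
</Files>
$MARK_END
EOF
}

# Number of hardening blocks present; should be 1 after any number of runs.
hardening_count() {
  grep -cF "$MARK_BEGIN" "$1" 2>/dev/null || true
}

# Rotate what an intruder may have stolen. A no-op without WP-CLI.
# shuffle-salts invalidates every login cookie, including your own, and
# admin passwords still have to be reset by hand (wp user update <id>
# --user_pass=...), as does the database password in wp-config.php.
rotate_secrets() {
  command -v wp >/dev/null 2>&1 || return 0
  wp config shuffle-salts --path="$1"
  wp plugin update --all --path="$1"
  wp theme update --all --path="$1"
}

# Usage: sh harden.sh /var/www/example.com
if [ -n "${1:-}" ]; then
  harden_htaccess "$1/.htaccess"
  rotate_secrets "$1"
fi
```

On nginx the equivalent is `autoindex off;` plus a `location = /xmlrpc.php { deny all; }` block in the server config rather than .htaccess, which nginx ignores. Whichever server you run, confirm the directives took effect by requesting `/wp-content/uploads/` and `/xmlrpc.php` in a browser afterwards: both should return 403.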

Related fix guides

GuardingWP checks your site for the 11 most common WordPress vulnerabilities — plus scans your installed plugins against the known CVE database. Free, no account required.

Scan your site to find the vulnerabilities Google found →

Prefer to have this handled for you? Get this fixed — Full Hardening ($149)

Already cleaned up and want forensic certainty before declaring victory? See the Forensic Toolkit →