Google Safe Browsing "Deceptive site ahead" warning

What’s actually happening

Visitors hit a full-screen red page instead of your site, and most click away immediately. The same warning shows up in Firefox and Safari because they pull from the same Google Safe Browsing list. Organic traffic falls off a cliff within hours of listing, and the URL often gets demoted or pulled from search results too. The warning sticks until you clean the site and pass a re-review.

Common causes

• A hacked site serving injected phishing pages or fake login forms, usually in directories you never created
• Malware or a drive-by download script injected into theme files, plugins, or the database (often base64-encoded JavaScript appended to legitimate files)
• An outdated plugin or theme with a known RCE/upload vulnerability that gave an attacker a foothold
• Stolen or weak admin/FTP credentials used to plant content
• User-generated spam (comments, forum posts, open redirects) pointing to phishing or scam domains, which Google attributes to your domain

How to fix it

1. Confirm the listing and read the exact reason in Search ConsoleOpen the property in Google Search Console and go to Security & Manual Actions -> Security issues. Google names the category (Social engineering, Malware, or Harmful downloads) and lists sample affected URLs. Cross-check at transparencyreport.google.com/safe-browsing/search by entering your domain. If the property is not verified yet, verify it now via DNS TXT or HTML file upload.
2. Find and remove the injected contentScan the filesystem and database. Look for recently modified PHP files (`find . -name '*.php' -mtime -14` over the webroot), unfamiliar files in /wp-content/uploads, base64_decode/eval/gzinflate blobs, and rogue admin users. Compare core files against a clean download of the same version. Pull the malware, not just the symptom — a single backdoor will reinfect you in hours if left behind.
3. Close the entry point and rotate every credentialUpdate WordPress core, every plugin, and the theme to current versions. Delete anything you are not actively using. Reset the admin password, database password, all FTP/SFTP and hosting panel logins, and any API keys. If you do not know how they got in, assume credentials were stolen.
4. Request a reviewBack in Security issues, expand the issue, tick "I have fixed these issues," then Request Review. Write what you found and what you changed — vague requests get bounced. Malware reviews often clear within a day; social-engineering reviews can take several days. Do not submit until the site is genuinely clean, because a failed review pushes you to the back of the queue.
5. Re-scan after the warning liftsReinfection is common when the original hole is missed. Keep a malware scanner running, watch Search Console for a week, and confirm transparencyreport.google.com shows the domain as clean.