Fix: Google 'Dangerous Site' / 'Deceptive Site Ahead' Warning

Remove the red 'Deceptive site ahead' or 'The site ahead contains malware' warning shown by Google Chrome and Safe Browsing by cleaning your website and requesting a review through Google Search Console.

Troubleshoot 5 min read Updated 2026-05-13 Intermediate Cynet Support

Quick Answer

Google shows this warning when Safe Browsing detects malware, phishing, or harmful content on your site. To remove it: (1) Verify ownership in Google Search Console, (2) check the Security Issues report to see what Google flagged, (3) clean the infected files and reset credentials, (4) then click Request Review in Search Console. Reviews typically clear within 24–72 hours once the site is clean.

If visitors see a full-page red warning such as "Deceptive site ahead", "The site ahead contains malware", or "This site may harm your computer" when they open your website in Chrome, Firefox, or Safari, your domain has been flagged by Google Safe Browsing.

Safe Browsing is used by all major browsers, so a single flag effectively blocks most of your traffic until the warning is lifted. This guide walks through identifying the issue, cleaning the site, and submitting a successful review request to Google.

Symptoms

  • A full-page red warning appears before the site loads in Chrome, Edge, Firefox, or Safari
  • Google search results show "This site may be hacked" or "This site may harm your computer" below your listing
  • Traffic and conversions drop sharply, often within hours of being flagged
  • Email links to your domain are blocked or land in spam
  • Google Ads or Search Console emails report "Security issues detected on your site"

Common Causes

Google typically flags a site for one of the following reasons:

  • Malware — Malicious scripts injected into PHP, JavaScript, or .htaccess files (often via outdated WordPress, plugins, or themes)
  • Phishing pages — A hacker has uploaded fake login pages (banks, Microsoft, Google) into your hosting
  • Deceptive content — Misleading download buttons, fake "your computer is infected" ads, or social-engineering popups (often from compromised ad networks)
  • Unwanted software — Auto-downloading files, browser hijackers, or bundled installers
  • SEO spam / Japanese keyword hack — Hidden links or pages selling counterfeit goods inserted into your site
  • Compromised third-party scripts — A library you load (analytics, chat, ad tag) was hijacked

Step 1: Verify Your Site in Google Search Console

If you haven't already, you'll need Search Console access to see what Google detected and to request a review.

  1. Open search.google.com/search-console
  2. Click Add property → enter your domain (use the Domain property if possible — it covers all subdomains)
  3. Verify ownership using one of:
- DNS TXT record (recommended) — Add the TXT record provided in cPanel → Zone Editor - HTML file upload — Upload the provided verification file to /publichtml/ - HTML meta tag — Add the meta tag to your homepage's <head> section

Once verified, give Search Console a few minutes to load your data.

Step 2: Check the Security Issues Report

  1. In Search Console, open Security & Manual ActionsSecurity Issues
  2. Google will list the exact category of the issue (malware, social engineering, harmful downloads, etc.) and one or more example URLs
  3. Click each issue to expand it — Google often shows the type of malicious code or behaviour detected
Write down or screenshot every example URL. These are your starting point for clean-up.

Step 3: Review Detections in Imunify360

Option A — cPanel Imunify360

All Cynet hosting accounts include Imunify360, which runs as a real-time malware scanner — there is no "scan now" button because every file write is inspected as it happens. Your job is to review what it has already detected.

  1. Log in to cPanel
  2. Open Imunify360 under the Security section
  3. Go to the Malicious tab — this lists every file Imunify360 has flagged as malicious
  4. For each detection you can:
- View the file path and the malware signature that matched - Clean the file (Imunify360 removes the malicious code while keeping the legitimate parts of the file) - Move to Quarantine if you want to keep a copy for investigation - Delete the file outright
  1. Re-check the Files tab a few minutes later — the list should be empty or only show "Cleaned" entries
If you don't see any detections but Google still flags the site, move on to a WordPress plugin scan and an external scan — Imunify360 is excellent but no single scanner catches everything.

Option B — WordPress Security Plugin

If your site runs WordPress, install one of the following and run a full malware scan:

  • Wordfence (free) — WordfenceScan → enable "Scan files outside your WordPress installation"
  • Sucuri Security (free) — Sucuri SecurityMalware Scan
  • MalCare (paid) — Strong at detecting hidden/obfuscated malware

Option C — External Scanners

Cross-check with public scanners (they only see public-facing pages, but they're useful for verification):

Step 4: Clean the Infection

Work through every issue identified by the scans:

Restore from a Clean Backup (Fastest, if available)

If you have a known-clean backup from before the infection, this is almost always the quickest and safest fix:

  • Your own backup — If you keep local or off-server backups (downloaded full backup, plugin backup such as UpdraftPlus, or a staging copy), restore /publichtml/ and your database to a date before the compromise. In cPanel use Backup Wizard or File Manager to upload and extract, and phpMyAdmin to import the database
  • Cynet server backup — Cynet retains daily off-server backups of all hosting accounts. If you don't have your own backup, open a support ticket and tell us the rough date when the site was still clean. We can restore your entire account, just /publichtml/, or only specific files/databases from our server-side snapshots
After any restore, recheck Imunify360's Malicious tab to confirm no malicious files were brought back, and continue to Step 4 (Reset All Credentials) — restoring files does not invalidate stolen passwords.

Manual Clean-Up

If no clean backup is available:

  1. Remove malicious files identified by the scanner — be careful to keep legitimate WordPress core, theme, and plugin files
  2. Check core file integrity — In WordPress, reinstall core via DashboardUpdatesRe-install version X.X.X
  3. Replace themes and plugins — Delete each one and reinstall fresh copies from official sources. Never reuse "nulled" or pirated plugins — they're the most common malware vector
  4. Scan .htaccess files — Look for unusual RewriteRule, Redirect, or Header directives. A clean WordPress .htaccess is short and well documented
  5. Check wp-config.php — Look for prepended PHP code (often base64-encoded) before <?php
  6. Clear the database — Use a plugin like Wordfence to scan database tables for injected content (look in wpoptions, wpposts)
  7. Remove unknown admin usersUsersAll Users — delete any account you don't recognise
  8. Check scheduled tasks (cron) — cPanel → Cron Jobs — remove anything you didn't create

Reset All Credentials

Even after cleaning, assume credentials were stolen. Change:

  • cPanel password — See How to Reset Your cPanel Password
  • FTP / SFTP passwords — cPanel → FTP Accounts → change each password
  • WordPress admin passwords — For every admin user
  • Database password — cPanel → MySQL Databases → change password, then update wp-config.php
  • Email passwords — Especially the address used for password resets
  • Enable 2FA — Turn on two-factor authentication where available (see Enable 2FA for cPanel and Webmail)

Patch What Let Them In

  • Update WordPress core, all plugins, and your theme to the latest versions
  • Remove plugins and themes you don't actually use — every inactive plugin is still an attack surface
  • Switch PHP to a current, supported version via cPanel → MultiPHP Manager
  • Confirm SSL is active and HTTPS is forced (see How to Set Up SSL Using AutoSSL)

Step 5: Verify the Site Is Clean

Before requesting a review, you must be confident the site is actually clean — Google will re-flag you almost immediately if malware is still present, and repeated rejections delay the review.

  1. Recheck Imunify360's Files tab and re-run Wordfence / Sucuri — there should be zero active detections
  2. Use sitecheck.sucuri.net for a fresh second opinion
  3. Visit each example URL from the Search Console Security Issues report — confirm they no longer contain the flagged content
  4. Open your site in an incognito/private window on a clean device and click through key pages

Step 6: Request a Review in Google Search Console

Once the site is verified clean:

  1. Go to search.google.com/search-console
  2. Open Security & Manual ActionsSecurity Issues
  3. Click Request Review next to each issue
  4. In the review form, describe the actions you took. Be specific — vague answers are often rejected. Example:
> Identified malware via Imunify360 and a Wordfence scan. Cleaned 14 injected PHP files in /wp-content/uploads/ and /wp-content/plugins/ (cleaned via Imunify360, then verified manually). Reinstalled WordPress core, deleted and reinstalled all plugins and the active theme from official sources. Removed an unknown admin user "wpadmin2". Reset cPanel, all WordPress admin, FTP, database, and email passwords. Updated WordPress to 6.x and PHP to 8.2. Confirmed clean with a fresh Sucuri SiteCheck scan and an empty Imunify360 Files tab.
  1. Submit the request

What to Expect

  • Typical turnaround: 24–72 hours for malware/unwanted software; phishing reviews can clear within hours
  • You'll receive an email at the address used to verify Search Console once the review completes
  • If the review is approved, the browser warning is lifted globally within a few hours of approval
  • If the review is denied, Google will list what's still detected — clean those items and resubmit

Step 7: After the Warning Is Lifted

  • Don't celebrate by re-enabling old plugins — many infections recur because the original vulnerability wasn't fully fixed
  • Set up daily backups — JetBackup in cPanel runs automatic backups; verify they're enabled for your account
  • Install a security plugin going forward — Wordfence, Sucuri, or Solid Security with file-change alerts enabled
  • Subscribe to Google Search Console email alertsSettingsUsers and permissions — so you're notified instantly if Google detects something in future
  • Limit admin accounts — Use strong passwords and only grant admin rights to people who genuinely need them

Prevention Checklist

  • Keep WordPress core, plugins, and themes updated weekly
  • Use only plugins and themes from the official WordPress.org repository or reputable paid vendors — never "nulled" downloads
  • Enforce strong passwords and 2FA on every admin account
  • Restrict /wp-admin access by IP where practical (see Whitelisting an IP in the Firewall)
  • Disable file editing in WordPress by adding define('DISALLOWFILEEDIT', true); to wp-config.php
  • Leave Imunify360 enabled (it scans in real time on Cynet hosting) and add a WordPress-level scanner such as Wordfence as a second layer
  • Review Google Search Console at least monthly for security and coverage issues

When to Contact Cynet Support

Open a support ticket if:

  • Imunify360 shows detections but you're unsure whether to clean, quarantine, or delete a file
  • You need a server-side backup restored (we keep daily off-server snapshots)
  • The malware keeps returning after every clean-up (suggests a deeper compromise)
  • You need help restoring from a JetBackup snapshot
  • The Search Console review has been rejected more than twice
  • You believe a server-level (not site-level) compromise is involved
Provide the example URLs from your Search Console Security Issues report when you open the ticket — it dramatically speeds up the investigation.
Google Safe Browsing deceptive site malware phishing Search Console blacklist security review request

Was this article helpful?

Not sure which hosting plan is right for you?

Get a personalized recommendation in under 60 seconds.

Find the Right Plan