What is a Malware Warning?
If you’ve logged into your Google Search Console account recently and seen the following notification next to your property, you may have understandably started to panic:
Clicking on the ‘Check property health’ link will present you with three possibilities:
- Is robots.txt blocking important pages?
- Malware detected?
- Important pages removed?
Each option will have either a green tick next to it, indicating that this isn’t the problem, or an orange exclamation mark, meaning something is wrong in this area.
If your robots.txt file is blocking important pages, use the Search Console report and work with your web developer to discover what’s being blocked to rectify the problem as soon as possible. Take the same approach if important pages have been removed. Search Console will provide you with information on which pages have been removed to help you fix the problem.
But if malware has been detected on your site, what does this mean? How will it affect your site, and what can you do to fix it?
Clicking on the malware warning will present you with a rather scary-looking message like this:
Why Have I Received This Message?
If you see this warning in your Search Console account, it means your site has been hacked. However secure you may think your site is, unfortunately there is no 100% guarantee against hacking.
Why does it matter? Well, as it states in the message, until the issue is fixed your site will display a warning to visitors trying to access it, which will look something like this:
Your site can also be labelled as potentially dangerous in the search engine results pages, with a message displaying underneath your domain stating ‘This site may harm your computer’.
These warning messages mean that Google has detected something suspicious on your site, which has probably been added without your knowledge.
Common causes of malware on your site include:
- A security hole, such as out-of-date plugins or software
- Stolen passwords
- Insecure permissions
- Ads provided by an advertising network
Understandably, a warning like the red one above would put anybody off visiting your site, and most people would instantly click the ‘Back to safety’ button and abandon their visit.
This can have a huge impact on your traffic. Recently, a client of mine had this exact problem which resulted in a 20% drop in organic traffic year on year.
If your traffic drops due to warnings like these, your conversions will drop too. This could be a huge problem for any site, but particularly for e-commerce websites.
Furthermore, if you use AdWords to promote your website, your AdWords account can be suspended if your website is flagged for malware. Read more here.
So if your site is affected by malware, your organic traffic will take a hit and your AdWords may not be there to save you. What’s the best plan of action?
How to Remove Malware From Your Site
- Click on the ‘Show details’ link on the malware message in Search Console for more information on the affected pages – download this data.
- Contact your web developer and hosting provider immediately to notify them of the problem and send them all the information you have.
- Ask them to look into the problem as a matter of urgency and remove any malicious content from the site. There is a good guide on how to do this here.
- Review your PC security with antivirus software – making changes to your site on an infected PC could harm your website.
- Update everything – your website software, any plugins you have installed etc. so that you have the latest versions.
- Change all passwords relating to your site.
- Check to see if your Adwords account has been affected. If it has, call the Adwords support team and try to resolve the issue.
- Work with your technical team to review your site security to ensure this doesn’t happen again.
Once you have identified the problems and removed any potentially harmful content from your site, it’s time to submit a review request via Google Search Console.
On the Security Issues page of your account, underneath the malware details, you will find the following tick box and button to request a review:
When you click the button, you’ll have the option to send an accompanying message with your request. Include details of all the work you have undertaken to resolve the issue here for Google’s reference.
A few days later you should receive a response message in Search Console from Google saying ‘Review successful for [your site]’. Hooray!
It can still take up to 72 hours for all warning messages to be removed and your AdWords account to be reinstated (if affected). When my client fixed their issue, it took several weeks for their traffic to fully recover.
Google has provided some good advice on how to prevent malware attacks here.