What to Do When Your Site is Blacklisted on Google

Google blacklists sites for many reasons, but most webmasters are unaware that there is a problem until they notice that their organic search traffic drops to almost zero visits. If you aren’t registered with Google Search Console, you will not receive notice when Google removes you from their search index. With some digging, you might find that you are removed from the search index even without being registered with Google Search Console. Although it’s a frustrating and stressful experience, you can follow steps to get your site back into Google’s index and regain organic traffic.

Why Does a Site Get Blacklisted on Google?

Blackhat search engine optimization (SEO) isn’t the only reason sites are blacklisted on Google. A site owner could have unknown malware on their site, or they could unknowingly perform specific actions on their site that could be considered blackhat. Once Google’s crawlers find the malicious content, it’s removed from the search engine and no URLs display when users execute queries that match your keywords.

One of the most common reasons sites are removed from Google is hacked content. Hacked content can mean several things. An attacker could upload malware to a site server and host it for download. It’s possible for a site to be a victim of persistent cross-site scripting (XSS), which means that malicious content is injected into the site’s database and shown to users. Attackers able to hack into a site can also hide malicious links or redirect users to a phishing site.

If Google finds anything suspicious on a website, it flags it as hacked or a site that hosts malware. The site is added to Google’s Safe Browsing database where it’s used to warn users. Any browser such as Chrome or Firefox that integrates Safe Browsing into the software will display a red interstitial window before passing the user to the website. The warning page tells the user that your site hosts malicious content and persuades users to go back to search and find another site.

A few other reasons Google blacklists sites include:

• Adding links to hidden sections of your site that display to crawlers and not to human readers
• “Spinning” content by using machine-generated content used to attract search engines but unreadable for users
• Using plagiarized content and having several DMCA (Digital Millennium Copyright Act) complaints filed against your site
• “Keyword stuffing” by using repeated keywords within content, making it unreadable for users
• Purchasing links to artificially increase search engine rank
• Injecting phishing content or malware

What to Do If Your Site is Removed from Google Search

The first step is to register with Google Search Console. If your site no longer displays in Google search or you receive warnings about your site in a browser, Google Search Console will show a message alerting you to the issue. The message may also give you more information about the issue so that you can remediate it more quickly.

If you don’t have access to Google Search Console, you can also run a quick search in Google’s Transparency Report (transparencyreport.google.com/safe-browsing/search?hl=en).  The Transparency Report will display any suspicious or malicious links on your site. You can run a search at any time to verify that Google’s crawlers have not found any suspicious content.

Registering your site in Search Console and running a Transparency Report query, you can determine if your site has been blacklisted and take the necessary steps to fix the issue. The next steps are where webmasters struggle. You might not know if you’ve been hacked, and even if you realize that you’ve been hacked you must find the issue, contain it, and fix the vulnerability.

WordPress is a common target for hackers, so you can first disable plugins and re-enable them one at a time to identify which one is the culprit. Always be cautious with WordPress plugins. You should only download plugins from reputable developers. For large sites, it helps improve the cybersecurity of your site by having a code review of the plugin to ensure that there are no backdoors or malicious code included.

For custom sites, you must first find the vulnerability in your code and then ensure no malicious content is stored in your database. It helps to first identify where the malicious code displays on the site, and then trace it back to the database if it’s stored there.

Another common target for Linux-based sites is the .htaccess file. If this file is hacked, users can be redirected to a phishing site. When Google picks up on the hacked file, it flags your site for phishing. Usually, hackers inject code that conditionally redirects users so that it hides the phishing material from the site owner. You can usually determine if it’s a conditional redirect by finding your site in a search engine and clicking your site link to identify if it redirects to a malicious site.

After you clean the site, you must request a review in Google Search Console. In the Search Console tool, you will see a button that says “Request a Review.” Clicking this button will trigger a new crawl of your site to ensure that the malicious content is gone. Should the crawler find no more malicious content, your site URLs will be restored to their location in the search results. If it does, then you must review the site again, remove malicious content and ask for another review.

To avoid having this issue in the future, you can install a security plugin if you run WordPress. Monitoring your site for suspicious behavior or malicious code will also help you identify issues before Google does, which you can then remediate so that you do not have the stress of quickly removing malicious content after being removed from the search index.

Conclusion

A hacked site can be devastating for a business, but it’s even more devastating on revenue when your website is blacklisted and removed from Google’s search engine. You can avoid this issue by monitoring your site, and you can receive notifications in case Google finds anything suspicious by registering with Google Search Console.