Google safe browsing

fitkoh Member
edited November 2023 in Help

Anyone ever been marked as unsafe? Apparently my server has been hacked. I went to check in this afternoon and a big red screen pops up "Deceptive Site Ahead."

After clicking through some links and signing into Google Search Console, I was able to find some nasty malware in the plugins directory of my wordpress installation. Further checking around showed me more malware hidden in each of my domains' public directories, disguised with names like "about.php", "wp-editor", "send.php", "wp-l0gin.php" and some other randomly generated wp- files and folders.

I checked the access logs and it doesn't appear that anyone has logged into my server besides me. My general feeling is that the intrusion is a result of the recent wordpress upgrade to 6.4, since the upgrade and intrusion happened around the same time, and the malware was placed inside of wordpress and creates files to mimic wordpress.

I'm sad to report that the affected site is protected by wordfence, so I'll be seeking other security options.

At this point I'm watching very closely to see if there are any signs of malware reappearing, but I'm thinking about reinstalling everything just to be on the safe side. I have backups. Slightly dated so I'll lose a little work but not too much. Probably safer that the backups are a bit old since it's less likely they'll be contaminated by any new exploits.

TLDR

After a site has been placed on Google's Safe Browsing advisory list and marked as deceptive, how long and how much effort will it take to get that status removed?

Will deleting the offensive files be enough to earn a good reputation or should I just go ahead and reinstall?

Is it even worth the headache trying to deal with it or should I just move on and mark the domain as a loss?
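The post describes the planted files by their names only: PHP dropped into the plugins directory and into each web root, some of them named to look like WordPress core (wp-l0gin.php with a zero). A first triage step that does not depend on any plugin is to compare the document root against what a stock install contains. The script below is an added example for this thread, not code from the original post or from WordPress or Wordfence. It assumes the allowlists of core root files and directories are those of a WordPress 6.x install (extend them for your own site), and it runs offline against a constructed sample tree that contains files named like the ones in the post.

```python
"""Locate planted PHP files in a WordPress document root.

Added example, not the thread's own code.  Rules applied (all defensive):
  1. PHP at the site root that is not a known core file.
  2. Root files whose name imitates a core file by digit-for-letter swaps
     (wp-l0gin.php -> wp-login.php).
  3. Directories at the site root named wp-* that are not the three core ones.
  4. PHP anywhere under wp-content/uploads (should never execute there).
  5. Single-file plugins sitting directly in wp-content/plugins.
The allowlists are an assumption based on a stock WordPress 6.x install.
"""
import os
import tempfile
from typing import List, Optional, Tuple

CORE_ROOT_FILES = {
    "index.php", "xmlrpc.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
}
CORE_ROOT_DIRS = {"wp-admin", "wp-content", "wp-includes"}
PLUGIN_ROOT_FILES = {"index.php", "hello.php"}  # hello.php is the bundled Hello Dolly plugin
PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar")
# Digits commonly substituted for letters in lookalike file names.
LOOKALIKE = str.maketrans("0135", "oles")

Finding = Tuple[str, str]  # (path relative to the document root, reason)


def is_php(name: str) -> bool:
    return name.lower().endswith(PHP_EXTS)


def lookalike_of(name: str, known: set) -> Optional[str]:
    """Return the core file name that `name` imitates via digit swaps, else None."""
    candidate = name.lower().translate(LOOKALIKE)
    if candidate != name.lower() and candidate in known:
        return candidate
    return None


def scan_wordpress(root: str) -> List[Finding]:
    """Walk a WordPress document root and return sorted findings."""
    root = os.path.abspath(root)
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if rel_dir == "":
            for d in dirnames:  # rule 3: non-core wp-* directories at the root
                if d.lower().startswith("wp-") and d.lower() not in CORE_ROOT_DIRS:
                    findings.append((d + "/", "non-core wp- directory at site root"))
        for name in filenames:
            low = name.lower()
            rel = f"{rel_dir}/{name}" if rel_dir else name
            if rel_dir == "":
                if low in CORE_ROOT_FILES:
                    continue
                mimic = lookalike_of(low, CORE_ROOT_FILES)
                if mimic:  # rule 2
                    findings.append((rel, f"lookalike of core file {mimic}"))
                elif is_php(low):  # rule 1
                    findings.append((rel, "PHP file not part of WordPress core at site root"))
            elif rel_dir.startswith("wp-content/uploads"):
                if is_php(low):  # rule 4
                    findings.append((rel, "PHP file under uploads; the web server should never execute PHP here"))
            elif rel_dir == "wp-content/plugins":
                if is_php(low) and low not in PLUGIN_ROOT_FILES:  # rule 5
                    findings.append((rel, "unexpected single-file plugin at plugins root; verify you installed it"))
    return sorted(findings)


def build_sample_install(base: str) -> str:
    """Create a constructed WordPress-like tree; the planted entries carry the
    names from the post.  Placeholder content only, not real malware."""
    files = [
        "index.php", "wp-login.php", "wp-config.php", "license.txt",
        "about.php", "wp-l0gin.php", "send.php",              # planted at root
        "wp-admin/admin.php", "wp-includes/version.php",
        "wp-content/uploads/2023/11/photo.jpg",
        "wp-content/uploads/2023/11/image.php",                 # planted in uploads
        "wp-content/plugins/index.php", "wp-content/plugins/hello.php",
        "wp-content/plugins/akismet/akismet.php",
        "wp-content/plugins/send.php",                          # planted in plugins
        "wp-editor/index.php",                                  # planted wp- directory
    ]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n" if rel.endswith(".php") else "x\n")
    return base


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path:40s} {reason}")
```

Run it against a real document root with `scan_wordpress("/var/www/example")`. A hit is a reason to inspect the file, not proof by itself: legitimate single-file plugins and custom root scripts will also appear, which is why every finding carries its rule. The lookalike rule is deliberately narrow (digit swaps only) so that it stays free of false positives on the core file names.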

Comments

  • MrRob Member
    edited November 2023

    I can tell you that 99% of the ones I have read have hacked me there is always a relation with "WORDPRESS" I am sorry to tell you, nowadays it is the most hacked framework.

    Every time it happens is for many reasons, if you do not protect your wordpress very well, both in not installing fake themes, etc, etc.

    The time it takes for google to remove the misleading site is between 48 to 72 hours.

    Thanked by 1fitkoh
  • @MrRob said:
    I can tell you that 99% of the ones I have read have hacked me there is always a relation with "WORDPRESS" I am sorry to tell you, nowadays it is the most hacked framework.

    Every time it happens is for many reasons, if you do not protect your wordpress very well, both in not installing fake themes, etc, etc.

    The time it takes for google to remove the misleading site is between 48 to 72 hours.

    It's only natural that the attacks will correlate with the user base. Just like windows.

    I'm generally pretty careful about what I install, as far as themes and plugins, or I hope I am. I take a minimalistic approach. I figure out what I like and stick with it. I don't really like wordpress all that much but I'm not good enough to match what wordpress can do. I've tried making pages from scratch and I enjoy the design part but moving away from wordpress always seems to cause a sharp drop in traffic, at least for me.

    However, this isn't a wordpress discussion so let me reply on topic:

    Two to three days seems like an eternity but really it isn't too bad, especially considering the volume that I'm sure google has to deal with. I could wait but I think in 3 days time I can have all my backups restored on a fresh install and not have to worry about what could be lurking underneath.

  • thane Member
    edited November 2023

    Having Wordfence is only useful if you've actually given it a good config, and really only a small part of the overall security. Not having daily incremental backups indicates you don't know how to configure or secure a site, so a hack was inevitable.

    I'd recommend going through the full WF install, set up and install the WAF, make sure the config is good (things like disabling php in the uploads folder, including themes/plugins in scans, enabling scans for folders outside WP, etc., etc.). You should have automated scans enabled as well, so you can be alerted/emailed about issues. WF has extensive security options, but you need to actually configure them to work. Enable the 2FA login, etc.

    I'd recommend reviewing your server security as well. Imunify360 or ModSecurity can stop a lot of issues before they happen. Check your server firewall. Make sure there's brute force protection enabled.

    I'd recommend having a security layer at the DNS level as well; as you surely know, Cloudflare has a huge suite of tools available to help protect your site, well worth learning about and implementing. As a default, I always add extra security or even consider fully blocking countries where attacks commonly originate like Russia/Ukraine/China. Any ecommerce site I will limit traffic to countries they actually ship/sell to.

    The last thing I'd recommend is to hire a professional to investigate your situation. Restoring from backup may clean your site from the infection for now, but it isn't doing anything to find and address the root cause of the vulnerability. Your site might get hacked again within days if the vuln is still present. Someone proficient in security cleanups will have a good chance of success finding the issue so it can be fixed permanently.

    Good luck!

    Thanked by 1priest
  • neverain Member
    edited November 2023

    You can get the google safe browsing alert removed pretty easily from https://safebrowsing.google.com/safebrowsing/report_error/?hl=en

    It would be better to use the old backup and reinstall completely instead of trying to salvage the current installation.

    You should check what plugin was responsible for this and remove it, as these attacks are usually automated and it could get hacked again pretty fast if it's still there.

    Thanked by 1fitkoh
  • @fitkoh said: After a site has been placed on Google's Safe Browsing advisory list and marked as deceptive, how long and how much effort will it take to get that status removed?

    Once you remove the malware, just let Googlebot crawl your entire site again via GSC.
    Depending upon the number of pages, it takes around 1 to 2 months for the status to be removed. Sometimes it's earlier if your malware-affected pages are quite few.

    Thanked by 1fitkoh