Are you trying to remove the “Deceptive Site Ahead” warning from your WordPress website?
Seeing this warning is alarming for any website owner. Displayed with a red background by search engines, it aims to protect users from potential malware threats believed to be present on your site.
In this post, I’ll explain why the “Deceptive Site Ahead” warning appears and how it affects your site. I’ll also walk you through the steps to remove the warning and keep it from coming back.
Let’s get started.
The meaning of the “Deceptive Site Ahead” warning
The “Deceptive Site Ahead” warning means Google thinks your site might be dangerous for visitors. This warning aims to protect users from potential threats on your site.
Seeing this warning can be surprising, especially if you aren’t running anything shady on your site. So, why is this happening?
There are two main reasons Google might flag your site with this warning:
- Your site is infected with malware.
- Your SSL certificate is incorrectly installed.
In this article, I’ll show you how to identify and fix the problem with your website.
And you really shouldn’t ignore it. If you do, you’re facing all kinds of problems. Chief among them: your SEO rankings can drop and your organic traffic can decline. As a result, you can lose revenue and damage your brand value. In some serious cases, your web host can even suspend your account, or your email provider can blacklist you.
Fixing the “deceptive site ahead” warning
Note: Before we begin, take a backup of your entire website. The solutions we offer involve installing a new plugin or accessing WordPress files and folders. Both activities are risky. In case things go south, you’d have a backup to fall back on.
1. Install your SSL certificate correctly
Google has made it mandatory to have an SSL certificate installed on every website. But simply getting the certificate is not enough. You need to migrate every single page of your site from HTTP to HTTPS.
This is easily done on a small website with a dozen or two pages. But it’s a real challenge with large websites where some pages migrate to HTTPS and others don’t. Google calls it a mixed content error. Luckily, it’s a common error and can be fixed in a jiffy.
Step 1: Open WhyNoPadlock or Jitbit and insert the URL of your website. It should determine if your website has mixed content issues.
You can also do a manual check. Here’s how:
Go to your homepage, right-click and choose Inspect from the menu.
A window pops up below or on the side of your screen. Go to Console. You should see a warning for the mixed content error.
Step 2: To fix the mixed content issue, you need to install and activate a plugin called Really Simple SSL. It’s a free plugin.
Install the plugin on your website and it’ll automatically detect the SSL certificate installed on your website. Then, it’ll ask you to activate that certificate. You just need to hit the Activate SSL button.
The plugin will ensure that the certificate is properly installed and activated on your website. Behind the scenes, it looks for all URLs being served over HTTP and redirects them to HTTPS.
When that’s done, the plugin shows that the certificate has been properly installed and all mixed content issues have been taken care of.
If the “deceptive site ahead” warning is not gone, then you’re most likely facing a hack.
2. Check for a website hack and get rid of it
If you didn’t find any “SSL mixed content” issues, the most likely cause of the “Deceptive Site Ahead” warning is a malware infection due to a website hack.
Websites can be hacked because of vulnerable themes and plugins, weak usernames and passwords, and hosting issues.
To check if your website is hacked and infected with malware, you’ll need a WordPress security plugin like MalCare, Sucuri, or Wordfence.
Install the plugin on your website and start a scan. Depending on the size of your site, the scan might take a few minutes. Once it’s complete, the plugin will inform you if it found malware on your website.
Here’s how to do these scans step-by-step with each plugin:
Sucuri
Install the plugin on your website. Then go to the plugin’s dashboard and Generate an API Key to activate features like server-level scans and malware clean up.
Next, head to Sucuri Security → Dashboard → Refresh Malware Scan. The plugin should have scanned your website as soon as it was installed, but the initial scan was a surface-level HTML scan which generally fails to find complex and remote malware infections.
After the server-level scan is complete, it shows you malicious files found on your site. Select the files and choose Delete File.
This initiates the malware removal process. Before long, your website will be clean.
Wordfence
Activate Wordfence on your website. It asks you to enter your email address and the premium key. Without the key, you can’t clean the malware infections – you can just identify them.
Go to your dashboard and navigate to Wordfence → Scan → Start New Scan. It should take the plugin a few minutes to run a complete scan. In the end, you will have a list of malicious files that you need to remove immediately. Just hit the Delete File button. That’s it. The malicious file is gone for good.
MalCare
Install and activate MalCare on your website. Go to your dashboard and select MalCare from the left-hand menu. Add your email address; the plugin will start scanning your website.
The initial scan takes a while because the plugin takes a backup of your site onto its own server before running the scan. This prevents overburdening your server.
When the scan is complete, the plugin will notify you about the malicious files found on your website. To remove those files, click the Auto-Clean button. Within a few minutes, your site should be as good as new.
Manual malware removal
Unlike a plugin, manual scanning is neither straightforward nor quick. Here’s a peek into all the steps you need to take. However, before I show you the list, you need to understand that this is just a general look at the issue, and you might have to do a lot more digging to remove malware from your site effectively.
- First, access the backend of your website and open the root folder to look for recently modified files.
- Once you have identified them, download the original versions of these files from the WordPress repository and replace them on your server.
- Now scan custom files (i.e. files unavailable in the repository) for suspicious code.
- As much as possible, clean those files and remove any unwanted code.
- Clean the database tables or restore them to their original structures.
Even after all this effort, there is still no guarantee that your website will be completely clean and remain operational. Frankly, we are not security experts. That’s why we strongly recommend that you follow this guide by Sucuri Security for manual cleanups.
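The first three steps of the manual list can be sketched as a script. This is an added example, not part of the original guide or of any plugin mentioned here: it compares the PHP files of a live site against an unpacked, trusted copy of the same WordPress release by SHA-256 and reports which files were altered and which exist only on the site. The function names, the directory layout and the file contents in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(site_root, clean_root, days=7):
    """Map each suspicious PHP file to (status, recently_modified)."""
    # clean_root: unpacked copy of the same WordPress release from a trusted source
    site_root, clean_root = Path(site_root), Path(clean_root)
    cutoff = time.time() - days * 86400
    report = {}
    for path in site_root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(site_root).as_posix()
        reference = clean_root / rel
        if not reference.is_file():
            status = "custom"      # not part of the release: review by hand
        elif sha256(path) != sha256(reference):
            status = "modified"    # core file altered: replace with original
        else:
            continue
        # mtime is only a hint; anyone with write access can backdate it.
        report[rel] = (status, path.stat().st_mtime >= cutoff)
    return report

def demo():
    """Build a constructed site plus clean copy in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            root.mkdir()
            (root / "index.php").write_bytes(b"<?php // core index")
            (root / "wp-login.php").write_bytes(b"<?php // core login")
        (site / "wp-login.php").write_bytes(b"<?php // core login + injected")
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "cache.php").write_bytes(b"<?php // unknown file")
        old = time.time() - 90 * 86400
        os.utime(site / "wp-login.php", (old, old))  # simulate a backdated mtime
        return triage(site, clean)

if __name__ == "__main__":
    print(sorted(demo().items()))
```

In the constructed run, the altered `wp-login.php` is caught by its hash even though its modification time looks old, which is why a "recently modified" search alone is not enough.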
Request Google to remove the warning
After fixing your website, it’s time to ask Google to recrawl it and remove the “Deceptive Site Ahead” warning.
While Google will eventually recrawl your site on its own, it’s better to initiate the recrawl rather than waiting for Google to notice the changes.
Open Google Search Console. Go to Security Issues.
Search Console should already have picked up the malware infection, so don’t panic when you see infection warnings on your Console dashboard.
Just click on Request Review and on the next page, describe all the steps you took to clean the website and remove the root cause of the hack. Hit Submit Request.
It takes Google up to 72 hours to verify and remove the warning.
Some of you may not have added your website to Google Search Console. In that case, go to your AdWords account and request a review through the AdWords support center. If you don’t have that either, then just add your website to Google Search Console and wait for Console to start crawling your website. It should remove the warning within a week or two.
How to prevent future warnings
Removing the “Deceptive Site Ahead” warning might not be enough if it was caused by a hack. You must future-proof the site.
1. Install a security plugin
Websites can be re-hacked. To prevent that from happening, we recommend using a security plugin that offers the following features: firewall, daily scanning, detection of vulnerable plugins and themes, and monitoring of user activities.
- The firewall filters traffic and prevents bad traffic from accessing the website.
- Detection of vulnerable WordPress core, plugins, and themes reminds you to update them before hackers have a chance to use them to gain access to your website.
- Monitoring user activities helps detect malicious users. And daily scanning ensures malware infections are instantly recognized so that you can get your website cleaned immediately.
You’ll be fine picking any of the plugins you used above for cleaning up the hack. All of them will help you avoid similar problems in the future.
2. Keep your website updated
Vulnerable software, especially plugins and themes, is responsible for most website hacks. You can avoid hacks by keeping plugins, themes, and the WordPress core updated.
Developers release updates when they find vulnerabilities in their software. By updating regularly, you ensure that your website runs the most secure version of the software.
Installing a security plugin helps by notifying you whenever the WordPress core, plugins, or themes have an update available. However, you still need to take action and perform the updates yourself.
3. Use strong usernames and passwords
Besides using vulnerable software, hackers also target weak usernames and passwords.
They open your login page and try combinations of common and guessable usernames and passwords to gain unauthorized access.
Weak usernames are those like “admin,” “administrator,” “user1,” “user2,” or author names displayed on your site.
Weak passwords are common ones like “123456,” “password,” “qwerty,” “admin123,” “abcd1234,” “111111,” or those based on easily discoverable details like your name, birthdate, or address.
You can create strong usernames and passwords by using a combination of uppercase and lowercase letters, numbers, and special characters. Make sure they are unique and not related to personal information or easily guessable details.
4. Protect the login page
The default login page URLs for WordPress websites are https://example.com/wp-admin or https://example.com/wp-login.php.
Since the URLs are common for all WordPress websites, hackers can easily open your login page and try brute forcing into your website.
Consider changing the login URL to something else, something that would be hard to guess.
5. Switch to secure hosting
Hackers also target web servers of hosting companies.
Keeping web servers secure involves regular updates, data transmission encryption, security audits, vulnerability assessments, and backup and disaster recovery plans, among other measures.
Not all hosting companies can afford to implement these measures.
You can evaluate your hosting provider’s security by making a list of best hosting practices and then comparing your provider against those criteria.
If you don’t want to go through this time-consuming process, consider switching to a better hosting company that ensures your website is hosted on secure web servers.
Conclusion on the deceptive site ahead warning
The “Deceptive Site Ahead” warning usually appears when your website is hacked or your SSL certificate is improperly installed.
To remove the warning, clean the hacked website or reinstall your SSL certificate, then request Google to crawl your site and remove the warning. It can take Google a few days to respond.
Once the warning is gone, follow these steps to prevent future hacks:
- Install a security plugin.
- Keep your site always updated.
- Use a strong username and password.
- Protect the login page.
- Switch to a secure hosting provider.
That’s all for this one, folks! We hope you found this guide helpful. Let us know if you have any questions on how to get rid of this warning.