What To Do When Your Website Is Flagged Unsafe by Anti-Virus Software

Discovering that your website has been flagged as unsafe by tools such as AVG Antivirus and Avast Antivirus can create quite a sense of panic. That’s because the warning that appears in the browser is essentially telling your prospective customers that your website is unsafe!

You might have been told by a customer or two that your website is unsafe, and you’ve had a panicked conversation with your web developer about how to fix it. In this guide, we’ll share the practical steps you can take to check that your website really is safe, how to go about fixing it if there is a problem, and how to get your website removed from the unsafe list by the antivirus applications.


Checking if your website is really unsafe (or not)

Malware (bad software), spam and hacks - what's the difference?

Hacks – This term refers to when someone gains unauthorised access to your website, often causing damage. The damage can include removing your website, adding malicious software to it, or adding spammy content to it.

Malware – This simply means ‘bad software’, and usually refers to software that allows an attacker to change anything on your website at any point in the future (this particular type of malware is called a ‘backdoor’).

Spam – Any content on your website (including links) that you have not chosen to put there and that’s designed to give the attacker a search engine ranking benefit, or to send visitors to their website/webpage.

Firstly, we need to make sure that your website is safe by scanning it for malware (bad software), spam and hacks. These are the elements that would cause antivirus applications to flag your website as being unsafe. There are several tools that we can use to do this. I suggest you use all of them to check your website.


1. Check your website on Google Safe Browsing Status Tool (Free)

The Google Safe Browsing Status Tool will check Google’s own database, built from crawl data, to see if your website has been flagged for issues. ‘Crawl data’ is the information that Google gathers when its automated software tools examine your website for search engine ranking purposes.



2. Check your website on VirusTotal (Free)

The VirusTotal tool will check several malware and spam lists to see if your website is mentioned on any of them.



3. Check your website on Sucuri (Free)

The Sucuri tool will do a surface-level scan of your website looking for malware. They do have a deep scanner tool* that’s a paid extra, along with a service where they’ll clean up the problem for you too.



Found Problems? Here’s how you resolve them…

If your scanning has discovered that there are problems, then we need to get those fixed quickly. In truth, there is a wide range of steps that you can take to resolve issues. Here’s a list, roughly in the order that you should tackle them.

For WordPress-based Websites

  1. Ask your hosting company to do a malware clean-up for you. Depending on who you use (e.g. WP Engine, Kinsta, Flywheel, SiteGround), they may do this free of charge.
  2. Your web developer or web agency may have extensive experience with cleaning up malware, so it’s always worth asking them.
  3. You can sign up to a paid-for account with Sucuri* and they can clean up the malware and configure the website firewall for you to reduce problems in the future.
  4. Restore the website from a known clean backup, then update everything (and back it up again).
  5. You can find a malware specialist to clean up your website on PeoplePerHour.


For Non-WordPress Websites (Wix, Squarespace, etc.)

  • Speak with your hosting support to check your website and help you resolve problems. It’s very unlikely that you’ll have problems with an application-based website such as Wix or Squarespace, but you’d want to talk to support if there was an issue.


For Custom Applications (non-WordPress)

  • Your web developer or web agency should be your first port of call, as your hosting provider is unlikely to help you with custom applications.


No Problems? Here’s how you report a false positive…

A ‘false positive’ means that your website has incorrectly (i.e. falsely) been shown as having a problem. That’s when we need to let the antivirus companies know about the issue.

Please Note: Each antivirus company has its own policy and working times for reviewing false positives. It might take days, so you need to report your website as quickly as possible.



Whilst having your website flagged feels frustrating and you’ll feel some panic, try to be patient and work through the steps above. It can and will get resolved eventually!