Most responsible website owners would never dream of creating phishing pages. Google actively searches the web for potential phishing site and flags sites thought to host malicious pages. Some site owners wake up to a message in search that their site is flagged as a phishing portal. Honest site owners don’t know what’s considered phishing site, so they panic and immediately try to have the site reviewed. Having your site flagged isn’t the end of the world, but you do need to clean up pages before you can have a successful review. A successful review removes the warning from Google search results, so it’s in imperative that you act fast. Here are the why, how, and what you can do to fix a phishing flag placed on your site.
Understand What Constitutes Phishing
You might not even know that your pages are considered phishing site portals. The first thing to ask yourself is what pages could be considered phishing site. The first red flag is a site that doesn’t use SSL or TLS on their web server but retrieves personal data. SSL (and now the newer TLS) are certificates you install on your web server. The certificates allow you to provide encryption between your site and client’s browser. SSL certificates provide your site with the ability to use HTTPS as the protocol, which protects against eavesdroppers.
Go through your pages and identify if any of them ask for personal information. If a user lands on your page using HTTP, he should be redirected to the HTTPS version of the page before entering private information.
Another possibility is how you process data. When you submit data from a web page form, it sends data either in a form POST or GET action. The GET action sends data in the browser’s querystring values. You’ve probably seen web pages with a question mark and variables appended at the end of the page name. Querystring values look like the following:
The querystring is everything after the question mark. In this example, a user’s first and last name is passed to a processing page. What if the querystring contained a social security or bank account number? This is considered insecure. When hackers use phishing site methods, they are generally sloppy in how they set up pages. For this reason, poorly secured or programmed sites are considered suspicious and flagged.
Another common and much more difficult problem to identify is a hacked site. Hackers who gain access to your site place phishing pages on the domain without your knowledge. This makes it much more difficult to track and identify the phishing page.
You can use a crawler that looks specifically for hacked content. For instance, AWSnap (aw-snap.info/file-viewer/) is one site that crawls specific pages, identifies any suspicious code and gives you suggestions. Another tool is Securi.net. This tool also lets you subscribe for a fee and use it to automatically crawl your site at a specific rate. If any suspicious files are found, Securi sends you a notification.
If you can’t find the hacked pages, you’ll need to hire a professional. Google won’t remove the warning until any phishing site content is removed from your domain.
In rare occasions, your site might be incorrectly flagged. If this is the case, you can request a review and explain. Google also provides this URL for reporting incorrectly flagged sites:
You should also know that Google has different levels for warnings. The most common form of a phishing site notification is “Deceptive site ahead.” The message is displayed in the Chrome and Firefox browsers. If Google believes you host malware, the warning indicates that a site could harm a computer or contains malware.
What Can You Do to Fix the Site?
What you do to fix your site depends on what caused the phishing site notice in the first place. If you take personal information with no encryption, you need to purchases an SSL/TLS certificate. Contact your host first. Most hosts offer a security certificate for their customers. It could be a free or paid upgrade depending on your hosting plan.
Once you install the certificate, you need to redirect your pages to the HTTPS version. You use a 301 redirect for moving from the HTTP to the HTTPS version. If you use WordPress, there are plenty of plugins that help you redirect. If you have custom applications, check with your developer. You don’t need to use HTTPS on all pages, but it’s recommended. Google announced that it uses encryption as a minor ranking factor.
If you’re using a GET form action, this is more difficult to fix if you aren’t a coder. You need to change the form submission process, which takes some coding from your end. If the forms you use are from a plugin, you can either contact the plugin coder or use a different plugin. If you hired a coder to implement forms, he needs to change the submission code. The processing page can remain mostly the same.
Finally, if the site is hacked, it’s also difficult to troubleshoot. However, with hacked sites you can usually disable the plugin causing the security breach and delete the malicious pages. To avoid the situation, always upgrade your WordPress version and any plugins. Don’t download plugins where the owner does not manage and support updates. Most plugins must be updated after a few WordPress updates, and WordPress disables incompatible plugins.
Request a Review
After you’re confident that the phishing pages were removed and any hacks were deleted, you can now request a review. The review process happens through Google Search Console (formerly Webmaster Tools). If you haven’t already signed up, take some time to sign up and register your site in Search Console.
In the Malware section of Search Console, click the “Request a Review” button. Explain what you did to fix the site in the text boxes. Google employees review the site and the review requests, so be as detailed as possible with what you did to remove the content.
Google is very fast with malware reviews (as opposed to their reconsideration requests that can take weeks). The alert should be removed within 24 hours, but it usually happens in only a few hours.
What You Can Do to Protect Your Site?
If your site was hacked, you must take precautions from it happening again. Change your site’s passwords, and update any WordPress plugins. If the hackers were able to access your site’s files, check your local computer for any security holes.
Chrome extensions are one way a hacker can gain access to your passwords. Malicious extensions can perform numerous logging events to get your information.
Finally, always rotate passwords for important applications such as FTP used to connect to your host. Keep antivirus running on your machine, and always update definition files to avoid being a victim to new viruses.
Utilizing your web hosting provider for help and security is a great first place to start.
Once you have a hacked site, you never want to go through the trouble again. It’s a good lesson for webmasters who aren’t serious about security. There are numerous scripts that can be downloaded on the Internet, so penetrating WordPress sites doesn’t even require advanced capabilities. Always upgrade your plugins and WordPress version to avoid falling victim to these scripts.
Thankfully, Google is quick to remove the warning provided you cleaned up the phishing pages. Your customer’s data and privacy should always be a top concern, so always follow best practices for your websites.
EACdirectory web hosting customers can always utilize our support department to help resolve any issues. We would be happy to provide you with more information on how to resolve this kind of issue.