How to Remove McAfee SiteAdvisor Blocklist Warning

Introduction

McAfee SiteAdvisor is one of the top three blocklisting authorities currently issuing security warnings on websites. When a website is blocklisted, it loses 95% of its traffic, on average. Blocklisting can affect how visitors access your website and how it ranks in Search Engine Result Pages (SERPs). Websites that have been scanned and found to possess harmful behavior or content are flagged by a blocklist authority (like McAfee SiteAdvisor), which then removes the site from their index.

1 - Review Warning Status

1.1 - Identify McAfee SiteAdvisor Website Security Warnings

Your website has been officially blocklisted when the big red splash page is shown. This is designed to stop visitors from accessing it.

If you are seeing security warnings when trying to reach your website, follow this guide to fix these issues and request a review for blocklist removal.

1.2 - Website Malware Warnings

Here is an example of a common malware warning that suggests your hacked website is serving malicious downloads (such as viruses, spyware, rootkits, and ransomware).

Note

Here’s why johnhackedsite.com could be risky. We scanned this site and found that it’s not as secure as it should be. Please click with caution.

1.3 - Scan Your Website for Malware

The very first step is to make sure your site is clean.

You can use our free tool, Sucuri SiteCheck, to scan your site and find malicious payloads, malware locations, security issues, and blocklist status with major authorities.

To scan your website for hacks and blocklist warnings using Sucuri SiteCheck:

  • Visit the Sucuri SiteCheck website and enter your website URL.
  • Click Scan Website.
  • If the site is infected, note any payloads and file locations found by SiteCheck.
  • Click Blocklist Status to see if you’ve been blocklisted by other authorities besides McAfee SiteAdvisor.

 

If SiteCheck is able to find a payload, this can help narrow your search. The following section of this guide will help you manually review your site to look for suspicious elements. You can also use other tools such as UnmaskParasites.

Note

If you have multiple websites on the same server, we recommend scanning all of them. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

2 - Fix Blocklist Symptoms

2.1 - Remove File Infections

To perform complete malware removal, you should be able to edit files on your server. If you are not comfortable with this, enlist professionals to clean your site.

File Replacement: For CMSs such as WordPress or Joomla, you can safely rebuild the site using new copies of your core files and extensions directly from the official repositories. Custom files can be replaced with a recent backup—as long as it’s not infected.

Malicious Domains and Payloads: If SiteCheck or the Diagnostic Page indicate any malicious domains or payloads, then you can start looking for those files on your server. The discovery date can also narrow your search down to files modified around that time frame.

To manually remove a malware infection from your website files:

  • Log into your server via SFTP or SSH.
  • Create a backup of the site before making changes.
  • Search your files for any reference to malicious domains or payloads noted.
  • Identify unfamiliar or recently changed files.
  • Restore suspicious files with copies from the official repository or a clean backup.
  • Replicate any customizations made to your files.
  • Test to verify the site is still operational after changes.
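One way to carry out the "identify unfamiliar or recently changed files" step is to compare the live site against a freshly downloaded copy of the same CMS release. This is an added example, not part of the original guide or Sucuri's tooling; the function names, the three-day window and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

def index_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    index = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as handle:
                index[os.path.relpath(full, root)] = hashlib.sha256(handle.read()).hexdigest()
    return index

def compare_to_clean(site_root, clean_root, discovery, window_days=3):
    """modified: in the clean copy but content differs (restore from the clean copy)
    unknown: absent from the clean copy (config, uploads, custom or planted files)
    recent: mtime within window_days of discovery; mtime can be forged, so it is
    only a hint and the hash comparison is the primary signal."""
    clean, site = index_tree(clean_root), index_tree(site_root)
    report = {"modified": [], "unknown": [], "recent": []}
    for rel, digest in sorted(site.items()):
        if rel not in clean:
            report["unknown"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
        mtime = datetime.fromtimestamp(os.path.getmtime(os.path.join(site_root, rel)))
        if abs(mtime - discovery) <= timedelta(days=window_days):
            report["recent"].append(rel)
    return report

def build_demo():
    """Constructed sample: a two-file 'clean release' and an altered live site."""
    clean, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"index.php": "<?php require 'wp-load.php';", "wp-load.php": "<?php // core"}
    for root in (clean, site):
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as handle:
                handle.write(body)
    with open(os.path.join(site, "index.php"), "a") as handle:  # tampered core file
        handle.write("\n/* injected */")
    os.mkdir(os.path.join(site, "wp-includes"))
    with open(os.path.join(site, "wp-includes", "wp-load.php"), "w") as handle:
        handle.write("<?php // core file name, wrong directory")
    return site, clean

if __name__ == "__main__":
    print(compare_to_clean(*build_demo(), discovery=datetime.now()))
```

Configuration files and uploads will always appear under "unknown" because they are not part of the release archive, so review that list by hand instead of deleting from it.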

 

Hackers change malicious sites fairly often to avoid detection. As a result, Google’s diagnostic page may mention malicious or intermediary domains that can no longer be found on your site since they have already been replaced with new domains.

If you can’t find the “bad” content, try searching the web for the domain names listed on the diagnostic page. Chances are, someone else has already figured out how those domain names are involved in website exploits.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

Did you know?

The Sucuri Firewall can help block attacks and virtually patch known vulnerabilities.

Caution

Do not overwrite your CMS configuration files. On WordPress, this includes the wp-config.php file and wp-content. On Joomla, this includes the configuration.php file and customizations.

2.2 - Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. In cPanel, most hosting companies offer PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from your database tables:

  • Log into your database admin panel.
  • Make a backup of the database before making changes.
  • Search for suspicious content (e.g., spammy keywords, links).
  • Open the table that contains suspicious content.
  • Manually remove any suspicious content.
  • Test to verify the site is still operational after changes.
  • Remove any database access tools you may have uploaded.

 

You can also manually search for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

Caution

These functions are also used by plugins for legitimate reasons. Be sure to test changes or seek help, so you do not accidentally break your site.

2.3 - Prevent Reinfection

Hackers always leave a way to reenter your site. More often than not, we find multiple backdoors, malicious admin users, and overlooked vulnerabilities.

User Accounts: Don’t overlook user accounts! Stolen passwords are a prime way hackers get back into your site.

To clean up your user accounts:

  • Confirm all website user accounts are valid: CMS users; FTP/SFTP/SSH users; database administration panels (PHPMyAdmin, etc.); cPanel accounts; hosting company logins.
  • Change all passwords for all users.
  • Enable two-factor authentication (2FA) if it is available.


Caution

The PHP functions commonly found in backdoors (listed below) can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions. The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in official CMS files.

Often backdoors are embedded in files similarly named to CMS core files but located in the wrong directory. Attackers can also inject backdoors into legitimate files.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file


It is critical that all backdoors are closed in order to successfully clean a website hack, otherwise your site will be reinfected quickly.
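The function list above can be turned into a triage scan that separates routine uses from the encoded-payload shape the guide describes. This is an added example, not code from the original guide or from Sucuri; the grouping into "executors" and "decoders", the "high"/"review" levels and the sample PHP are assumptions made for illustration.

```python
import os
import re

# Names come from the guide's lists; the grouping below is this example's assumption.
EXECUTORS = ("eval", "assert", "create_function", "exec", "system")
DECODERS = ("base64_decode", "str_rot13", "gzuncompress", "gzinflate")
OTHER = ("stripslashes", "move_uploaded_file")
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(EXECUTORS + DECODERS + OTHER))
# preg_replace matters only when its pattern argument carries the /e modifier.
PREG_E = re.compile(r"""\bpreg_replace\s*\(\s*(['"])(.)(?:(?!\1).)*\2[a-z]*e[a-z]*\1""", re.I)

def scan_php(source):
    """Return (line_number, function, level) findings for one PHP source string."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        names = set(CALL.findall(line))
        if PREG_E.search(line):
            names.add("preg_replace/e")
        # An executor fed by a decoder on one line is the encoded-payload shape;
        # any other hit is only a lead, since plugins use these calls legitimately.
        runs = any(n in EXECUTORS or n == "preg_replace/e" for n in names)
        chained = runs and any(n in DECODERS for n in names)
        for name in sorted(names):
            findings.append((number, name, "high" if chained else "review"))
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {relative_path: findings}."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_php(handle.read())
                if hits:
                    results[os.path.relpath(path, root)] = hits
    return results

# Constructed sample: line 2 is a routine plugin-style call, line 3 is the encoded shape.
SAMPLE = """<?php
$token = base64_decode($settings['api_token']);
eval(base64_decode("ZWNobyAxOw=="));
$clean = preg_replace('/[^a-z]/i', '', $name);
$x = preg_replace('/.*/e', $replacement, $subject);
"""

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print(finding)
```

A line-based match misses payloads split across lines or built from string concatenation, so treat a clean result as "nothing obvious" and still compare files against clean copies.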

Secure Computing: It is possible for infections to jump from a computer to your website by using CMS and file transfer applications. All computers with access to your website should be secure.

Have all users scan their computers with an antivirus program.

Here are some antivirus programs we recommend:


Most browser blocklists use the Google blocklist API. For more information visit the Google help pages.

3 - Final Steps

3.1 - Submit Website for Review

This is perhaps the most challenging part we found. Unlike Google and Bing or even Norton, there are no webmaster tools you can log into—at least none that we can find. However, here is the McAfee SiteAdvisor link you need to access.

To request a McAfee review of your site for blocklist removal:

  • Visit the ticketing service for McAfee SiteAdvisor.
  • Choose McAfee SiteAdvisor/WebControl (Enterprise) from the list.
  • Type in your URL and click Check URL.
  • Review the Reputation and Categorization for your site.
  • Click Submit URL for Review.

3.2 - Protect your Brand

As with most blocklist authorities, it takes three to five business days on average for McAfee SiteAdvisor to remove a website from their blocklist. It can also take longer, depending on the complexity of the hack and length of the ticket queue.

You can track the status of the McAfee SiteAdvisor blocklist review by clicking on “Track URL Ticket Status”.

Remove Spam URLs from Google: If spam pages were removed from your site, they may have been indexed by Google already. The spam pages can create 404 (Not Found) errors when they are removed from your site. You can use the URL Removal Tool to notify Google that these spam pages should be removed from their index.

To remove spam URLs causing 404 errors:

  • Navigate to the Google Index tab in Search Console.
  • Click the Remove URLs section.
  • Click the Temporarily Hide button.
  • Enter the URLs of spam pages that have been removed.
  • Click Continue.

Website Protection: You should also consider taking more steps to harden and protect your site. This includes applying updates, maintaining a good website backup strategy, managing user privileges, and implementing website security controls.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website firewalls were invented to surround your website with a professional defense system.

Caution

The URL Removal Tool removes pages from Google search. This option helps after you have removed spam pages so that Google knows they are not actually part of your site.

Benefits of using a Web Application Firewall (WAF)

  • A website firewall prevents a future hack by detecting and stopping known hacking methods and behaviors. It also keeps your site protected against hacks in the first place.
  • A website firewall updates your website virtually. A website firewall will patch holes in your website software even if you haven’t applied security updates. Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days).
  • A website firewall stops unwarranted access and brute-force attacks to guess your password.
  • A website firewall prevents DDoS (Distributed Denial of Service) attacks, which attempt to overload your server or application resources. A website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
  • A website firewall optimizes website performance. Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

Remove McAfee Blocklisting FAQ

  • How do I get blocklist removal from McAfee SiteAdvisor?

    If you’ve been blocklisted by McAfee SiteAdvisor you need to quickly get blocklist removal. Depending on your experience and budget, you could do it yourself using a guide like this one, or have a professional do it for you. Either way, it’s important to act as soon as possible. The longer your website is blocklisted, the more damage it can do to your ranking and reputation.

  • What is the difference between a McAfee SiteAdvisor blocklist and a Google blocklist?

    There is very little difference between the McAfee SiteAdvisor blocklist and Google blocklist. If a site gets listed on one, it is very likely it will quickly appear on the other. The advantage of this for site owners is that the process for fixing blocklist warnings is generally similar between blocklist authorities.
