E:LAB
← Services
← All guides
7 min read

Recovering from a Google Safe Browsing block (Search Console review)

By Yang Kyoungchan

Get listed in Safe Browsing and you disappear from search results — and Chrome / Firefox / Safari throw a red warning. Cleanup → Search Console review request → typical 7–14 day recovery, step by step.

  • Safe Browsing
  • Recovery
  • Search Console

A Google Safe Browsing listing is the strongest signal a site can receive. You vanish from search, and Chrome, Firefox, and Safari all block visitors with a full-screen red warning. This guide walks through the exact steps from getting listed to being delisted — usually within 7-14 days.

Step 0 — Confirm the listing

First, make sure your site is actually listed.

  • On the Google Safe Browsing site status page, enter your domain. If you see something like "Some pages on this website install malware on visitors' computers," you're listed.
  • In Google Search Console, the left-side menu under Security & Manual Actions → Security issues will show the type of breach (Hacked: Code Injection, Malware, Social Engineering, etc.)

Step 1 — Identify the root cause

This is the step people skip most often. If you don't find the cause and just clean the pages, you'll get relisted within days of any successful reconsideration. Triage order:

  1. Compromised admin accounts: check last login time and IP for every admin account. If there's a login from an unfamiliar IP, audit everything that account changed.
  2. Vulnerable plugins or themes: check every WordPress/CMS plugin and theme version against vulnerability databases (WPScan, OSV.dev).
  3. Exposed secrets: check .env, wp-config.php.bak, sourcemaps, and JS bundles for key patterns.
  4. Webshells: search recently modified PHP/JS files for patterns like eval(, base64_decode(, and system(.

Step 2 — Clean up the breach

  • Diff every file added or modified after the breach against your backup and restore the clean version.
  • Delete spam users and spam content rows added to the DB (wp_users, wp_posts, etc.).
  • Pull the list of newly indexed spam URLs from Search Console under Indexing → Pages.
  • Submit those URLs in bulk via Indexing → Removals → Temporary removal.

Step 3 — Prevent re-compromise

During reconsideration, Google looks at "what did you change so this won't happen again?" Do all of the following:

  • Force-rotate all user passwords and require 2FA
  • Revoke and reissue all API keys and DB credentials
  • Fully patch plugins, CMS, and server OS
  • Move admin pages behind an IP allowlist or VPN
  • Deploy a WAF and fail2ban (Cloudflare's free plan is enough)

Step 4 — Request a Search Console review

  1. Google Search Console → Security & Manual Actions → Security issues
  2. Check the "I have fixed these issues" box → click Request review
  3. In the request form, write the following precisely:
    • The root cause (e.g., "a vulnerability in an outdated contact form plugin")
    • The list of files and pages you removed
    • What you did to prevent recurrence (the items in Step 3)
  4. After submission, the review result email typically arrives within 7-14 days.

Step 5 — Monitor after delisting

Even after delisting, check daily that the same breach isn't recurring:

  • Run daily automated scans for .env exposure, admin pages, and malware signatures (Security:Lab's scheduled scans can automate this)
  • Keep Search Console email alerts on
  • Periodically check the Web Risk API or the Safe Browsing status page

The best way to never go through this again

The listing-to-recovery cycle is 7-14 days, but traffic, revenue, and domain reputation take much longer to come back. Preventing the listing from ever happening is 100x cheaper. The checklist in Step 1 should be part of your regular baseline scan.

← Back to all guides