Google Ads disapproved - "Compromised site" / Malicious or unwanted software
Google's ad crawler found malware or sneaky redirects somewhere in your landing-page chain and pulled the ad.
What you see
"Compromised site"
"Destination not working: Malicious or unwanted software"
This ad and others in your account have been disapproved.
What’s actually happening
Your ad flips to Disapproved with a "Compromised site" or "Malicious or unwanted software" reason, sometimes hours after it ran fine. The landing page often looks normal in your own browser. If Google decides the whole site is hacked, every ad pointing at that domain gets disapproved at once, and repeated hits can suspend the account. The disapproval reason links to the Compromised sites policy, not a specific URL.
Common causes
- Hacked WordPress/Magento install injecting JavaScript that redirects to spam, fake pharma, or malware downloads (often only for mobile or non-logged-in visitors)
- A third-party asset the page loads - CDN script, ad tag, chat widget, tracking pixel - that is itself compromised or blocklisted
- Cloaking/sneaky redirects: the crawler from a Google IP or ad-network referrer gets bounced to a different destination than humans see
- A redirect or affiliate link in the click chain passing through a domain you don't control that is flagged
- The domain or an asset host is on Google Safe Browsing's threat list from a prior infection that was never fully cleared
How to fix it
- Reproduce what the crawler sees, not what you see. Fetch the landing URL with a mobile user-agent and a Googlebot/ad user-agent (curl -A or Chrome DevTools device mode), with cookies cleared. Watch the Network tab for unexpected 302s or scripts hitting unknown domains. Conditional malware that only fires for mobile or first-time visitors is the usual reason your desktop browser looks clean.
- Find and remove the injected code at the source. Scan the full document root and database. In WordPress, check wp_options (siteurl, home), wp_posts for injected <script>, and recently modified PHP files (find . -name '*.php' -mtime -14). Pull eval/base64_decode/obfuscated blobs out of header.php, functions.php, and .htaccess. Run a server-side scanner (Sucuri, ImunifyAV, Wordfence) rather than trusting a browser check.
- Audit every third-party resource the page loads. List all external script/iframe/img origins. Run each host through Google Safe Browsing's Transparency Report and VirusTotal. Remove or replace any flagged dependency - a compromised CDN or ad tag triggers the same disapproval as your own hacked code.
- Close the entry point, then rotate credentials. Update CMS core, themes, and plugins; delete unknown admin users; rotate all passwords (CMS, FTP/SFTP, hosting panel, DB). Otherwise the reinfection lands before the re-review finishes and the ads get disapproved again.
- Clear Safe Browsing, then appeal in Google Ads. If the domain is on Safe Browsing, request a review in Search Console's Security Issues report first. Then in Google Ads, appeal the disapproved ads with "Made changes to comply with policy." The crawler re-walks the entire chain - ad, landing page, every loaded asset, and all redirects. Allow up to ~72 hours; if anything is still dirty it gets re-disapproved.
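One way to combine the "reproduce what the crawler sees" and "audit every third-party resource" steps, as an added example that is not part of the original page: save the landing page HTML from a desktop fetch and a mobile-user-agent fetch, list the external hosts each one loads, and report hosts that appear only in the mobile response. The URL, host names and HTML below are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a resource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class OriginCollector(HTMLParser):
    """Map each external host a page loads to the set of tags that load it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.origins = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        # <meta http-equiv="refresh" content="0;url=..."> is a client-side redirect.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            url = (attrs.get("content") or "").partition("=")[2].strip(" '\"")
            tag = "meta-refresh"
        if not url:
            return
        # urljoin resolves relative and protocol-relative (//host/x) URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host != self.page_host:
            self.origins.setdefault(host, set()).add(tag)

def external_origins(page_url, html):
    collector = OriginCollector(page_url)
    collector.feed(html)
    return collector.origins

def only_in_variant(page_url, baseline_html, variant_html):
    """Hosts present in the variant response (e.g. mobile UA) but not the baseline."""
    base = external_origins(page_url, baseline_html)
    variant = external_origins(page_url, variant_html)
    return {h: tags for h, tags in variant.items() if h not in base}

# Constructed sample responses for one URL, saved from two fetches.
PAGE = "https://shop.example/landing"
DESKTOP_HTML = """<html><head><script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script></head>
<body><img src="//pixel.example/t.gif"></body></html>"""
MOBILE_HTML = DESKTOP_HTML.replace("</head>",
    '<script src="https://injected.invalid/r.js"></script>'
    '<meta http-equiv="refresh" content="0;url=https://redirect.invalid/x"></head>')

if __name__ == "__main__":
    for host, tags in sorted(only_in_variant(PAGE, DESKTOP_HTML, MOBILE_HTML).items()):
        print(f"only in mobile response: {host} via {sorted(tags)}")
```

This only sees origins present in the served HTML; hosts pulled in later by running JavaScript still need the Network tab check from the first step.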
Stop it recurring
Keep CMS and plugins patched, lock down admin logins with 2FA, and periodically fetch your landing pages with a mobile user-agent to catch cloaked injections early.