"The site ahead contains malware" Safe Browsing block
Google detected malware hosted or distributed from your domain and blocks the page with a red interstitial in Chrome, Firefox, and Safari.
What you see
The site ahead contains malware
Attackers currently on example.com might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards).
Back to safety
What’s actually happening
This is the malware variant, not the phishing one. The phishing warning means Google thinks your page tricks people; this one means Google found code that infects them — injected JavaScript, a drive-by download, or a redirect to a malware payload. The wording on the interstitial is the tell: it talks about "dangerous programs" rather than "revealing your personal information." The fix path is the same shape as phishing but the cleanup target is different, and you submit a malware review rather than a social-engineering one.
Common causes
- Injected JavaScript appended to legitimate .js or PHP files — often base64-encoded or obfuscated — that loads a payload from an attacker's server
- A compromised plugin or theme with a known upload/RCE vulnerability that let an attacker write files
- A drive-by download or malicious ad/redirect served through a hacked ad slot or a poisoned third-party script
- A malicious file sitting in /uploads or a fake plugin folder that the site links to or serves
- Outdated CMS core or an abandoned plugin that has not had a security update in months
How to fix it
- Confirm it in Search Console and the transparency report: Search Console -> Security issues will say "Malware" or "Harmful downloads" and list sample URLs. Enter the domain at transparencyreport.google.com/safe-browsing/search to see Google's current verdict. That tells you whether you are dealing with hosted malware, an injected script, or a flagged download.
- Locate and remove the malicious files: Diff your core files against a clean copy of the same version — anything that differs is suspect. Run `find . -name '*.php' -mtime -14` and `grep -rEl 'eval\(|base64_decode|gzinflate|fromCharCode' .` over the webroot to surface injected code. Check the database (wp_posts, wp_options) for injected `<script>` tags. Delete the payload and the backdoor that wrote it.
- Update or replace the compromised plugin/theme: If the entry point was a vulnerable plugin or theme, update it to a patched version or remove it entirely and find a maintained alternative. Reinstall WordPress core from a fresh download rather than trusting the existing files. Replace, do not just deactivate, anything you cannot verify as clean.
- Rotate credentials and rescan: Reset admin, database, FTP/SFTP, hosting panel, and API credentials. Run a server-side scanner (not just a remote one) to confirm nothing is left. Remote scanners miss files that are served only to logged-out visitors or specific user agents.
- Submit a malware review: In Security issues, expand the malware entry and Request Review. Malware reviews usually clear faster than phishing ones — often within a day — but only if the site is actually clean. A failed review costs you days, so verify first.
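An added example for the "Locate and remove the malicious files" step (not part of the original guide): a Python triage script that compares a live webroot with a clean copy of the same release, reuses the grep indicators from that step, and flags script files under an uploads directory. The function names, the "uploads" path check, and the sample trees built by build_sample() are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Same indicators as the grep in the "Locate and remove" step.
SUSPICIOUS = re.compile(rb"eval\(|base64_decode|gzinflate|fromCharCode")
SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumed list of executable extensions


def triage(live_root, clean_root):
    """Return {relative path: [reasons]} for files in live_root that need review."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel, data = path.relative_to(live_root), path.read_bytes()
        reference = clean_root / rel
        reasons = []
        if not reference.is_file():
            reasons.append("not in clean copy")
        elif data != reference.read_bytes():
            reasons.append("differs from clean copy")
        if "uploads" in rel.parts and path.suffix.lower() in SCRIPT_EXTS:
            reasons.append("script in uploads")
        if SUSPICIOUS.search(data):
            reasons.append("obfuscation pattern")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def build_sample():
    """Constructed sample trees (not real site data); returns (live, clean)."""
    base = Path(tempfile.mkdtemp())
    files = {
        "clean/index.php": b"<?php require 'wp-blog-header.php';",
        "clean/wp-includes/js/app.js": b"console.log('ok');",
        "live/index.php": b"<?php require 'wp-blog-header.php';",
        "live/wp-includes/js/app.js": b"console.log('ok');\neval('PLACEHOLDER');",
        "live/wp-content/uploads/2024/cache.php": b"<?php eval(base64_decode('PLACEHOLDER'));",
        "live/wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff constructed image bytes",
    }
    for name, data in files.items():
        (base / name).parent.mkdir(parents=True, exist_ok=True)
        (base / name).write_bytes(data)
    return base / "live", base / "clean"


if __name__ == "__main__":
    for rel, reasons in triage(*build_sample()).items():
        print(f"{rel}: {', '.join(reasons)}")
```

Site-specific files such as wp-config.php and legitimate media will also show up as "not in clean copy"; that reason on its own means review the file, not delete it.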
Stop it recurring
Keep core, plugins, and themes patched, drop unused extensions, run a server-side malware scanner on a schedule, and lock down file write permissions so a single vulnerability can't plant code.