How to remove a Google block for WordPress sites

If Google has flagged your WordPress site as dangerous or as a reported attack site, you will need to clean the installation and then request a manual review. The steps below walk you through the process.

1. Update all plugins and themes

Update every plugin and theme to its latest version. Remove any older, unused versions before updating to avoid leaving vulnerable files behind.

2. Check for outdated TimThumb

Make sure none of your themes or plugins use an old version of the TimThumb image-resizing script, which has well-known security vulnerabilities. If a TimThumb cache directory exists, clear it.

3. Reinstall WordPress

Even if WordPress appears to be up to date, run the upgrade process again. This replaces all core files with clean copies, which removes any modified or injected files that may have been planted by an attacker.

4. Scan for malicious code

Search your installation for common signs of injected malware. If you have SSH access, run the following commands from your WordPress root directory.

Check for base64_decode wrapped in eval():

grep -r base64_decode *

Check for hex-encoded JavaScript:

grep -rP "(?:\\x[A-F0-9]{2}){5}" *

You can also use the malware scanning tools available in your hosting account - Imunify360 and Patchman can detect and flag infected files automatically.

5. Fix directory permissions

Check that no directories are set to world-writable 777 permissions. Directories should normally be set to 755 and files to 644.

6. Request a Google review

Once your site is clean, submit it for a manual review through Google Search Console. You will need to verify ownership of your site if you have not already done so. Google's guidance on requesting a malware review is available in the Search Console Help documentation.

7. Allow time for the review

The review process typically takes around 24 hours after submission. Google will notify you of the outcome via Search Console.