Domain Flagged for Malware — What to Do First

When Google Web Risk or AlienVault OTX flags your domain, browsers begin showing red interstitial warnings to your visitors and your traffic collapses within hours. Treat this as a P0 incident.

What being “flagged” actually means

Google Web Risk powers the Safe Browsing warnings shown by Chrome, Firefox, and Safari. AlienVault OTX is a community threat-intelligence feed used by enterprise security tools and email providers. A flag from either means at least one trusted source has reported your domain as hosting malware, phishing, or unwanted software.

Flags aren’t arbitrary — something on your domain (or that was recently on it) triggered detection. The job is to find what, clean it up, and request review.

Investigate immediately

  1. Open Google’s Transparency Report and search your domain. The detail page lists the threat type and last-seen URLs.
  2. In Google Search Console, check Security & Manual Actions → Security issues. Each issue links to example URLs and indicators.
  3. Audit your webroot for recently modified files. Look for obfuscated PHP/JS, unfamiliar files in /uploads/, and .htaccess redirects you didn’t set.
  4. Check user-generated-content endpoints (file uploads, comments) for stored XSS or hosted phishing pages.
  5. Scan for compromised admin accounts — rotate all admin credentials and force re-login.
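A triage script for step 3 above, added here as an example (it is not GuardHound's tooling). It assumes a POSIX shell with find, grep and sed on the web server; audit_webroot, the WEBROOT/DAYS arguments and the sample webroot it builds are all constructed for this illustration.

```shell
# audit_webroot WEBROOT [DAYS] prints one lead per line and exits 1 when it finds none:
#   UPLOAD_EXEC       executable code under an uploads/ directory (should never exist)
#   OBFUSCATED        PHP/JS changed in the last DAYS days containing a common loader pattern
#   HTACCESS_REDIRECT .htaccess rule rewriting to an absolute http(s) URL
# Every line is a lead to review by hand, not proof of compromise (a redirect to your
# own host, or a JS library that calls eval, will show up here too).
audit_webroot() {
  root="$1"; days="${2:-7}"
  findings=$(
    find "$root" -path '*/uploads/*' -type f \
      \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
      -exec printf 'UPLOAD_EXEC %s\n' {} \;
    find "$root" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$days" \
      -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} \; \
      | sed 's/^/OBFUSCATED /'
    find "$root" -name .htaccess -type f \
      -exec grep -liE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} \; \
      | sed 's/^/HTACCESS_REDIRECT /'
  )
  [ -n "$findings" ] && printf '%s\n' "$findings"   # status 1 when nothing was found
}

# Constructed sample webroot so the check runs offline: one clean index.php, one
# inert "dropper" in uploads/ (the base64 string only decodes to "foo"), and an
# .htaccess redirect to a reserved .invalid hostname.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/uploads/2024"
printf '<?php echo "hello";\n' > "$SAMPLE_ROOT/index.php"
printf '<?php eval(base64_decode("Zm9v"));\n' > "$SAMPLE_ROOT/uploads/2024/image.php"
printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://landing.example.invalid/ [R=302,L]\n' \
  > "$SAMPLE_ROOT/.htaccess"

cleanup_sample() { rm -rf "$SAMPLE_ROOT"; }

# Expected: UPLOAD_EXEC and OBFUSCATED for uploads/2024/image.php, HTACCESS_REDIRECT
# for .htaccess, nothing for index.php.
audit_webroot "$SAMPLE_ROOT" 7 || echo "no findings"
```

On a real server run it against the live webroot with a DAYS window that starts before the date on the Transparency Report detail page, and compare the OBFUSCATED hits against your deployment history before deleting anything.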

Clean up and request review

  1. Remove or quarantine every malicious file identified. Restore from a clean backup if needed.
  2. Patch the entry vector — outdated CMS, vulnerable plugin, exposed admin endpoint, weak password.
  3. In Google Search Console → Security issues, click “Request review” and describe what you fixed. Reviews typically clear within 24–72 hours.
  4. For OTX, contact OTX support with cleanup evidence; pulses age out automatically too.
  5. Re-scan with GuardHound to confirm — the finding clears once both providers report safe.

Prevent recurrence

Run a free scan to find issues like this on your domain

GuardHound checks SSL, DNS, breaches, CVEs, lookalikes, hosting reputation, and more in under 30 seconds.


Frequently Asked Questions

How long until the warning clears for visitors?
Once Google approves your review, the warning is removed within hours. Browser cache may show it for an extra 24 h to specific visitors. OTX pulses age out independently — some take days.

My site is fine — why is it flagged?
Either the flag is stale (something cleaned up days ago is still cached), or you’re sharing infrastructure with a bad neighbor. Read the specific URLs in the Transparency Report. If none reference your content, it’s likely shared-hosting noise.

Should I take the site down?
Only if it’s actively serving malware to visitors. A maintenance page is better than a flagged page — visitors won’t see browser warnings on a static placeholder. Keep the cleanup-and-review work running underneath.