Plexcel Info Systems Private Limited

Have you ever encountered a “Deceptive Site Ahead” situation?

 

Yes, we did and we resolved it too…

What is the “Deceptive site ahead” issue?

“Deceptive site ahead” is a strong warning shown when the user opens a website with malicious code. In most cases it is an authentic red alert that warns the user away from the potential risks of visiting subsequent pages of the site.

You should be all the more concerned in case your website is throwing up this issue.

First things first, do not panic.

If you are currently witnessing the “Deceptive Site Ahead” pop-up alert, do not bypass it; otherwise you can put your privacy and security at risk by entering a site with malicious code or a malware-infected domain.
This blog outlines the scenario we encountered and the steps for its resolution.

Scenario: Last year we launched a WordPress® website for one of our clients. This site is gaining popularity across the globe.

The first notification about this situation was received last week from our hosting services provider, about phishing activity on the website. The site was affected. The suggestion to us was to scan all files on the site to identify and remove infected files.

The affected site was suspended by our hosting services provider and it was down. This was the first time we came across such an issue.

 

Steps we took to resolve this issue:

Step 1: Upon checking through cPanel, all files were removed except for a few. There were a few new files with a .php extension. While backing up, the system alerted us about the threat. With no other option, we had to delete all files of the affected site on the hosting server.

As always, we have been diligent about keeping a backup of the site available locally with us. These files were uploaded to the hosting server.

Step 2: With the above, the site was active, but the “Deceptive Site Ahead” alert persisted. It warns the site visitor about a risk upon accessing the infected domain. Thus no one would risk the implications of visiting such a site.

We looked for a resolution to get rid of the “deceptive site ahead” message and came to know that this message was created by Google Safe Browsing® services in order to protect Internet users from unsafe online content.

We started troubleshooting the issue over multiple browsers. The site was working fine on all browsers except Google Chrome® and Mozilla Firefox®.

This was resolved with the following approach:

Step 3: We visited Google Webmaster using the link “https://www.google.com/webmasters/#?modal_active=none” and, in Search Console, submitted the domain name/URL of this deceptive site.

 

Step 4: Another pop-up window showed “Verify domain ownership via DNS record”. This provided a verification code. We added this verification code as a TXT record in the DNS configuration.

If you don’t know how to add this, you can reach out to your domain/hosting provider for support on the same.

 

Step 5: After clicking on Verify, we still got an error and Google Search Console showed “Ownership verification failed”.

We tried to verify for two days, but the deceptive site message was still visible in the Google Chrome browser.

 

Step 6: We looked for a few plugins for detecting malware and installed the Sucuri security plugin on WordPress. There are other plugins available as well. With this, we could identify a new plugin called Sketch which was installed automatically in the wp-content/themes folder. As we were sure that it was not installed by us, we deleted this plugin.

Step 7: After deleting the plugin, we re-verified with Google Webmaster. It took about 12-14 hours for the verification cycle to complete.
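
A way to carry out the file check behind Steps 1 and 6 when a known-good local backup exists, as an added example that is not from the original post: it hashes both trees and reports files and theme directories found only on the live copy. The directory names, file names and file contents below are constructed samples.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_backup(backup_root, live_root):
    """Return sorted lists of added, modified and missing relative paths."""
    backup, live = snapshot(backup_root), snapshot(live_root)
    added = sorted(set(live) - set(backup))
    missing = sorted(set(backup) - set(live))
    modified = sorted(p for p in set(live) & set(backup) if live[p] != backup[p])
    return added, modified, missing

def unknown_components(backup_root, live_root, subdir="wp-content/themes"):
    """Entries under subdir that exist on the live copy but not in the backup."""
    def names(root):
        path = os.path.join(root, subdir)
        return set(os.listdir(path)) if os.path.isdir(path) else set()
    return sorted(names(live_root) - names(backup_root))

def build_demo(base):
    """Write constructed backup/ and live/ sample trees under base (hypothetical names)."""
    trees = {
        "backup": {"index.php": "<?php // site", "wp-content/themes/mytheme/style.css": "a"},
        "live": {"index.php": "<?php // site", "wp-content/themes/mytheme/style.css": "b",
                 "wp-content/themes/sketch/functions.php": "<?php // not ours",
                 "extra.php": "<?php // not ours"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "backup"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_demo(tmp)
        print(compare_to_backup(backup, live), unknown_components(backup, live))
```

Point `compare_to_backup` at a downloaded copy of the live site rather than the server itself, and treat every added or modified `.php` file as needing review before the backup is restored.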

 

We were done with DNS verification and the issue was resolved. Now when we browse the website, we can see the landing page.

I hope this article will be a useful example of resolving the “Deceptive site ahead” issue.

Stay tuned to read many such useful articles.

One Comment

  1. Uday said:

    Good article

    September 9, 2019