A red "Deceptive site ahead" warning in Chrome (and Firefox, and Safari) is the second-worst thing that can happen to a website. The first is a hack with no backup. The second is the warning that follows it.
The good news: clearing the warning is a well-defined process. The bad news: you have to do every step or it will not work.
Step 1: confirm the site is actually clean
Submitting a clean-up review on a still-infected site fails in the worst way — Google extends the warning by another 30 days. Before you do anything else, run two independent malware scanners. Wordfence and Sucuri both have free scan tools. If either flags anything, fix it before going further.
Step 2: verify ownership in Google Search Console
If your site was already in Search Console you are halfway there. If not, add it now and verify ownership. Google sends security warnings, blacklist notifications, and clean-up confirmations through Search Console — without it, you are flying blind.
Step 3: open Security Issues in Search Console
Inside Search Console, go to "Security & Manual Actions" → "Security Issues." Google lists exactly which URLs were flagged and what type of issue (malware, phishing, deceptive content, harmful downloads, etc.). The list is the cleaning checklist.
Step 4: clean every flagged URL
For each flagged URL, find what was injected. Common patterns:
- Pharmacy spam pages — usually injected as static HTML files in random folders, or as draft WordPress posts that have been switched to published. Find them via the file system or via Search Console's URL list.
- JavaScript redirects — usually injected into theme files (
header.php,footer.php) or intowp_options. Replace theme files from clean source. - Backdoors in uploads — PHP files in
wp-content/uploads/that should not exist. Delete and replace WordPress core.
Step 5: re-scan with the same tools
Run Wordfence and Sucuri (or whatever you used in step 1) again. If they are clean, you are ready for the review request.
Step 6: request a review in Search Console
Same Security Issues page. Click "Request Review." Briefly describe what you found and what you cleaned — Google's reviewer reads this. Do not be vague. "We found pharmacy spam pages injected into wp-content/uploads, deleted them, replaced WordPress core, and rotated all admin passwords" gets a faster turnaround than "we cleaned the site."
Step 7: wait 24–72 hours
Most reviews complete within 24 hours. Some take up to 72. If yours is taking longer, double-check that nothing got re-flagged after submission.
What goes wrong
- Re-infection during the review. Whatever attacker found you the first time is still scanning. If you did not patch the vulnerability that let them in, they walk back in within hours.
- Cached content. If you use a CDN or aggressive caching, flagged URLs might still be served from cache after you cleaned the origin. Purge everything.
- Stale Search Console data. Sometimes the dashboard takes a day to reflect the cleaning. The review process runs on real-time scans, not the dashboard view.
If the warning stays after 72 hours, your site still has something Google's scanners can see. Time to dig deeper or call someone who has done this before.