I’m a solo founder and really struggling to get Google Ads running for my website. My site always gets flagged as Compromised Site and Malicious Software, even though I’ve done several checks that shows it’s clean. Even Google’s own Safe Browsing shows it as clean.
Their latest feedback after appealing suggests I change from a .co.uk to .com to resolve the issue which seems like complete nonsense.
Does anyone have any suggestions on how I can fix this? All of my competitors are running ads and it’s extremely frustrating as a solo founder that I am unable to do so.
Will post my website on request as I’m not sure if I’m allowed to post it.
If I'm correct, changing your domain might help in that machine learning algorithms consume tons of signals and maybe altering that particular one would push your site under the "bad" threshold. But it might not do anything. It's a super frustrating problem. I hope you can stumble onto a solution or find someone at Google willing to help.
It doesn’t work. These automated systems are flagging a (presumably) benign site and an article yesterday regarding their $5M lawsuit for running a scam ad on their SERP for “Coinbase support” suggest the automated systems can be bypassed too.
I’m not saying automated detection can’t be a part of it, but we shouldn’t accept companies automating away decision making as if computer-derived errors are acceptable.
The larger point is that Google isn’t exactly strapped for cash. They could hire an army of reviewers. They just don’t.
> They could hire an army of reviewers. They just don’t.
They may actually do that too, but perhaps there are thresholds that must be met for something to reach a reviewer. I have some sympathy for Google here as I work on email security in a high-volume environment. ML is one tool in the box, and human reviewers are another. Everything is a tradeoff between resources, false positives, and false negatives.
At least my organization's customers can contact support if something is going wrong, but for people trying to legitimately use Google Ads, it can be an extremely frustrating situation of shouting into the void. (And getting boilerplate support answers back from the void.)
Tons of Google products are going haywire right now and it’s clear nobody at the Monopoly money machine is at the wheel or even cares.
Google search console was down for multiple days recently. If you check your Gmail spam folder, you’ll see lots of legitimate emails in there from the past few weeks. Google My Business profiles have been disallowing legitimate profile pictures for months. I could go on.
I'm checking web.archive.org and it all looks pretty innocent so far apart from the domain for sale pages that started around 2011
If it is, then they should say what they mean instead.
What I did to fix this was to migrate my landing pages to a new domain. (I believe migrating my landing pages to a different subdomain on the same domain would also work, but I haven't tested this.)
You don't need to run traffic to your full website. All you need is a marketing website to run traffic to. That marketing website doesn't even need database integration, so you can put that marketing website on a totally different server.
So to fix this issue, I wouldn't try to fix it. I'd just create a marketing website somewhere else and direct traffic to that.
[0] https://news.ycombinator.com/item?id=40431126 "Show HN: Pls Fix – Hire big tech employees to appeal account suspensions (plsfix.co)"
1. See if VirusTotal lists your site (including subdomains, app.domain and www.domain, etc): https://www.virustotal.com/gui/home/url
If wrongly flagged, reach out to each security vendor manually - takes about 3-5 days to get them to rescan manually and remove any flags.
2. Check for any dodgy javascript libraries you might inadvertently be using. Specifically, just remove all non-relevant JS until you get approved, then you can slowly add them back in if really needed.
Super frustrating that Google has this much power, and totally ridiculous they want you to switch to .com (pretty sure that's an outsourced CS worker giving you a random suggestion).
On a related note, one interesting thing I did discover, due to a small misconfiguration of NextJS + App Router, I was getting two </html> closing tags in my markup, which https://sitecheck.sucuri.net/ was flagging as potential site compromise, I guess because a site with malware injecting unwanted scripts could cause broken markup as a common side effect? Anyway I long since fixed that and it hasn't made a difference.
I would keep pushing back on that, there is no way that you need to move to another TLD.
They say that the site is "compromised and has malicious software", I bet it's actually something else, like a site that you're linking out to that's compromised and malicious--that's happened quite a bit in cases where sites are flagged like this in Google Ads.
The web isn't as well woven as it used to be. They'll just harm a bunch of innocent people, not numerous enough for the public at large to even notice.
A friend's gym, freedomfit.us, a now two year old domain that SSLTrust.com.au lists as clean still seems to hit issues with some people. They moved to another domain, ff-wp.com on another hoster but that didn't help their issues with some people that still can't access it. That makes me wonder if associativity by content is viral to the new domains - from a malware-spreading perspective that would of course make sense but I could imagine this doing more harm than good.
If anyone has insights on best ways to establish trust new domains/startups, I'm sure the crowd would appreciate your time and insights. What I'm doing so far, is trying to manually categorize/list the URLs with the dominant firewall/antivirus vendors, but it's a lengthy manual process and I'm not sure of the benefits either.