How To Fix “This Site Ahead Contains Harmful Programs” WordPress

Before you touch anything, take a backup — even of the infected version. You may need to reference the infected files to understand what changed.

Options for backing up:

• Backup plugin: If you can still access your WordPress dashboard, install a plugin like UpdraftPlus or BackWPup, run a full backup, and download the zip file to your computer.
• Via your hosting control panel: Most hosts (cPanel, Plesk, etc.) offer a one-click backup in your hosting dashboard. This captures both files and database.
• Via FTP: Connect with FileZilla, download your entire wp-content/ directory and your wp-config.php file locally. Also export your database via phpMyAdmin in cPanel.

Store the backup somewhere offline — an external hard drive or a cloud folder separate from your site. Do not open any infected PHP files on your computer unless you know what you’re doing.

The “harmful programs” warning means malicious code is somewhere in your site’s files or database. Finding and removing it is the most important step.

Option A: Restore from a clean backup

If you have a backup from before the infection, restore it immediately. This is the fastest and most reliable fix. Then change all passwords (WordPress admin, FTP, database, hosting) and update every plugin and theme before going live again.

Option B: Scan and clean manually (if no clean backup)

1. Run a malware scanner. Install the Wordfence Security plugin (free version is effective). Run a full scan from Wordfence > Scan. It will flag any modified or infected files.
2. Check wp-content/uploads/ for PHP files. Malicious PHP files hidden in the uploads folder are one of the most common attack vectors. There should be no PHP files there at all. Delete any you find.
3. Reinstall WordPress core. Go to Dashboard > Updates and click “Re-install Now.” This replaces all WordPress core files with clean versions, without touching your content.
4. Delete and reinstall every plugin. Deactivate all plugins, delete them, then reinstall fresh copies from WordPress.org. Do not reinstall plugins that are not actively maintained.
5. Check wp-config.php and .htaccess. Open these files via FTP and look for obfuscated code (typically long base64 strings or eval() calls). If you find anything suspicious, compare to a clean WordPress installation and remove the offending lines.
6. Change all passwords. WordPress admin password, FTP password, database password, and your hosting account password. Use strong, unique passwords for each.

After cleaning, run the Wordfence scan again to confirm everything is clear before requesting Google’s review.

Once your site is clean, you need to request a review from Google. Until you do this, the “harmful programs” warning will stay in place even on a fully clean site.

Steps to request a Google review:

1. Go to Google Search Console (search.google.com/search-console) and log in. If your site is not verified there yet, add and verify it first.
2. In the left sidebar, click Security & Manual Actions > Security Issues.
3. You’ll see a list of the specific issues Google detected (e.g., harmful downloads, malware, social engineering). Review them to confirm your cleanup covered all the flagged items.
4. Check the checkbox next to each issue that you’ve resolved, and click Request a Review.
5. In the review request form, describe what you found and exactly what you did to clean it. Be specific — “removed malicious PHP file from uploads directory, reinstalled WordPress core and all plugins, changed all passwords.” A detailed explanation speeds up the review.
6. Submit the request.

What happens next: Google typically processes review requests within a few days, though complex cases can take up to two weeks. You’ll receive a notification in Search Console when the review is complete. If the review finds remaining issues, you’ll need to clean again and re-submit.