Google Ads says my website has been compromised, what do I do?

If Google disapproves your ads due to "compromised site" or malware, take that seriously.

In my experience Google is usually correct... and only occasionally wrong.

Premium security tools (Sucuri, Wordfence, etc.) can completely fail to spot malware. The same goes for hosts' tools and for Search Console. You might do all sorts of checks and find nothing, yet the website could still be hacked and linking to malware.

Sometimes the problem is within an embed, i.e. not actually on your own website, which is a common reason for testing tools to miss it.
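One way to list everything a page embeds from other hosts, so that each one can be checked separately (an added example, not part of the original lesson; the page URL, host names and HTML are constructed sample values):

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that pulls external content into the page
EMBED_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

class EmbedCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and protocol-relative (//host/...) URLs
            self.found.append((tag, urljoin(self.page_url, value.strip())))

def third_party_embeds(html, page_url):
    """Return {host: [(tag, url), ...]} for embeds served from other hosts."""
    own_host = urlparse(page_url).hostname
    collector = EmbedCollector(page_url)
    collector.feed(html)
    result = {}
    for tag, url in collector.found:
        host = urlparse(url).hostname
        # Any host other than the page's own, subdomains included, is listed
        if host and host != own_host:
            result.setdefault(host, []).append((tag, url))
    return result

# Constructed sample page: two local resources, two third-party embeds
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//widgets.example.net/donate.js"></script>
</head><body>
<img src="images/logo.png">
<iframe src="https://video.example.org/embed/123"></iframe>
<script src="https://www.example.com/js/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    page = "https://www.example.com/donate/"
    for host, items in sorted(third_party_embeds(SAMPLE_HTML, page).items()):
        print(host, [url for _, url in items])
```

Run it against the saved HTML of each URL Google reports; any host you don't recognise or no longer use is a candidate to investigate or remove.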

Sometimes searching Google for site:yourdomain.com helps you spot pages that are being added to your site.

1. Pause any active ad campaigns immediately

and do not re-enable them until you are absolutely sure it is safe to do so, and only after Google has removed the flag. The risk is that you'll get a ban for circumventing systems if you allow ads to run for pages that are compromised.

2. Contact Google immediately

Contact Google and ask them to email you a list of compromised URLs. Those are going to be useful in diagnosing the problem so you can fix it. If the support person says they can't do this, insist.

3. Fix the website

Diagnosing and fixing a hacked website, then preventing it from happening again, is beyond the scope of this course. It can be a difficult task, even for an experienced web developer, so get help. You'll need to check change logs for your CMS and the hosting server, check when files were altered and what changes were made, and perhaps revert to a recent backup.

4. Contact Google once it's fixed

After fixing it, wait a day, then contact Google again to request a review. Try this form to contact Google: support.google.com/google-ads/gethelp.

Or if it's a false positive, you can return to Google and tell them... but you need to do this step first to make sure.

5. Re-enable your ad campaigns

The ad status should now say approved rather than disapproved. You should be safe to un-pause your campaigns.

Advice for WordPress users

Here is guidance on how to fix a hacked WordPress website:

wordpress.org/support/article/faq-my-site-was-hacked/

And how to prevent a site getting hacked again:
wordpress.org/support/article/hardening-wordpress/

Case study: How fixing and speeding up a compromised website improved a Google Ad Grant

Google flagged all ads on a health nonprofit's grant account as "compromised site".

The web developer went into action and although they didn't find evidence of a specific hack or malware, they cleaned up a lot of issues on the website, hardened its security, and improved its loading speed.

We asked Google to check again and they were satisfied and removed the disapproved status. The screenshot below shows what happened next in the Google Ad Grant account. Note that it's one of the Legacy Ad Grant Pro accounts with four times the usual spend.

Immediately the ads were re-enabled, the account went up to full daily spend (blue line). It had been struggling for several months to use the full budget. But that's not the most dramatic improvement: look at the red line for conversion rate: it absolutely shot up. Bear in mind that we'd made no changes to how conversion tracking worked, so this change was solely caused by website improvements.

My analysis is that the slow, possibly compromised website was leading to low spend in the Ad Grant, and fixing those problems removed a barrier to spending the budget. Fixing website issues also meant that more people were able to successfully take actions on reaching the website, leading to more successful ad campaigns.

So make sure the website runs as fast and as smoothly and as securely as possible: it might make it easier to manage your Google Ad Grant.




Updated: July 2024
