Attack Pattern 1 / 7
Injected Scripts That Transmit User Data
Code added to the site that captures form data, login credentials, or payment information and sends it to an attacker.
See this on your site?Your Site Got Hacked. We Clean It and Get Your Google Ads Back.
Google's Compromised Site policy disapproves ads when your site has been hacked or hijacked. You have at least 7 days before the Google Ads account suspended warning becomes a permanent ban. We use that window to find the breach, clean the site, clear Google Safe Browsing, and reinstate your ads.
Send us the disapproval notice. Within 24 hours you get a written diagnosis: where the malicious code lives, how the attacker got in, what the cleanup involves, and a timeline that beats the 7-day window.
Free diagnosis. No commitment. If your case actually falls under Malicious Software (a harder policy), we tell you on day one.
ads.google.com/aw/policy/manager
Policy Manager — Site issues
Compromised site
Ads disapproved · 7-day window active
RESOLVED — ADS SERVING
Confirm Which Policy Hit Your Account
Two Google Ads policies cover hacked websites and malware. Google enforces them differently:
| Policy | What it covers | Enforcement |
|---|---|---|
| Compromised Site | Your site was hacked or hijacked without your knowledge | At least 7-day warning before suspension. Ads get disapproved immediately. |
| Malicious Software | Intentional distribution of malware through your site or ads | Immediate suspension. No prior warning. Classified as egregious. |
The policy name appears in your Google Ads email and in Policy Manager. Check it before starting any cleanup. The appeal strategy and timeline differ.
If your email says Malicious Software, your case is more severe and your account may already be suspended.
What Is the Google Ads Compromised Site Policy?
The Compromised Site policy disapproves Google Ads with destinations whose code has been manipulated to act for a third party without the owner's knowledge. The policy covers hacked sites that inject malicious scripts, install malware, redirect users, or steal data. Google issues at least a 7-day warning before suspending the account.
Source: Google Ads Compromised Sites policy (support.google.com/adspolicy/answer/15938376)
Your Site Got Hacked. You Have 7 Days Before Suspension.
Every day inside the window matters. Send us the disapproval notice now and you get a written diagnosis within 24 hours — infection location, entry point, cleanup scope.
You Have Time. Use It.
Day 0
Ads disapproved
Google detects the compromise. Ads stop running. Account stays open.
Day 7+
Suspension risk
Without cleanup + Safe Browsing clearance, Google escalates to a full account suspension.
Day 14+
Reinstated
Cleanup complete, Safe Browsing cleared, Google Ads re-approves the destination.
Compromised Site enforcement runs on a delayed timer. Ads stop running on the day Google detects the compromise. The account itself stays open for at least 7 days before Google escalates to a full suspension. That window is the difference between a contained problem and a full account loss.
Three things must happen inside the window:
- 1 The malicious code gets removed from every location on the site.
- 2 The vulnerability that let the attacker in gets patched.
- 3 Google's Safe Browsing system rescans the domain and clears it.
The third step is the bottleneck. Safe Browsing reviews can take 24 to 72 hours after submission. Cleanup without Safe Browsing clearance leaves the site flagged, and Google Ads will keep refusing the appeal.
What Google's System Flags as a Compromised Site
Google defines a compromised site as one whose code has been manipulated to benefit a third party without the owner's knowledge, often harming visitors. Swipe through the seven attack patterns Google explicitly publishes — these are the patterns the automated scanner matches against your destination.
Swipe or scroll horizontally
Attack Pattern 2 / 7
Credit Card Skimmers
Specialized scripts that intercept checkout data on e-commerce sites. Common on hacked Magento, WooCommerce, and Shopify implementations with compromised third-party apps.
See this on your site?
Attack Pattern 3 / 7
Malware Installation on Visitor Devices
Code that triggers a download or browser exploit when a visitor lands on the page.
See this on your site?
Attack Pattern 4 / 7
Unwanted Popup Ads
Scripts that show popups on top of your site's content, usually pointing to scam or affiliate destinations.
See this on your site?
Attack Pattern 5 / 7
Unauthorized Redirects
Code that redirects visitors to a different site, often after a delay or on mobile only. The site looks fine to the desktop reviewer but redirects mobile users.
See this on your site?
Attack Pattern 6 / 7
Data Misuse Without Consent
Scripts that share visitor data with third parties in violation of the site's stated privacy practices.
See this on your site?
Attack Pattern 7 / 7
Exploited CMS Vulnerabilities
The site runs WordPress, Magento, Joomla, or another CMS with a known vulnerability that an attacker used to inject any of the above.
See this on your site?All examples paraphrased from Google's Compromised Sites policy. Google's list is non-exhaustive.
7
Attack Patterns Google Scans For
Most Hacked Sites Match Two or Three of These Patterns at Once.
The disapproval email names one. Our scan checks all seven against your site, your database, and your server config — because attackers chain exploits and missing one leaves you reinfected within days.
How Honest Sites Get Compromised
Nine out of ten Compromised Site cases trace back to one of the entry points on the right. The attacker rarely targets the site by name. Automated bots scan the internet for known vulnerabilities and exploit any site running outdated software.
The disapproval is a downstream symptom. The actual problem is the unpatched entry point. Cleaning the injected code without closing the entry point guarantees reinfection within days.
Common entry points we find
- Outdated WordPress core, themes, or plugins with public exploits
- Abandoned plugins no longer maintained by their developers
- Weak admin passwords or reused passwords leaked in unrelated breaches
- Compromised hosting accounts shared with other hacked sites
- File upload forms without proper validation
- Unsecured staging or development environments left accessible
- Third-party scripts loaded from compromised CDNs
- E-commerce platform plugins that were themselves compromised upstream
- Forgotten admin accounts created by previous developers
Six-step cleanup
How We Clean Your Site and Reinstate Your Ads
Every step is sequenced to beat the 7-day window. Skipping any one of them — especially the Safe Browsing review — is why most DIY cleanups fail at re-approval.
01
Step 1 of 6
Diagnosis (within 24 hours)
We pull the disapproval reason from your Google Ads Policy Manager. Google sometimes names the compromised domain or script in the disapproval detail. We run the Safe Browsing site checker, review the Search Console Security Issues report if you grant access, and run independent malware scans. You receive a written report identifying the infection and the likely entry point.
02
Step 2 of 6
Honest Verdict
If the case is a clean Compromised Site issue with a clear cleanup path, we quote the work. If our scan reveals the issue actually involves intentional distribution (rare, but it happens when a site owner is unknowingly hosting affiliate malware), we explain the escalation risk to Malicious Software before any work begins.
03
Step 3 of 6
Source Cleanup
We remove every malicious file, database injection, and configuration change introduced by the attacker. We close the entry point: software updates, password resets, file permission corrections, removal of unused plugins or themes, security hardening at the server level.
04
Step 4 of 6
Safe Browsing Review
After cleanup, we submit the site for review through Google Search Console. Google's Safe Browsing system rescans the domain. Until Safe Browsing clears the site, Google Ads will not re-approve the destination, regardless of any appeal language. This step is what most DIY cleanups skip.
05
Step 5 of 6
Google Ads Re-Approval
Once Safe Browsing clears the domain, we use the appeal pathway Google recommends for Compromised Site: either "Made changes to comply with policy" if the destination was the only issue, or "Dispute decision" through Policy Manager. Google allows up to 72 hours for the system to re-crawl and re-evaluate the landing page.
06
Step 6 of 6
Post-Reinstatement Hardening
We deliver a written security checklist covering ongoing monitoring, update schedules, malware scanning, backup hygiene, and access control. Reinfection within 90 days converts the case from Compromised Site to Malicious Software in many cases. Prevention is the work that matters most.
See the Process? Now Let Us Run It on Your Site.
Honest merchants whose sites were hacked — not malware operators — get reinstated when the cleanup is done right. Send the disapproval notice and we'll diagnose your infection, quote the cleanup, and beat the 7-day window.
What You Get When You Work With Us
Diagnosis report identifying the infection and entry point
Safe Browsing status check
Search Console Security Issues review
Full site cleanup at file, database, and server level
Vulnerability patching and security hardening
Search Console Safe Browsing review submission
Google Ads re-approval through the correct appeal pathway
Reviewer follow-up handling
Post-cleanup verification scans
30-day check-in and written hardening checklist
Most compromised sites belong to honest merchants who never knew their server was breached. The cleanup is the easy part — finding the entry point is what separates a fix from a reinfection.
We close the door the attacker came through, scrub every injection from files and database, and submit the Safe Browsing review that unblocks Google Ads. Reinfection guarantees a policy escalation — we work to prevent it.
Pricing
Compromised Site cases scale with site size and infection complexity. Diagnosis is free.
Diagnosis Only
Free
No commitment
- Safe Browsing and Search Console review
- Infection and entry point identification
- Cleanup scope and quote
- Honest verdict on case complexity
Most Common
Single-Site Cleanup + Re-Approval
Single domain, single CMS, single infection
Starting at
$250
- Full cleanup and entry-point patching
- Safe Browsing review submission
- Google Ads re-approval
Complex Cleanup + Re-Approval
Multi-domain, large CMS installation, user-generated content, e-commerce with checkout compromise, or reinfection cases
Starting at
$350
- Everything in Tier 2
- Deep server-level audit
- Extended hardening implementation
Cases We Will Decline
Some Compromised Site cases fail at re-approval or fall outside our intake policy. We tell you within the free diagnosis if your case lands here.
- Sites where the "compromise" is actually intentional content the operator placed (rebrands the case as Malicious Software, which we may still take depending on circumstances)
- Sites that refuse to update outdated CMS, themes, or plugins after cleanup (guaranteed reinfection, not a service we offer)
- Sites where access to the server, hosting, or admin credentials is not available to perform cleanup
- Repeat-compromise cases where the operator declines security hardening after the third cleanup
- Sites running on hosting providers that themselves serve malware at the network level, where individual cleanup will not stick
Ready to Start the Cleanup?
Send us these four things and you'll have a written diagnosis within 24 hours — well inside the 7-day window:
- The Google Ads disapproval email (or Policy Manager screenshot)
- Your domain name and CMS platform (WordPress, Magento, etc.)
- Search Console access — or confirmation you can verify the site
- Hosting / server access details (we will request them securely after diagnosis)
Compromised Site Policy — Common Questions
What is the Google Ads Compromised Site Policy?
It is the policy that disapproves Google Ads when the landing page or destination has been hacked. Google defines a compromised site as one whose code has been manipulated to act for a third party without the owner's knowledge. The policy covers injected scripts, credit card skimmers, malware installation, unwanted redirects, and exploited CMS vulnerabilities.
Will my Google Ads account be suspended?
Not immediately. Google issues at least a 7-day warning before account-level suspension. Ad disapprovals appear at the moment of detection, but the account itself stays open during the warning window. Cleaning the site and clearing Safe Browsing inside that window prevents the suspension.
How is Compromised Site different from Malicious Software?
Compromised Site covers honest operators whose sites were hacked. Enforcement comes with a 7-day warning. Malicious Software covers intentional distribution of malware and triggers immediate suspension with no warning. The disapproval email names which policy applies. The appeal pathway differs for each.
How do I know my site has been hacked?
Four signals usually appear together: Google Ads disapproves the ads with a Compromised Site reason, Google Safe Browsing flags the domain at transparencyreport.google.com/safe-browsing/search, Google Search Console shows a Security Issues report (if the site is verified), and visitors report popups, redirects, or unexpected behavior. Any one of these signals justifies a full malware scan.
How long does the cleanup take?
Most single-site cases close within five to ten business days. The cleanup itself takes one to three days. The Safe Browsing review after submission takes another 24 to 72 hours. Google Ads re-crawl takes up to 72 hours after Safe Browsing clears the site. Complex e-commerce or multi-domain cases run longer.
Can I clean the site myself?
Yes, if you know how to find the actual infection point. Most DIY cleanups fail in one of two ways: they miss the injection point because the malicious code is hidden in the database or in scheduled tasks rather than in obvious theme files, or they clean the visible files but leave the vulnerability open and the site gets reinfected within days. If the site is on WordPress and you can access the server, the cleanup is possible. If you cannot identify how the attacker got in, professional help is faster.
Why are my ads still disapproved after I cleaned the site?
Two reasons usually apply. First, Google Safe Browsing has not refreshed the site status yet. Safe Browsing maintains its own threat database, and Google Ads checks that database during re-approval. Submit the site for review through Google Search Console to trigger a Safe Browsing rescan. Second, the cleanup missed something. Google's automated rescan during the appeal sometimes catches malicious code in locations the human cleanup overlooked.
Do I need Google Search Console?
For the fastest cleanup, yes. Search Console gives you direct access to the Security Issues report, which sometimes shows the specific files or URLs Google flagged. It also gives you the Safe Browsing review submission pathway, which is the fastest way to clear the threat-list status. If the site is not verified in Search Console, verify it before the cleanup starts.
What if my hosting provider says the site is clean?
Hosting provider scans usually catch known-signature malware but miss custom injections, database-level compromises, and configuration-level backdoors. Run an independent scan with at least one external tool. A clean Safe Browsing report on the domain matters more than any single scanner.
Can I just change the destination URL on my ad to fix this?
Google's policy lets you update the ad to a new, clean destination. The disapproval clears for the new URL. The compromised site still has the problem, so any future ad pointing back to it will be disapproved again. Cleanup is the only durable fix.
What if the same site keeps getting reinfected?
The entry point was not closed during cleanup. Reinfection within days or weeks means either the vulnerability is still open, an admin password was leaked, or a backdoor file was missed. The third cleanup on the same site should include a server-level rebuild rather than another file-level scrub.
Does Compromised Site escalate to Malicious Software?
Google can reclassify a case if the review finds evidence that the operator knew about the malicious code and left it in place. In practice, this happens when an advertiser ignores the 7-day warning, allows the account to be suspended, and then appeals without cleaning the site. The pattern of "knew and did nothing" pushes the case toward Malicious Software territory.
Related Policies You May Also Be Facing
Malicious Software Policy
The closest neighbor. If Google escalated your case or your email says Malicious Software from the start, that page is the correct starting point.
Learn MoreDestination Issues
Some Compromised Site disapprovals appear alongside Destination Not Working or Destination Mismatch flags when the attacker added redirects.
Learn MoreCircumventing Systems Policy
Severe compromise cases with cloaking injections sometimes get bundled with Circumventing Systems enforcement.
Learn MoreDon't Wait Out the 7-Day Window
Free diagnosis within 24 hours. Cleanup that beats the suspension deadline. Honest verdict if the case is more complex than it looks.