Back to Learn

Website Blacklists | NOC.org

What Are Website Blacklists?

Website blacklists (also called blocklists) are databases maintained by security organizations, search engines, and antivirus vendors that catalog websites known to host malicious content. When a website is added to a blacklist, users attempting to visit it are shown warnings, the site is flagged in search results, or access is blocked entirely. Blacklisting is one of the internet's primary mechanisms for protecting users from malware, phishing, and other threats.

For website owners, being blacklisted is one of the most damaging consequences of a security breach. Even after the malicious content is removed, the blacklisting persists until the site owner requests a review and the blacklist provider confirms the site is clean. During this period, a site can lose the majority of its traffic, revenue, and search engine rankings.

Major Blacklist Providers

Google Safe Browsing

Google Safe Browsing is by far the most impactful blacklist on the internet. It protects more than 4 billion devices by providing data to Google Chrome, Mozilla Firefox, Apple Safari, and Android. When a site is flagged by Google Safe Browsing, visitors using any of these browsers see a full-page red warning screen stating "Deceptive site ahead" or "The site ahead contains malware." This effectively blocks the vast majority of web traffic.

Google Safe Browsing categorizes threats into several types:

  • Malware: The site hosts or distributes software designed to harm visitors' devices.
  • Social engineering: The site contains phishing pages or other deceptive content designed to trick users into revealing sensitive information or installing unwanted software.
  • Unwanted software: The site distributes software that does not meet Google's Unwanted Software Policy, such as programs that change browser settings without consent.
  • Potentially harmful applications: Used primarily for mobile, flagging apps that may collect data without disclosure or perform unexpected actions.

Google discovers threats through its web crawling infrastructure, user reports, and automated analysis systems. Once flagged, the site appears with warnings in Google Search results and triggers browser interstitials across all browsers that use the Safe Browsing API.

Norton Safe Web

Norton Safe Web, operated by Gen Digital (formerly NortonLifeLock), maintains its own database of dangerous websites. It powers warnings in Norton security products installed on millions of devices and provides browser extensions that display safety ratings next to search results. Norton rates sites on a scale from safe (green) to dangerous (red), and provides details about the specific threats detected.

Norton Safe Web is particularly influential for users running Norton antivirus products, as the software can block access to flagged sites at the network level, preventing the page from loading at all rather than just showing a warning.

Sucuri SiteCheck

Sucuri SiteCheck is a free website security scanner that checks sites against multiple blacklist databases and performs its own malware detection. It scans the site's visible content for known malware signatures, spam injections, and suspicious code patterns. Sucuri maintains its own blacklist and also aggregates results from other providers including Google Safe Browsing, Norton, McAfee SiteAdvisor, PhishTank, and others.

For site owners, Sucuri SiteCheck serves as a useful meta-scanner, providing a single place to check your blacklist status across multiple providers simultaneously.

Other Notable Blacklists

  • McAfee SiteAdvisor (now McAfee WebAdvisor): Provides safety ratings used by McAfee security products and the McAfee SECURE trustmark.
  • PhishTank: A community-driven database focused specifically on phishing URLs, operated by Cisco's OpenDNS division.
  • Spamhaus: While primarily known for email blacklists, Spamhaus also maintains the Domain Block List (DBL) that flags domains associated with spam and malware.
  • ESET: Maintains its own URL blacklist used by ESET security products to block access to malicious sites.
  • Yandex Safe Browsing: Similar to Google Safe Browsing but maintained by the Russian search engine Yandex, primarily affecting traffic from Russian-speaking users.

How Blacklisting Works

Blacklist providers use a combination of automated scanning, machine learning, and human analysis to identify malicious websites:

  1. Discovery: The provider's web crawler visits the site and analyzes its content, or the site is submitted for review by users, security researchers, or automated feeds.
  2. Analysis: The page's HTML, JavaScript, and network behavior are examined for known malware signatures, phishing patterns, suspicious redirects, hidden iframes, obfuscated scripts, and other indicators of compromise.
  3. Classification: The detected threat is categorized (malware, phishing, spam, unwanted software) and the URL or domain is added to the blacklist database.
  4. Distribution: The blacklist is distributed to browsers, security products, and DNS services that use the provider's API. Updates propagate quickly, often within hours of detection.
  5. Client-side checking: When a user attempts to visit a URL, their browser or security software checks it against the local copy of the blacklist (updated regularly) or queries the provider's API in real time. If the URL matches, a warning is displayed.

Why Websites Get Blacklisted

Websites are blacklisted when they are found to host malicious or deceptive content. The most common reasons include:

  • Malware infections: The site has been compromised and is serving malware to visitors, whether through drive-by downloads, malicious JavaScript, or infected file downloads.
  • Phishing content: The site hosts fake login pages or other deceptive content designed to steal credentials or personal information.
  • SEO spam: The site has been injected with SEO spam content that search engines detect as manipulative.
  • Credit card skimming: The site contains JavaScript skimmers that steal payment data from checkout forms.
  • Malicious redirects: The site redirects visitors to dangerous destinations such as exploit kits, scam pages, or malware distribution sites.
  • Compromised third-party resources: The site loads scripts or resources from domains that have been compromised, causing the blacklist provider to flag the site even though its own files are clean.

Impact on Traffic and Business

Blacklisting has an immediate and severe impact on a website:

Impact Area Effect
Organic search traffic Google flags the site in search results with "This site may be hacked" or "This site may harm your computer" warnings, causing click-through rates to drop by 90% or more.
Direct and referral traffic Browser interstitial warnings block most visitors from proceeding, regardless of how they found the site.
Email deliverability Links to your domain in emails may be flagged as malicious, causing emails to be blocked or sent to spam.
Advertising Google Ads and other advertising platforms will suspend campaigns pointing to blacklisted domains.
Revenue Ecommerce sites experience near-total revenue loss while blacklisted. Service businesses lose leads and conversions.
Reputation Customers who see security warnings lose trust in the brand, and the reputational damage persists even after delisting.

Studies have shown that a blacklisted site can lose up to 95% of its traffic overnight. For ecommerce businesses, even a single day of blacklisting can result in substantial financial losses.

How to Check If Your Site Is Blacklisted

  • Google Search Console: The Security Issues section reports any malware, phishing, or social engineering problems detected by Google Safe Browsing.
  • Google Transparency Report: Enter your URL at transparencyreport.google.com/safe-browsing/search to check your Safe Browsing status.
  • Sucuri SiteCheck: Visit sitecheck.sucuri.net to scan your site against multiple blacklists at once.
  • VirusTotal: Submit your URL to VirusTotal, which checks it against 70+ security engines simultaneously.
  • Norton Safe Web: Check your site's rating at safeweb.norton.com.
  • Manual browser testing: Simply visit your site in Chrome, Firefox, and Safari. If any of them show a warning page, you are blacklisted.

How to Get Delisted

The delisting process requires cleaning your site first and then requesting a review from each blacklist provider:

  1. Identify and remove the malicious content: Use server-side scanners, file integrity checks, and external scanning tools to find and remove all malicious files, injected code, backdoors, and unauthorized user accounts. Do not skip this step. Requesting a review while malicious content remains will result in denial and may increase the time before you can submit another review.
  2. Fix the vulnerability: Determine how the attacker gained access and close the security gap. Update your CMS, plugins, and themes. Change all passwords. Deploy a WAF to prevent re-exploitation.
  3. Request a Google Safe Browsing review: In Google Search Console, navigate to the Security Issues section and click "Request a Review." Provide a clear description of what was compromised, what you cleaned, and what steps you took to prevent recurrence. Reviews typically take 24 to 72 hours, though some may take longer.
  4. Request reviews from other providers: Each blacklist provider has its own delisting process. Norton Safe Web allows you to submit your site for re-evaluation through its website. McAfee has a URL review submission form. PhishTank allows disputed entries to be challenged. You must request delisting separately from each provider that has flagged your site.
  5. Monitor after delisting: After removal, closely monitor your site for re-infection. If the attacker still has access through an undiscovered backdoor, the site will be reinfected and re-blacklisted, and subsequent reviews may take longer.

Prevention

The best way to avoid blacklisting is to prevent your site from being compromised in the first place:

  • Keep all software updated to patch known vulnerabilities that attackers exploit.
  • Deploy a web application firewall to block malicious traffic and exploitation attempts.
  • Use strong authentication with two-factor authentication on all admin accounts.
  • Implement file integrity monitoring to detect unauthorized changes immediately.
  • Set up Google Search Console alerts to receive notifications about security issues as soon as Google detects them.
  • Regularly scan your site with external tools like Sucuri SiteCheck and VirusTotal.
  • Maintain clean, tested backups so you can restore quickly if compromised.

Summary

Website blacklists are a critical internet safety mechanism, but being on one is devastating for site owners. Google Safe Browsing alone can cut off the vast majority of your traffic through browser warnings. Norton Safe Web, Sucuri, McAfee, and PhishTank add additional layers of blocking. The key to avoiding blacklisting is preventing the underlying security breach through regular updates, strong authentication, continuous monitoring, and a web application firewall. If your site is blacklisted, act quickly to clean the infection, close the vulnerability, and request reviews from each provider.

Do not wait until you are blacklisted to take action. See NOC's pricing plans to protect your website before a security incident causes lasting damage.

Improve Your Websites Speed and Security

14 days free trial. No credit card required.

Get Started