Compromised Site Diagnostic
Diagnostics makes regular, periodic evaluations of your Analytics implementation, and provides notifications as a gentle reminder of how to keep Analytics tuned to ensure the best data, performance, and analysis.In this article:
Analytics regularly communicates with Google Search Console to identify domains that may have been compromised (otherwise known as getting “hacked”). The system looks at results of the Google search crawl on websites associated with Analytics accounts, which uses proprietary software and processes to identify sites that may have been compromised by 3rd parties.
If it appears that your Analytics property is tracking sites that Google’s Safe Browsing team has marked as potentially compromised, and you are an admin on this property, then a notification will appear to alert you of the problem:
Learn more about Hacking and hacked content.
Our goal is to protect the broader internet and your business by ensuring that your websites are not compromised by 3rd parties acting without your and your end users' consent, and that your end users have an enjoyable and safe experience on your websites.
Diagnostics, and Google’s search crawler, are not able to crawl non-public pages (e.g. behind a login wall or hidden via robots.txt exclusions). So, it’s possible for Diagnostics to miss pages and fail to surface a notification for non-public pages that are compromised. Furthermore, Diagnostics may exclude certain pages based on execution cost, although Diagnostics does attempt to prioritize those pages that receive significant traffic.
Crawl frequency varies from a few days to several weeks, so keep in mind that recent changes or fixes may not be reflected in the results until the page is re-examined. However, the Safe Browsing team responds to requests for review within 72 hours, so make sure to request a review once any issues are remedied.
Investigate and fix
After you receive the compromised site notification, first investigate whether your site has been compromised. Follow these instructions. Once you confirm that your site is compromised, you should take immediate steps to remove the offending site code. You should note also that the notification you received is not specific to the location of the issue(s), so you should conduct a broad audit to ensure completeness and confirm that you have removed all offending code.Upon completion, follow these instructions to request a review of your site.
Reported sites do not belong to the website
If the website(s) mentioned in the notification belong to a domain that you do not recognize, that website likely specified your Analytics account in its tracking code by accident. First, you should create a filter to exclude the unwanted traffic data from that domain as soon as possible. Then, try contacting their webmaster to correct the problem.
If the website(s) mentioned in the notification belong(s) to a recognizable or related domain, but should not be considered a part of the domain, you probably have multiple websites under the same domain, with unclear site boundaries. In either case, you should address the compromised site notification directly, or contact the appropriate site owner to address the problem.
Your site is clean, but you still see the alert
If you still see the notification, but have confirmed that your site is not, or is no longer compromised, then it’s possible that Google just needs to reevaluate your site. In this case, follow these instructions as soon as possible to request that Google re-crawl your website.
If the notification persists, then we recommend raising the issue within the webmaster support forum.