Google ads: Malicious software / Compromised site
hi there
I’m reaching out regarding an ongoing issue with Google Ads and our BeTheme-powered site (morstonhall.com).
Google Ads continues to reject campaigns with the reason “Malicious software / Compromised site”, even though:
• We’ve enforced HTTPS with permanent 301 redirects (non-www → https).
• Blocked HTTP access to admin/login and enforced secure logins.
• Rotated the database user password and updated wp-config.
• Added modern security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, etc.).
• Removed plugins that were interfering with permalink/REST API routing (Hide My WP / WP Ghost).
• Verified clean results across multiple independent scans:
• VirusTotal – 0/97 vendors flagged.
• Sucuri SiteCheck – no malware, no blacklist.
• Qualys SSL Labs – A+ SSL rating.
• SecurityHeaders – Grade A.
All landing pages tested return 200 OK, and there are no signs of malware or compromise on the site. Despite this, Google’s Ads crawler still flags the site as “Compromised,” preventing us from running campaigns.
We want to rule out any theme-related factor. Could you please confirm:
1. Whether BeTheme has any known compatibility issues with Google Ads crawler or Googlebot?
2. Whether there are hidden scripts, demo assets, or theme features that could be misinterpreted as unsafe?
3. Any recommended steps from your side to ensure Google Ads recognises BeTheme-based sites as clean.
This is blocking ad campaigns, so any guidance or deeper checks from your team would be greatly appreciated.
Thank you,
Maciej
Comments
Hi,
To the first two of your questions, I can answer: no. We understand that compatibility with Google features is crucial, and we strive to maintain compliance with their guidelines at all times.
3) Please do a test by temporarily switching to another theme, like Twenty Twenty-Five, to see if the problem persists. It will help to determine if the theme is the root cause or if it lies somewhere else.
Best regards
Hi there, I now deleted all extra themes (they were not used) and re submitted the adds.
hi there, this did not help
I did not mean to remove them, but rather to temporarily switch to another theme, such as Twenty Twenty-Five, to see if the same issue occurs there.
Best regards
I dont need them anyway. this website only works on one theme
what are the next steps please?
I cannot be switching to other themes, sorry. the website must stay live as is
what are the next steps? this is really urgent, thanks
Hello, is this something you can help me with? I cannot run adverts because of the malware on the website.
Cannot you do it only for a brief time? It would be helpful to identify the source of this problem.
I can also suggest disabling your plugins one by one to see if none of them is the culprit.
Best regards
im sorry but I dont understand what you mean by "Cannot you do it only for a brief time?"
what do you mean
the affects can take up to 24h to work with google ads after reindexing so it would take days for this to take effect. surely there is something you can do to investigate? none of the plugs I use are not part of the BEtheme
Thanks for providing the details. Please note that without going through the outlined diagnostic steps, it’s not possible to reliably identify the root cause of the issue.
Here are two key points to keep in mind:
1) It’s doubtful that Betheme itself is causing the problem.
A theme mainly handles structure and visuals — it does not usually inject malicious software or scripts flagged by Google as harmful. In most cases, the issue comes from elsewhere: server configuration, active plugins, additional scripts, or in the worst case, a virus/backdoor infection.
2) A systematic step-by-step diagnosis is necessary.
To narrow down the source and avoid chasing false leads, we recommend following these steps:
Even if your site “must run on Betheme,” it’s beneficial to briefly (for a time of the test) activate a default WordPress theme (e.g., Twenty Twenty-Five).
If the problem disappears → it may be theme-related.
If the problem remains → the theme can be excluded as the cause.
Plugins are among the most common sources of issues. Deactivate them systematically (ideally in a staging environment) and check after each step if Google still flags the site. Pay extra attention to plugins that load custom scripts, manage ads, optimize code, or integrate with external services.
Review your access/error logs for suspicious requests, unusual IPs, or hidden script paths. This can help pinpoint compromised files or malicious activity.
Automated tools like Sucuri or VirusTotal are useful but may miss obfuscated code. It’s important to manually review theme files, the uploads folder, .htaccess, and wp-config.php for suspicious entries.
If any files have been modified or extra scripts injected, you’ll spot them by comparing your installation with the original.
Issues can also arise from misconfigured file permissions, outdated PHP versions, or improper directory access rights. Ensure there are no files in directories that should only contain static assets.
Each time you make significant fixes, request a re-scan in Google Search Console or Google Ads to clear the malicious software warning.
Without these steps, troubleshooting is guesswork, and you risk removing or changing the wrong components.
Hope it is clear now.
Best regards