VirusTotal Flagged Your Website? What It Really Means — and How to Actually Get Removed

You scanned your domain on VirusTotal, saw something like 3 of 94 security vendors flagged this URL as malicious, and your first instinct was to find the “remove from VirusTotal” button. There isn’t one — and that is not a bug. Understanding why is the difference between wasting a week emailing the wrong people and getting your site cleared in a day or two. I’m MD Pabel, and I’ve cleaned more than 4,500 hacked WordPress sites. A misread VirusTotal report is one of the most common screenshots clients send me, usually with the same question: “How do I get off VirusTotal’s blacklist?” The short version is that VirusTotal doesn’t have one. Here’s what the screen actually means and exactly what to do about it.

VirusTotal is not a blacklist. It’s a mirror.

VirusTotal is owned by Google and runs anything you submit — a file, URL, domain, or IP — through more than 70 antivirus engines and URL/domain blocklisting services at once. That’s its entire job: collect verdicts from many independent vendors and show them in one place. The part most people miss is that VirusTotal produces no verdict of its own. It doesn’t decide your site is malicious. It reports what Kaspersky, BitDefender, Sophos, Google Safe Browsing, and the rest are saying about you, and it aggregates those answers into a tidy count. So “VirusTotal blacklisted my site” is technically impossible. What actually happened is that one or more of the engines VirusTotal queries flagged your domain, and VirusTotal is simply displaying their results together. Think of VirusTotal as a scoreboard, not the referee. Shouting at the scoreboard won’t change the score. You have to go to the officials who put the numbers up there.

Why you can’t “remove” your site from VirusTotal

This trips up almost everyone, so it’s worth being blunt. Even in the rare case VirusTotal hid a flag on its own display, the people running the antivirus product that flagged you would still be blocked from your site. The warning lives in the vendor’s database, not in VirusTotal’s. Only the vendor that flagged you can clear it. A couple of other quirks matter:

• • Domain reports don’t even carry a verdict. A VirusTotal domain page mostly shows relationships and history, not a malicious/clean ruling. The actionable verdicts come from URL scans.

• • VirusTotal caches results. A site you fixed yesterday can keep showing an old verdict until the specific URL is re-scanned, which is why people panic when their “cleaned” site still looks flagged.

The takeaway: the fix never lives inside VirusTotal. It lives at the source (your website) and at each vendor that flagged you.

First, figure out which problem you actually have

Two completely different situations get lumped under “VirusTotal flagged my site,” and they have opposite fixes. Get this wrong and you’ll either waste weeks or, worse, send delisting requests for a site that is still infected.

1. 1. A true false positive. Your site is genuinely clean and a vendor’s automated system flagged it by mistake. This is common with brand-new domains, aggressive heuristics, shared-hosting IP reputation, or a legitimate script that loads an unfamiliar external domain.

1. 1. A real, lingering infection. Your site was hacked, you (or a plugin) “cleaned” it, but the flag persists because malware is still there or has already come back.

For WordPress sites, the second case is far more common — and it’s the one generic “just report a false positive” articles get dangerously wrong. If your site was hacked, the flag usually isn’t a mistake. It’s the symptom. (If your malware seems to keep returning no matter what you do, read why WordPress malware keeps coming back.) Here’s how to tell which situation you’re in before you do anything else:

Signal	Likely a false positive	Likely still infected
Recent history	No hack, nothing changed	Site was hacked or you saw symptoms recently
What’s flagged	Your root domain, no specific bad URL	A specific path, file, or injected page
Which engines	1–2 obscure engines	Reputable engines (Google, major AVs), or the count is rising
The label	“Suspicious”	“Malware site,” “Phishing site,” “Malicious”
On your site	Nothing unusual in files or database	Unknown files, redirects, spam pages, or new admin users
After re-scan	Clears, or stays at the same low number	Comes back or increases

How to read your VirusTotal report

To contact the right people, you have to read the report correctly. Three things matter:

The detection count is not a severity score

A result of “2 / 94” doesn’t mean your site is 2% bad. A single reputable engine labelling you a malware site is far more serious than five obscure scanners flagging you. Likewise, “0 / 94” doesn’t guarantee you’re clean — it only means none of the engines on VirusTotal flagged you (more on that below). Treat the count as a starting point, not a grade.

The label tells you the type of problem

Each engine returns a category: clean, unrated (never reviewed you), suspicious, malicious, malware site, or phishing site. Write down which engine reported which label. A “phishing site” verdict points to fake login or payment pages; a “malware site” verdict points to injected scripts or drive-by code. The label is your first clue about where to look on your own site.

Ignore the Community score

The Community score is voted on by registered VirusTotal users and weighted by their reputation. It can be skewed by anyone with an account and is not a reliable signal. Don’t make decisions based on it. By the end of this step you should have a simple list: which vendors flagged you, and with what label. That list is your to-do list — each vendor has its own delisting process. For the full diagnosis-to-delisting workflow across every blocklist, see my website blacklist diagnosis and delisting playbook.

If your WordPress site is genuinely infected (the usual case)

Security engines flag behavior, not appearance. Your homepage can look perfect while an injected script, a mobile-only redirect, a hidden spam directory, or a backdoor sits in your files or database. That’s why “but my site looks fine” is never proof of anything. If you’re comfortable on the command line, here are a few quick checks to confirm an infection before you assume it’s a false positive. (The full walkthrough is in my guide on how to detect WordPress malware.)

# PHP files modified in the last 7 days (common after a fresh hack)
find /path/to/wordpress -name "*.php" -mtime -7 -ls

# PHP files inside uploads — there should be ZERO
find /path/to/wordpress/wp-content/uploads -name "*.php"

# Search the database for the most common injection patterns
wp db search 'eval(' --all-tables
wp db search 'base64_decode' --all-tables

Here’s the part that catches people out: a single leftover backdoor re-infects a site within hours, and the next vendor scan re-flags you — sometimes after you’ve already requested delisting, which makes you look like you’re crying wolf. I once watched a client fail a Google review three times until we traced the reinfection to a payload hidden in the database, not the files (that case study is here). The rule: if you are not confident your site is 100% clean, requesting delisting is premature. You will fail the review and burn time.

The real removal process, step by step

1. 1. Clean the site completely. Every backdoor, injected file, malicious database row, rogue admin user, and poisoned .htaccess rule. Half-measures are why flags come back. (My expert malware-removal guide covers the process; the post-cleanup checklist covers what comes next.)

1. 1. Verify with more than one scanner. Don’t trust a single tool. Cross-check with Sucuri SiteCheck, Quttera, and Google’s Safe Browsing status before you declare victory.

1. 1. Re-scan the flagged URL on VirusTotal. This clears VirusTotal’s cached result so it reflects your cleaned site, not the snapshot from when you were hacked.

1. 1. Contact each flagging vendor directly. Use an email address at your own domain (it helps prove ownership), include a link to the VirusTotal report, and attach proof of a clean scan. Submitting from a domain email with clean-scan evidence is the single biggest factor in getting a fast review.

1. 1. Be patient with propagation. Some vendors clear you within hours; others take days, and full propagation across every cache can take up to about 30 days. Don’t re-submit hourly — that doesn’t speed anything up.

1. 1. Handle the vendors VirusTotal doesn’t show. See the next section — this is the step people forget, and it’s why warnings persist in browsers even after VirusTotal reads 0 / 94.

The vendors VirusTotal won’t show you

VirusTotal covers a lot of ground, but not everything. Several of the warnings that actually scare your visitors away come from sources that may never appear in your VirusTotal report:

• • Google Safe Browsing powers the red “Dangerous site” interstitial in Chrome, Firefox, and Safari — the warning the largest share of your visitors will actually hit. Check your status separately and request a review in Google Search Console under Security Issues. If Google is the problem, see my Google blacklist removal service.

• • Norton Safe Web and similar reputation services often flag sites without showing up on VirusTotal. If Norton is warning on your domain, follow my Norton blacklist removal guide.

• • Avast and McAfee each maintain their own URL reputation systems with their own submission forms. See Avast blacklist removal and McAfee blacklist removal.

This is exactly why “0 detections on VirusTotal” doesn’t always mean every warning is gone. A clean VirusTotal report is encouraging, not final.

Want this handled instead?

I’ll be honest: cleaning a hacked WordPress site and then chasing down every vendor that flagged you is tedious, and it’s easy to get wrong. The usual failure points are a hidden backdoor that triggers reinfection, a delisting request sent too early, or a warning source (like Google or Norton) that nobody checked. I’ve handled all three across more than 4,500 cleanups.

What clients say

Frequently asked questions

Can VirusTotal blacklist my website?

No. VirusTotal maintains no blacklist and issues no verdicts of its own. It aggregates results from 70+ independent antivirus and URL-blocklisting engines. If you appear flagged on VirusTotal, it’s because one or more of those engines flagged you — and only that engine’s owner can remove the flag.

How do I remove my website from VirusTotal?

You can’t remove it from VirusTotal directly, because the flag lives with the vendor, not VirusTotal. Fix the underlying issue on your site, re-scan the URL to clear VirusTotal’s cache, then contact each flagging vendor from your domain email with proof of a clean scan and ask them to re-review.

Why is my site still flagged on VirusTotal after I cleaned it?

Three usual reasons: VirusTotal is showing a cached result (re-scan the URL), the flagging vendor hasn’t re-reviewed you yet, or — most often for WordPress — the site isn’t actually clean. A leftover backdoor reinfects within hours and gets you re-flagged. Verify the site is fully clean before assuming it’s a caching delay.

Does 1 of 94 detections on VirusTotal mean my site is infected?

Not on its own. A single obscure engine can be a false positive. But if that one detection comes from a reputable vendor and labels you “malware” or “phishing,” take it seriously and investigate. The detection count is a starting point, not a severity score — the engine and the label matter more than the number.

How long does it take to clear a VirusTotal flag?

It depends on the vendor. Some clear you within a few hours of a confirmed clean review; others take several days. Full propagation across every cache and product can take up to roughly 30 days. Submitting from your domain email with clean-scan evidence is the fastest path.

---

Last updated: June 6, 2026 by MD Pabel, WordPress Security Specialist — 4,500+ sites cleaned.