Google Ads Compromised Site Disapproval: How to Fix It

By · Updated · 6 min read

When Google Ads disapproves your ads with a “Compromised site” or “Malicious or unwanted software” policy violation, it means the Ads system found evidence of hacking, malware, or deceptive content somewhere on your domain, and it will not run traffic to the site until that evidence is gone. The fix is a genuine cleanup of the whole domain, every subdomain included, followed by requesting a re-review of the disapproved ads. Ads re-reviews typically take a few business days per round, which is exactly why you want to pass on the first one.

I hear from a lot of advertisers in this exact spot, and they’re usually angrier than my hacked-site clients. Fair enough. A hacked site that gets blacklisted loses free traffic. A disapproved campaign stops revenue you were paying for, and Google keeps the machine off until it’s satisfied.

Here’s the part nobody tells you up front: Ads enforcement is its own system, separate from Safe Browsing, and in my experience it is the strictest scanner Google runs.

Why does Google Ads say my site is compromised?

The Ads destination policies prohibit sending paid clicks to sites that contain malware, unwanted software, or signs of compromise: injected scripts, spam pages, sneaky redirects, phishing content. When their scanner finds any of that on your domain, every ad pointing at the domain gets disapproved at once. Sometimes the account itself gets suspended for the malicious software policy, which is the same problem with higher stakes.

The trigger is often real. An outdated plugin let something in, and the Ads crawler found spam pages you hadn’t noticed. But the flag is domain-wide, so the infected corner can be somewhere you never think about: a staging subdomain, an old blog install at /blog/, a forgotten landing page builder. Your checkout page can be spotless while old.yourdomain.com quietly hosts a phishing kit.

Why is Ads blocking me when Safe Browsing says I'm clean?

This is the maddening case, and I see it weekly: no red screen in Chrome, Search Console Security Issues is empty, three different scanners say clean, and Ads still refuses. It isn’t a glitch. The Ads scanner works from its own crawls and its own risk models, and it’s deliberately more conservative because Google is liable for where it sends paid clicks. It also has a longer memory. Recently cleaned sites sit in a distrust window while Ads confirms the fix holds.

So absence of a Safe Browsing flag proves very little. When Ads says compromised, something is there, was there recently, or is reachable from your domain. The job is to find it, and my free site check plus a site:yourdomain.com search are the first ten minutes of that hunt. The deeper checks are in my technical IOC checklist.

Cleaning up for an Ads review

Everything reachable on the domain counts. That means the main site, every subdomain in your DNS, old installs, and files sitting in directories you forgot about. On Ads cases I insist on a full sweep even when the main site looks clean, because the flag so often lives in the attic:

  • List every subdomain in your DNS and hosting panel, and either clean or remove each one. Dead staging copies should go away entirely.
  • Check for injected redirects that only fire for mobile visitors or ad-click traffic; the Ads crawler follows your final URLs the way a paying visitor would.
  • Look for third-party scripts on landing pages. A compromised tracking pixel or a shady affiliate script can trip the malicious software policy all by itself.
  • Remove old downloadable files. Installers and zips you posted years ago get re-judged by modern standards.

Close the entry point too, because Ads rechecks after approval, and a reinfection puts you straight back to disapproved with less patience the second time. The full cleanup process is in my malware removal walkthrough.

How do I actually get re-reviewed?

Once the domain is genuinely clean, open the disapproved ad and use the appeal option (Ads shows this as a “Fix it” or appeal flow on the disapproval), selecting the choice that says the issue has been resolved. You can appeal at the campaign level and cover all affected ads at once. If the account was suspended rather than the ads disapproved, the path is the suspension appeal form instead, and you should say plainly what was infected, what you removed, and what you changed, the same way I described for Search Console reviews.

Keep notes as you clean: which files you removed, which subdomains you retired, what you updated, and the dates. If the case escalates to a conversation with Ads support, that record turns a vague back-and-forth into a short one, and support agents move faster for advertisers who can show exactly what changed. I write one for every Ads case I handle for the same reason.

Then wait. Most re-reviews come back within two to five business days, some faster. Do not spam appeals while one is pending; parallel appeals don’t merge, they just mark the account as noisy. One clean appeal after one real cleanup beats five hopeful ones every time.

What if the re-review fails again?

Failed second reviews almost always mean the scanner is still finding something, and the something is usually cloaked, on a subdomain, or freshly regrown from a backdoor. At that point stop guessing. Pull the site apart file by file, or bring in someone who does this daily. It’s worth knowing that the flag can also come from your ad’s tracking template or final URL redirect chain rather than the site itself, so audit the URLs in the ad settings too. I’ve cleared more than one “compromised site” case where the site was fine and a third-party click tracker wasn’t.

Once you’re running again, two habits keep you out of this queue. Watch your site, not just your campaigns: a weekly scan catches the reinfection before the Ads crawler does, and the difference between those two discoveries is a week of paused revenue. And keep your landing page stack boring. Every third-party script, tracker, and widget on a paid landing page is something the Ads scanner evaluates along with your own code, so each one you remove is one less thing that can get you flagged for someone else’s compromise. My guide to security best practices covers the basics that prevent the original hack, which is cheaper than any appeal.

Every day of disapproval is revenue off the table, which is why advertisers are usually my most time-sensitive cases. If you want it handled fast and once, my malware removal service covers the full-domain sweep, and you can start it here. Send me the disapproval details, and I’ll find what the Ads scanner found.

Common questions

Why did Google Ads disapprove my ads for compromised site?

Because the Ads system detected malware, injected spam, phishing content, or suspicious redirects somewhere on your domain, including subdomains. The detection is domain-wide, so ads get disapproved even when the specific landing page is clean. Until the flagged content is removed, Ads will not send paid traffic to the site.

Why does Google Ads say compromised when my site scans clean?

The Ads scanner is separate from Safe Browsing and stricter than most malware scanners. Common causes are cloaked content that only shows to Google crawlers, an infected subdomain or old install, a compromised third-party script on the landing page, or a recent infection still inside the distrust window while Ads confirms your cleanup holds.

How long does a Google Ads compromised site review take?

Most re-reviews complete within two to five business days, and some come back in one. Account-level suspension appeals tend to take longer than ad-level appeals. Filing repeated appeals while one is pending does not speed anything up, so the efficient path is one thorough cleanup followed by one appeal.

Do I need to fix subdomains before appealing to Google Ads?

Yes. The compromised site policy evaluates the whole domain, and forgotten subdomains are one of the most common reasons appeals fail. List everything in your DNS, then clean or delete each one. Old staging copies and abandoned installs are safer removed than cleaned, since nobody is watching them for reinfection.

Can my Google Ads account get suspended because my site was hacked?

It can. Persistent or severe malicious software violations escalate from ad disapproval to account suspension. Acting quickly on the first disapproval, cleaning thoroughly, and passing the first re-review is the best way to keep a hacked site from becoming an account problem that outlives the hack.