Kentico-based website hacked

Julian C. asked on August 30, 2022 17:51

Our Kentico-based website was hacked on Friday (Aug 26th). Malware removed from all the servers but the website is still blocked on Chrome/Firefox browsers.

Submitted two security audits on Google Search Console (GSC) on both properties (mysite.com and www.mysite.com) and finally after 3 days the audit failed with the exact same error message as the first time. Link to dangerous download: https://www.mysite.com/Files/setup.zip

I used cURL on all the rejected pages and I cannot find the dangerous download file GSC is complaining about.

Website works on mysite.com but is blocked on www.mysite.com.

Any help or ideas would be very appreciated.
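The check described in the question, looking through each rejected page for a reference to the file Search Console names, can be automated. This is an added example, not part of the original post: the page bodies in `SAMPLE_PAGES` are constructed, and the function names are hypothetical. It treats www and non-www as the same host and resolves relative links and `<base>` tags, which a plain text search of cURL output misses.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL quoted in the Search Console message on this page.
FLAGGED_URL = "https://www.mysite.com/Files/setup.zip"

def canon(url):
    """Return (host without leading 'www.', lower-cased path).
    Assumption: path case is folded because the host is case-insensitive (Windows/IIS)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.removeprefix("www."), parts.path.lower()

class RefCollector(HTMLParser):
    """Collects URL-bearing attributes and the first <base href>."""
    URL_ATTRS = {"href", "src", "action", "data"}

    def __init__(self):
        super().__init__()
        self.refs, self.base = [], None

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in self.URL_ATTRS:
                continue
            if tag == "base" and name == "href":
                self.base = self.base or value.strip()
            else:
                self.refs.append((tag, value.strip()))

def find_flagged_refs(page_url, html, flagged_url=FLAGGED_URL):
    """Return (tag, raw attribute value) pairs that resolve to the flagged file."""
    collector = RefCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    target = canon(flagged_url)
    return [(t, raw) for t, raw in collector.refs if canon(urljoin(base, raw)) == target]

# Constructed sample bodies standing in for saved cURL output of the rejected pages.
SAMPLE_PAGES = {
    "https://mysite.com/": '<a href="/about">About</a><a href="/Files/Setup.zip">Get</a>',
    "https://www.mysite.com/products/": '<base href="https://www.mysite.com/">'
        '<iframe src="files/setup.zip"></iframe><img src="img/logo.png">',
    "https://mysite.com/contact": '<a href="https://example.org/Files/setup.zip">x</a>',
}

def scan(pages):
    """Map each page URL to its flagged references, omitting clean pages."""
    return {u: hits for u, body in pages.items() if (hits := find_flagged_refs(u, body))}

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_PAGES).items():
        print(url, hits)
```

Only references present in the served markup are seen; links added by script at render time need a check against the rendered DOM instead.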

Recent Answers


Eugene Paden answered on August 30, 2022 19:51

I just checked on Chrome and Edge and both URLs loaded without an issue.

Could it be that it is just flagged and blocked on your browser?

Julian C. answered on August 30, 2022 20:44 (last edited on September 5, 2022 23:19)

Eugene, you probably tested the URL without the www. which works fine.

Google Search Console (GSC) sent a failed audit today for both https://mysite.com and https://www.mysite.com which are the same website!

I just don't know what to do anymore. Whether the GSC technician didn't audit the site properly or the malware is still on the site.

Eugene Paden answered on August 30, 2022 20:55 (last edited on August 30, 2022 20:56)

Julian, I tested www earlier. But when I tested again just now in Chrome, I got the warning. However, on Edge it still loads.

Have you reviewed and mitigated the Security issues raised by GSC? Once you are done fixing, you can Request Review again.

Unfortunately, most reviews take a few days to complete, but some can take up to a week or two. Google Search Console will send a notification when the review is completed.

Julian C. answered on August 30, 2022 21:02

Eugene, I did mitigate the security issues raised by GSC since the first day. Hired a security consulting company and removed the malware. Installed Microsoft Defender for Cloud. No malware detected anywhere.

I even bought the Sucuri Pro ($249/site) malware website scanner for both instances and no issues were found.

Submitted the audit request two times but GSC responded with the same message and the error on GSC is the same like the technician didn't even bother to change the error message.

Brenden Kehren answered on September 1, 2022 20:28

Looks like you're running on version 10 of Kentico Xperience. There are several security issues from older versions that have been addressed in new versions. While I know it's easier said than done, you might want to consider migrating to the latest version, KX13.

I'd suggest creating a redirect from WWW to non-WWW that should resolve the problem. Also from an SEO standpoint, you don't want both active anyway.

Julian C. answered on September 4, 2022 20:59 (last edited on September 5, 2022 23:21)

Thank you Brenden. I don't believe redirecting WWW to non-WWW would solve the issue of Google blocking the domain. Some pages on https://mysite.com are showing the Google Red security page as well.

Google treats the WWW and non-WWW as two different sites, even though I use the domain property on Google Search Console which encompasses all aspects of the domain (www, http, https...)

As I read on various forums, this might be a false-flag scenario, interpreted wrong by Google.

I'm still amazed how Google is (mis)handling these kinds of issues. For more than a week, Google Search Console didn't change the security error message. They just ignore my 4 audit requests submitted during the last 9 days. The most frustrating thing is that you cannot contact anyone from Google (no email, no phones). At this point I'm out of ideas, and migrating to KX13 is out of the question, at least in the near future, due to the high amount of customizations we developed over the past years. I'm still hoping for a miracle.

Brenden Kehren answered on September 4, 2022 21:46

Not even allowing www to be indexed or accessed will help. You never want both www and non-www to be accessible without redirecting one to the other. It's standard SEO practice.

Julian C. answered on September 6, 2022 00:13

Finally, after 10 days of nightmares, Google fixed the mess. Fingers crossed...

"Google has received and processed your security review request. Google systems indicate that your site no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen."

Thank you Brenden and Eugene for your kind help.
