Troubleshoot site security issues

Updated

Troubleshoot security issues on your site.

A site may be flagged as malicious or added to blocklists for many legitimate reasons, including domain reputation, third-party scripts running on the site (e.g., custom code), site content, and other quality and legal issues that can affect site visitors. However, false positives sometimes occur. For example, legitimate business sites that include content related to cryptocurrency, CBD, or free software may be mistakenly flagged as malicious or unsafe.

Webflow is a secure platform and doesn’t add any malware to hosted sites or have any control over third-party blocklists. If your site was mistakenly flagged as malicious, you can troubleshoot site security issues by scanning your site with safe browsing tools, checking for mixed content, checking your internal network, and/or checking your DNS settings and default domain.

Scan your site with safe browsing tools

We recommend checking your site with Google’s Safe Browsing tool, which returns a site’s current status (i.e., whether a site is currently safe to visit). If your site is marked safe, your site was likely mistakenly flagged, and you can file a security issues report with Google to report the false positive.

If your site is marked unsafe, Google will return a list of security issues you’ll need to correct to remove the flag. Once you’ve fixed any security issues, you can submit a request for a reconsideration review.

You can also check your site with the following tools:

  • VirusTotal — analyzes sites and files to detect malware
  • EasyDMarc — displays domain reputation information and shows if your domain has ever appeared on any blocklists

If your site is marked safe on Google Safe Browsing but flagged on VirusTotal or other tools, these are likely false positives and you can file false positive reports with each security vendor.

Check for mixed content

Most browsers indicate whether a site is secure (i.e., loaded over HTTPS) or insecure (i.e., not loaded over HTTPS) with a “lock” (or “broken lock”) icon next to the site’s address in the URL bar. At times, browsers may show an “info” icon instead, which you can click to view an explanation of the error. Typically, this error will indicate that your connection to the site is not fully secure. This can happen when you have mixed content on your site — that is, your site’s code contains HTTP URLs — that the browser can’t load. These URLs could be in links, custom code, or any link field on your site.

You can use the browser console to find out what mixed content exists on your site. To open the console in Google Chrome, press Command + Option + J (on Mac) or Control + Shift + J (on Windows). The message in the console will identify the HTTP URL. Once you’ve found the HTTP URL(s), you can replace them with the HTTPS version, if it exists.

To avoid issues with mixed content, be sure to use URLs that begin with https:// whenever you paste URLs in these places:

Check your internal network

Some businesses have internal networks that filter and monitor DNS lookups and block certain websites and content, which may mistakenly flag your site as malware. VPNs may also prevent your site from loading.

You can use public DNS resolvers to load your site, rather than relying on the local network’s DNS resolvers. If there are no issues loading your site with public DNS resolution services, you may need to request that your system admin review and update the internal network filters. Removing the internal DNS record from your network may also resolve this.

Note

Your site may also be blocked by Internet Service Providers (ISPs). If your site was marked unsafe by an ISP, you’ll need to reach out to them to report the block.

Check your DNS settings and default domain

Google Ads may flag your site if you haven’t set a default domain. If you’re encountering a malicious software error on Google Ads, first check that your DNS settings are correct and you’ve set and published a default domain.

If the issue persists after setting your default domain and publishing your site, reach out to Google for more information about the errors.

Learn more about security at Webflow.