Chrome displaying RED screen saying "Deceptive site ahead"

I’ll show you with some screenshots attached. Google specifically indicates that it detected social engineering content at the / and /index.php URLs.

My point about setting up monitoring is this: If a site owner already has Google Search Console set up for their site, Google notifies them by email when it detects a security issue, and the owner can respond faster. So if many Matomo installations are being flagged as deceptive it makes sense to provide some advice about it during installation.

Thanks for providing these screenshots, they are helpful.

I just re-read all the thread starting from the beginning and I see (I think) why I got even more confused:

  • thread started with Matomo being flagged as a subdomain
  • other users report Matomo server used on multiple domains being flagged (all seem to be Wordpress domains)

In your case @Liam_Hennessy you are using a domain that has Matomo JS code on it, but that Matomo is on a separate server and domain right? (you are not using a subdomain on the same domain for Matomo correct?)

You are correct about this, a site owner would be able to see this faster if the Matomo installations are being flagged.

Once I get a bit of spare time, I am gonna do some tests on this to see if I get the same error like you guys.

Correct me if I am wrong, but as I asked before, but in your screenshot you are using Matomo on a separate domain and server than the domain that has Google Search Console, correct?

Thanks!

Yes, my site and my Matomo are on separate domains. The site loads the tracking JS from the Matomo domain. When Google flags a domain as dangerous, it can take many hours to fix. My site’s domain was not flagged, and my matomo domain was, so I was able to remove the tracking code from the site, and my site loaded ok for everyone immediately.

1 Like

Just to give you some confidence, we had a user with this same problem this week. They reported the false positive to Google Safe Browsing and Matomo was safelisted later that same day. Malware no more.

Speaking only for myself, it doesn’t seem unreasonable for G to be cautious on this: a file called “matomo.js”, full of JS listeners sending data to an API could look more or less suspicious depending on what the API looks like on your server setup. And G takes things into account like the holistic reputation of your server and even your IP address neighborhood (adjacent IP addresses to yours).

Glad that the safelisting is a fast and, based on emails, more or less permanent fix.

Links for safelisting:
The google safe browsing list. You can check here:
https://transparencyreport.google.com/safe-browsing/search

And report an incorrectly blocked site here:
https://safebrowsing.google.com/safebrowsing/report_error/?hl=en

1 Like

Thanks for the explanation and details Liam!

Hii, I’m sorry, but this issue hasn’t been resolved yet, and we can only address it retroactively. We are planning to transition some customers to Matomo soon, and we’re concerned that this might lead to a customer’s main domain being flagged on the phishing list, which would be quite embarrassing for all of us.

I’ve discovered that it’s possible for crawlers to ignore the robots.txt file, crawl the Matomo instances, and classify them as potential phishing threats. As a result, we are implementing a proxy in front of our Matomo instances. This proxy allows us to override the default Matomo robots.txt with “User-Agent: *
Disallow: /” and also directly block (returning a 404) certain crawlers that we’re familiar with. This way, we aim to ensure that these crawlers won’t crawl Matomo.

Does anyone have experience if this approach can help prevent the domains from being flagged?

I’ve also noticed that this issue tends to occur with customers whose domains are relatively new (around 2 years old). With customers that have been established for a long time, we’ve been fortunate enough to avoid this problem.

Thanks!

Hi @2A005D
Don’t hesitate to post any finding or new question to the related GitHub topic:

1 Like