Google Tag Manager, Malware detection and tags not firing

Posted 4 years ago by Dmitry Klymenko


Have you ever been frustrated by attempting to visit a particular website, only to discover a red page stating “malware detected” instead? Believe it or not, this is Google's way of keeping you safe.

Nowadays, websites are not the only things at risk of malware infection. Theoretically, tags may also contain JavaScript malware. According to (Trends, Intelligence and Internet Research company), up to 20% of the top 10,000 most frequently visited websites are using Google Tag Manager and, let's face it... Google Tag Manager is a very effective way to hack your own website. In fact, this is the exact reason we are using it.


We ‘fire tags’ (add or remove JavaScript) on a website page based on events, current time, or any other possible marketing triggers. Google Tag Manager (GTM) helps to deliver tags without involving a website development team (which we all know could take days, if not weeks).

GTM is a very powerful tool in the hands of a Digital Analyst. However, in rare situations, it can technically be misused to deliver harmful malware content to the website's visitors. Thanks to Google and its new security feature, it is now less risky.

On more than one occasion I have come across false malware warnings. The website was absolutely legit and there was no malware whatsoever. Yet, it was still detected and flagged and users struggled to visit it. Can this also happen to your completely legit Google Tag Manager container? Well, I can think of at least one situation where this is possible.

Let's say your Custom HTML Tag requires a third-party jQuery (a very popular JavaScript library) plugin to do exactly what you need it to. You include that plugin using a <script src='external-domain'> HTML tag and publish your container. Weeks later, the original website of the jQuery plugin is marked as malware and, subsequently, so is your container.

In a recent security update, Google have advised that if your tag references a malware-flagged domain, the tag may stop firing and the entire container may be flagged as well. Consequently, you will end up losing analytics data and this is not good. Not good at all.

I'd personally like Google to provide a more detailed explanation on how this new security enhancement will work. Don't get me wrong - I am all for safe browsing and reducing potential risks! It is a very important thing to do.

So if you have a GTM container full of tags - what can you do to stay on the safe side?

  • Stick to the built-in tags, think twice before using Custom HTML Tags and think 10 times before allowing them to use document.write

  • Be very careful about including external JavaScript in your tags

  • Black-list Custom HTML tags on website pages where you are not using Custom HTML Tags

  • Enable two-step verification on the Google Account you use to access GTM

  • Periodically review your tags

  • Never use external scripts (or scripts whose behaviour you don't know) on secure payment pages with sensitive data
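
One way to carry out the periodic tag review and the external-JavaScript check from the list above is to audit an exported container file. This is an added example, not code from Internetrix or Google. It assumes the JSON layout of GTM's "Export Container" file (containerVersion.tag[], type "html" for Custom HTML tags, parameter keys "html" and "supportDocumentWrite"); TRUSTED_HOSTS is a hypothetical allowlist and the sample container is constructed.

```javascript
// Added example: list Custom HTML tags that load scripts from hosts you have
// not reviewed, or that use document.write. Field names are assumed from
// GTM's container export JSON; SAMPLE_EXPORT is constructed test data.
const SAMPLE_EXPORT = { containerVersion: { tag: [
  { name: "GA pageview", type: "ua", parameter: [] },
  { name: "Carousel plugin", type: "html", parameter: [
    { key: "html", value: "<script src='//plugins.example.net/carousel.js'></script>" },
    { key: "supportDocumentWrite", value: "true" } ] },
  { name: "Inline helper", type: "html", parameter: [
    { key: "html", value: "<script>window.dataLayer.push({event:'x'});</script>" },
    { key: "supportDocumentWrite", value: "false" } ] },
] } };

// Hosts you have reviewed and accept (hypothetical allowlist).
const TRUSTED_HOSTS = new Set(["www.googletagmanager.com"]);

function param(tag, key) {
  const p = (tag.parameter || []).find((x) => x.key === key);
  return p ? String(p.value) : "";
}

// Return the external hostnames referenced by <script src=...> in a tag body.
function externalHosts(html) {
  const hosts = new Set();
  const re = /<script\b[^>]*?\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    try {
      // The base URL resolves protocol-relative (//host/x) and relative paths.
      const u = new URL(m[1], "https://self.invalid/");
      if (u.hostname !== "self.invalid") hosts.add(u.hostname);
    } catch { hosts.add("(unparseable: " + m[1] + ")"); }
  }
  return [...hosts];
}

function auditContainer(exp) {
  const tags = (exp.containerVersion && exp.containerVersion.tag) || [];
  return tags.filter((t) => t.type === "html").map((t) => {
    const html = param(t, "html");
    return {
      name: t.name,
      untrustedHosts: externalHosts(html).filter((h) => !TRUSTED_HOSTS.has(h)),
      documentWrite: param(t, "supportDocumentWrite") === "true" || /document\.write/.test(html),
    };
  }).filter((r) => r.untrustedHosts.length > 0 || r.documentWrite);
}

console.log(JSON.stringify(auditContainer(SAMPLE_EXPORT), null, 2));
```

Each host it reports is a domain whose malware status can take your tag, and possibly your container, down with it, so those are the ones to review or self-host.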

Talk to Internetrix if your website and/or your GTM container tags get flagged as malware. We will do a complete security and technical audit and remove or fix malicious tags (if any) and ensure your data collection is up and running.