Avast is blocking my site

[Christopher93]

Hello,
A user has reported that they can't access my site (handsupholidays.com), as it is blocked by Avast Web Shield, and regarded as a threat URL:scam

See screenshot

I don't know what block.charter-prod.hosted.cujo.io - is, is this part of Avast?

Can anyone help me understand why my site is being blocked, and how can I overcome this?

Thanks!

[DavidR]

It has nothing to do with Avast.  I have no idea what the &token element at the end of the URL in your image does.
There is a possibility that one of your 3rd party links could be triggering this.

One other AV Webroot also detects something "Phishing and Other Frauds" in the details section of the scan
https://www.virustotal.com/gui/url/1bcc55f45da6f08a3b970504ad6753df2e2a270b126ba08a6ff14a7c4352bf3a/details
Some security issues reported here - https://en.internet.nl/site/handsupholidays.com/2355585/
Considered a low risk here - https://sitecheck.sucuri.net/results/handsupholidays.com - with some hardening improvements.

-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.
-  This may or may not be what Avast is alerting for - but you should certainly address the points raised in the above scans.

[Christopher93]

Thank you so much @DavidR - you are awesome!

I can see that this link you sent ( https://en.internet.nl/site/handsupholidays.com/2355585/) and the Sucuri link has identified some security issues - do you have recommendations as to who I can hire to resolve these?

On the VirusTotal link you sent, a security vendor named Webroot has labelled my site as malicious...do you know if I can reach out to them and ask Webroot to re-check?

And does it make a difference at all that on VirusTotal, the 'text/html' is http://handsupholidays.com/
handsupholidays.com
and not https://handsupholidays.com/
when further down it refer to the https?

Thank you so much!

[DavidR]

As an Avast User and not Avast Team Member I can't really suggest a company.  Really whoever hosts the site or designed the site would be a good start.

Please break all active links to suspect site to avoid accidental exposure the http and https elements or use htxp or htxps. 
Part of the problem is that there isn't an automatic switch to a secure connection https as in my second link.  So it isn't just because of the http and https elements, it is the domain, just that it is less secure when using http.

[polonus]

Word Press CMS seems OK. Configuration also with no glitches.

Check on plug-ins for latest:

The following plugins were detected by reading the HTML source of the WordPress sites front page.

Plugin   Update Status   About
wp-rocket    Unknown   
elementor-pro    Unknown   
chatbase    Unknown   latest release (1.0.2)
-https://www.chatbase.co
ultimate-elementor    Unknown   
embed-calendly-scheduling    Unknown   latest release (3.6)
essential-addons-for-elementor-lite    Unknown   latest release (5.8.9)
-https://essential-addons.com/elementor/
elementor    Unknown   latest release (3.16.4)
-https://elementor.com/
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

Is it phish? - We think this is safe!
99.8% Legitimate
0.2% Phishing
But 2 to flag here: https://www.virustotal.com/gui/url/292b12f9476ed22bc43085e98c3aa28fcb6ddc1e395b14a33dd0686f6c17fa65

Hardening - Hardening Improvements
Protection
No website application firewall detected. Please install a cloud-based WAF to prevent website hacks and DDoS attacks.

Security Headers
Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.

Missing security header to prevent Content Type sniffing.

Missing Strict-Transport-Security security header.

Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src  (info-credits Sucuri's.)

Avast now says - everything OK -

Mind to check: Link 'rel' attribute should include 'noopener'.
-https://handsupholidays.com/:444:4997
<a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-a4a2d2d" href="-https://www.facebook.com/luxuryvoluntourism/" target="_blank">
-https://handsupholidays.com/:444:5667
<a class="elementor-icon elementor-social-icon elementor-social-icon-twitter elementor-repeater-item-02700a8" href=
"-https://twitter.com/handsupholidays" target="_blank">
-https://handsupholidays.com/:444:6852
<a class="elementor-icon elementor-social-icon elementor-social-icon-instagram elementor-repeater-item-764807a" href=
"-https://www.instagram.com/handsupholidays/" target="_blank">

&

Link 'rel' attribute should include 'noopener'.
-https://handsupholidays.com/:444:4997
<a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-a4a2d2d" href=
"-https://www.facebook.com/luxuryvoluntourism/" target="_blank">
-https://handsupholidays.com/:444:5667
<a class="elementor-icon elementor-social-icon elementor-social-icon-twitter elementor-repeater-item-02700a8" href=
"-https://twitter.com/handsupholidays" target="_blank">
-https://handsupholidays.com/:444:6852
<a class="elementor-icon elementor-social-icon elementor-social-icon-instagram elementor-repeater-item-764807a" href=
"-https://www.instagram.com/handsupholidays/" target="_blank">
Security glitches detected through Hint scan (info-credits go out to Hint) via developer's console info.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)