Most website owners don't realize they've been hacked until a visitor tells them, Google flags the site, or their host suspends the account. Attacks aren't always obvious. You might not see a defaced homepage or a ransom note. More often, the signs are subtle, and the damage is happening quietly in the background.
Here's how to tell if your site has been compromised, what to do about it, and how to make sure it doesn't happen again.
Signs Your Website Has Been Hacked
Some of these are obvious, others aren't. Check for all of them if you suspect something is wrong.
Visible Red Flags
- Unfamiliar content on your site. Spam links, foreign-language pages, or pharmaceutical ads injected into your pages are classic signs of a hack.
- Browser warnings. Chrome or Firefox displaying "This site may be hacked" or "Deceptive site ahead" means Google has already detected malicious content.
- Redirects to other sites. If visitors are getting sent to gambling sites, fake tech support pages, or sketchy downloads, malicious code is redirecting your traffic.
- New admin accounts. Check your CMS user list. If there are accounts you didn't create, someone has access to your backend.
Less Obvious Signs
- Sudden drop in search traffic. Google may have de-indexed your site or applied a manual penalty after detecting malware.
- Slow performance. Cryptocurrency miners or spam bots running on your server consume resources and slow everything down.
- Strange server logs. Unusual POST requests to files you don't recognize, especially in wp-content/uploads or temp directories, suggest a backdoor.
- Email blacklisting. If your site is sending spam, your server's IP gets blacklisted. Suddenly your legitimate emails start bouncing.
- Modified files. Core CMS files with recent modification dates that don't match your last update are a strong indicator of tampering.
Immediate Steps After Discovering a Hack
Speed matters. The longer malicious code runs, the more damage it does to your reputation, your SEO, and potentially your visitors.
1. Don't Panic, But Act Fast
Take a breath. Most hacks are recoverable. But every hour of delay means more spam sent from your server, more visitors exposed to malware, and more search engine penalties accumulating.
2. Take Your Site Offline
Put up a maintenance page or enable maintenance mode. This stops the hack from affecting visitors while you clean things up. In cPanel, you can password-protect the directory as a quick measure.
3. Change All Passwords Immediately
Change passwords for everything connected to your site:
- CMS admin accounts (WordPress, Joomla, etc.)
- FTP and SFTP credentials
- cPanel login
- Database passwords
- Email accounts on the domain
Use strong, unique passwords for each one. If you were reusing passwords across services, change those too.
4. Restore from a Clean Backup
If you have a recent backup from before the hack occurred, restoring it is usually the fastest and most reliable fix. Manually cleaning hacked files often misses backdoors that attackers leave behind for re-entry.
After restoring, immediately update all software, plugins, and themes before making the site live again. The vulnerability that let the attacker in still exists in the restored version.
5. Scan and Clean (If No Clean Backup Exists)
If you don't have a pre-hack backup, you'll need to scan and clean manually:
- Run a malware scanner (Wordfence, Sucuri, or ImunifyAV)
- Compare core CMS files against fresh copies from the official source
- Check for unfamiliar files in upload directories, temp folders, and plugin directories
- Review your .htaccess file for suspicious redirect rules
- Search your database for injected JavaScript or iframe tags
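The core-file comparison from the list above, as an added example (not code from the original article): it hashes a live install and a fresh download and reports files that differ or exist only on the live site. It assumes the fresh copy is the same CMS version as the install and uses a WordPress-style `wp-content/` skip list; the two directory trees are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_core(live_root, fresh_root, skip=("wp-content/",)):
    """Compare a live install against a fresh copy of the same version.

    Returns (modified, unexpected): files whose content differs from the
    fresh copy, and files present only in the live tree. Paths under `skip`
    (site-specific content such as uploads and plugins) are ignored here
    and need a separate review.
    """
    live, fresh = sha256_tree(live_root), sha256_tree(fresh_root)
    live = {k: v for k, v in live.items() if not k.startswith(tuple(skip))}
    modified = sorted(k for k in live if k in fresh and live[k] != fresh[k])
    unexpected = sorted(k for k in live if k not in fresh)
    return modified, unexpected


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (fresh, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "wp-includes/version.php").write_text("<?php // stock\n")
        # Constructed tampering: one edited core file, one extra file.
        (live / "index.php").write_text("<?php // stock index\n// injected line\n")
        (live / "wp-includes/class-cache.php").write_text("<?php // not in fresh copy\n")
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")
        return compare_core(live, fresh)


if __name__ == "__main__":
    modified, unexpected = demo()
    print("modified:", modified)
    print("only in live tree:", unexpected)
```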
6. Identify the Entry Point
Check your server access logs around the time the hack likely started. Look for unusual POST requests, repeated login attempts, or access to files that shouldn't be directly requested. Common entry points include outdated plugins, weak passwords, and vulnerable file upload forms.
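One way to run that log check, as an added example (not code from the original article): it flags POST requests to scripts inside upload or temp directories and counts login POSTs per IP. It assumes the Apache/Nginx "combined" log format; the directory list, login paths, threshold and sample lines are constructed assumptions to adjust per site.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Directories that should only serve static content (assumed list).
NO_EXEC_DIRS = ("/wp-content/uploads/", "/tmp/", "/cache/")
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php")
LOGIN_THRESHOLD = 5  # assumed cut-off for "repeated" attempts from one IP


def triage(lines):
    """Return (suspicious_posts, noisy_login_ips) from access-log lines."""
    suspicious, logins = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()
        # A POST to a script inside an upload/temp directory suggests a backdoor.
        if path.endswith((".php", ".phtml")) and any(d in path for d in NO_EXEC_DIRS):
            suspicious.append((m["time"], m["ip"], path, m["status"]))
        if path in LOGIN_PATHS:
            logins[m["ip"]] += 1
    noisy = {ip: n for ip, n in logins.items() if n >= LOGIN_THRESHOLD}
    return suspicious, noisy


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:03:14:07 +0000] "POST /wp-content/uploads/2024/03/img.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2024:03:15:00 +0000] "GET /wp-content/uploads/2024/03/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:09:00:00 +0000] "POST /contact/ HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [12/Mar/2024:02:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'
    for s in range(6)
]

if __name__ == "__main__":
    posts, noisy = triage(SAMPLE)
    print("POSTs to scripts in upload/temp dirs:", posts)
    print("IPs with repeated login POSTs:", noisy)
```

The earliest timestamp among the flagged POSTs gives a starting point for deciding which backup predates the compromise.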
After the Cleanup
Request a Google Review
If Google flagged your site, log into Google Search Console and request a review after cleaning the malware. Google typically reviews the request within a few days and removes the warning if the site is clean.
Check Email Blacklists
Use tools like MXToolbox to see if your server's IP landed on any email blacklists. If it did, you'll need to submit delisting requests to each blacklist provider.
Notify Your Users
If user data may have been exposed, be transparent about it. Let affected users know what happened and recommend they change their passwords on your site and any other site where they used the same credentials.
Preventing Future Attacks
Most website hacks exploit known vulnerabilities in outdated software or weak credentials. Prevention isn't complicated, but it requires consistency.
- Keep everything updated: CMS core, plugins, themes, and PHP version. Outdated software is the number one attack vector.
- Use strong, unique passwords and enable two-factor authentication on every admin account.
- Limit login attempts. Brute-force attacks are common. A plugin that blocks repeated failed logins stops most of them.
- Remove unused plugins and themes. Even deactivated plugins can contain exploitable code.
- Set correct file permissions. Directories should be 755, files should be 644. Never set anything to 777.
- Keep regular backups. Automated daily backups stored offsite give you a clean restore point whenever you need one.
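An audit for the file-permission rule in the list above, as an added example (not code from the original article): it walks a web root and reports anything world-writable or broader than 755 for directories and 644 for files. Stricter modes such as 600 pass; the sample tree is constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE = 0o755, 0o644  # the baseline stated in the article


def audit_permissions(root):
    """Return [(relative_path, mode_octal, issue)] for entries that deviate."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink modes are not meaningful; review targets instead
        mode = stat.S_IMODE(st.st_mode)
        expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if mode & stat.S_IWOTH:
            issue = "world-writable"
        elif mode & ~expected:
            # Some bit is set that the baseline does not allow (e.g. group write).
            issue = f"broader than {expected:o}"
        else:
            continue
        findings.append((p.relative_to(root).as_posix(), f"{mode:o}", issue))
    return findings


def demo():
    """Constructed tree: one correct file, one group-writable, one 777 dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "site")
        (root / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php\n")
        (root / "config.php").write_text("<?php\n")
        (root / "uploads/a.jpg").write_bytes(b"\xff\xd8")
        os.chmod(root / "index.php", 0o644)
        os.chmod(root / "config.php", 0o664)
        os.chmod(root / "uploads/a.jpg", 0o600)
        os.chmod(root / "uploads", 0o777)
        return audit_permissions(root)


if __name__ == "__main__":
    for path, mode, issue in demo():
        print(f"{mode:>4}  {path}  ({issue})")
```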
SpectraHost plans include automated daily backups and server-level malware scanning, so you have both a safety net and an early warning system built in.
