How to Check if a Website Was Hacked
If you suspect compromise, the fastest way to confirm it is to look for a pattern of technical, visual, and behavioral changes across the site.
This guide explains how to check if a website was hacked, what signs matter most, and which tools help you verify the problem quickly.
A website intrusion is not always obvious at first.
Attackers often hide malware, inject spam links, alter redirects, or create backdoor access that remains invisible until search engines, customers, or hosting logs reveal the damage.
Early Warning Signs of a Hacked Website
The clearest indicators usually show up in content, redirects, SEO performance, or server behavior.
A single symptom may have a harmless explanation, but several together strongly suggest compromise.
- Unexpected redirects: Visitors land on unrelated, spammy, or malicious pages.
- New pages or posts: Unknown content appears in WordPress, Drupal, Joomla, or a custom CMS.
- Defaced homepage: Visible text, layout, or branding changes without approval.
- SEO traffic drops: Search rankings decline suddenly because of injected pages, cloaking, or blacklisted links.
- Browser warnings: Chrome, Firefox, or Safari shows “Deceptive site,” “This site may be hacked,” or malware alerts.
- Unusual user accounts: Admin, editor, or FTP accounts appear that no one created.
- Slow performance or outages: Malicious scripts, bot activity, or resource abuse can degrade performance.
Check the Site From the Outside First
Start with what visitors and search engines see.
External checks help you confirm whether the issue is public-facing, search-related, or limited to the server.
Use a clean browser session
Open the site in an incognito window or a different browser to rule out cached pages, extensions, or saved sessions.
Then compare the live site to your expected layout, navigation, and content.
Look for redirect behavior
Visit the homepage, key landing pages, and login page.
If the URL changes unexpectedly, if a page reloads multiple times, or if mobile and desktop behavior differs, that can indicate a compromise such as JavaScript injection or .htaccess tampering.
Run a public safety check
Use Google Safe Browsing, the Norton Safe Web database, or VirusTotal URL scanning to see whether the domain has been flagged.
These tools can identify malicious code, phishing content, or hosting with a poor reputation.
Inspect the Website Files and Code
Once external symptoms point to trouble, examine the site’s files.
File-level changes are often the fastest way to find malware, injected scripts, or unauthorized edits.
Review recent file modifications
Check timestamps in your hosting control panel, SFTP client, or command line.
Files modified outside your normal deployment window deserve immediate attention, especially in directories such as /wp-content/, /assets/, /includes/, or server config folders.
Search for suspicious code patterns
Common indicators include encoded strings, obfuscated JavaScript, unfamiliar iframes, and PHP functions used for remote execution.
Watch for terms such as base64_decode, eval, gzinflate, or long, unreadable character blocks inserted into templates.
Compare against a clean backup
If you have a known-good backup, compare it against the live version.
File diffs often reveal the exact lines that were added, removed, or altered.
This is especially useful for CMS themes, plugins, and custom scripts.
Check CMS Users, Plugins, and Admin Access
Many compromises begin with stolen credentials, weak passwords, or vulnerable plugins.
If the attacker gained admin access, they may leave behind new accounts or manipulate settings to maintain persistence.
- Review all administrator, editor, and FTP users.
- Remove unknown accounts immediately.
- Check for recently installed plugins, themes, or extensions.
- Inspect plugin settings for unauthorized webhooks, redirects, or code snippets.
- Reset passwords for CMS, hosting, database, and email accounts.
In WordPress, pay special attention to the users table, active plugins, wp-config.php, and any custom code in theme files.
In other platforms, look for equivalent admin roles, API tokens, and access keys.
Review Logs for Suspicious Activity
Logs provide the timeline you need to identify when the attack happened and what it changed.
Hosting access logs, application logs, and security plugin logs can reveal brute-force attempts, bot traffic, file uploads, or unauthorized admin actions.
What to look for in logs
- Repeated login failures from the same IP address
- Unexpected POST requests to admin or upload endpoints
- File changes that match suspicious timestamps
- Requests to obscure PHP files, shell scripts, or plugin vulnerabilities
- Outbound traffic to unfamiliar external domains
If your server supports centralized logging, correlate web server logs with CMS audit logs and authentication events.
This often shows whether the intrusion came from stolen credentials, a vulnerable extension, or direct server access.
Check Search Engines and SEO Signals
Hackers often abuse websites for SEO spam, link injection, or doorway pages.
Search engine clues can expose issues even when the public site looks normal.
Use Google Search Console
Inspect Security Issues, Manual Actions, and Indexing reports.
Search Console may report hacked content, spammy snippets, or pages removed from results due to malware.
Coverage errors and sudden indexing spikes are also worth investigating.
Search for strange indexed pages
Use a query like site:example.com and scan for unfamiliar titles, foreign-language pages, or pages with suspicious query strings.
If search results show pages you never published, you may be dealing with injected content or automated spam generation.
Check for Backdoors and Persistence
Removing the visible malware is not enough if the attacker planted a backdoor.
Backdoors allow reinfection after cleanup and are a common reason hacked sites keep getting compromised again.
- Look for recently created PHP files in uploads or cache folders.
- Inspect cron jobs, scheduled tasks, and server-side automation.
- Review hidden or oddly named files in web root and subdirectories.
- Check .htaccess, web.config, and other rewrite files for malicious rules.
- Audit database entries for injected scripts or spam links in posts, widgets, and options tables.
A recurring infection pattern usually means the attacker still has a foothold somewhere in the stack.
Verify Server, DNS, and SSL Settings
Not every compromise starts in the application layer.
DNS hijacking, unauthorized SSL changes, or hosting account abuse can also make a site behave as if it has been hacked.
- Confirm the domain’s DNS records point to the correct host.
- Check for recent changes to A, CNAME, MX, and nameserver records.
- Verify the SSL certificate issuer and renewal history.
- Review hosting account activity and support tickets for unauthorized changes.
If visitors are being sent to another server, the issue may be at the registrar or DNS provider rather than inside the CMS itself.
Tools That Help Confirm a Hack
Several reputable tools can speed up diagnosis without requiring deep manual inspection.
Each one provides a different view of the problem.
- Google Search Console: Security, indexing, and manual action data.
- VirusTotal: URL reputation and known-malware indicators.
- Sucuri SiteCheck: Public malware and blacklist scanning.
- Wordfence or similar security plugins: File integrity checks and login alerts.
- Hosting logs and audit tools: Access patterns, file changes, and admin activity.
Use more than one tool.
A single scanner may miss obfuscated malware, but multiple signals often confirm the compromise.
What to Do Immediately After You Confirm It
Once you verify a hack, prioritize containment before cleanup.
The goal is to stop further damage to visitors, search visibility, and connected systems.
- Take the site offline or place it in maintenance mode if malicious content is active.
- Change passwords for CMS, hosting, FTP, SSH, database, registrar, and email accounts.
- Preserve logs and a backup copy of the infected site for investigation.
- Remove unknown users, files, redirects, and injected scripts.
- Restore from a clean backup if available and patch the vulnerability that allowed entry.
- Rescan the site and request review in Google Search Console if blacklisted or flagged.
Document everything you change.
If the site handles payments, personal data, or customer accounts, involve your hosting provider, security team, or incident response vendor right away.
How to Reduce the Chance of a Repeat Attack
After recovery, harden the site so the same weakness cannot be reused.
Strong preventive controls matter as much as malware removal.
- Keep the CMS, plugins, themes, and server software updated.
- Use unique, strong passwords and multifactor authentication.
- Limit admin access to only the people who need it.
- Install file integrity monitoring and login alerts.
- Back up the site regularly and store backups offsite.
- Remove unused plugins, themes, and old accounts.
- Use a web application firewall to block common exploits and bots.
Consistent monitoring is the most practical way to catch compromise early.
The sooner you know how to check if a website was hacked, the faster you can contain the incident and restore trust.