How to Tell If Your Website Has Been Hacked

Sometimes it’s obvious. Your homepage is replaced with a skull and crossbones and some message in broken English. But most hacks aren’t like that.

The sneaky ones sit quietly, redirecting your mobile visitors to spam sites, injecting invisible links, or using your server to send thousands of phishing emails. You might not notice for weeks. Meanwhile, Google’s already flagged you, your hosting account’s suspended, and your email reputation is destroyed.

Here’s how to spot the signs before it gets that bad.

The Obvious Red Flags

Let’s start with the stuff that screams “you’ve been hacked”:

Your site looks completely different

Defacement. Someone replaced your content with their own message. Usually political, sometimes just showing off. This is actually the least damaging type of hack because it’s immediately visible. Check your recent backups and restore.

Google shows “This site may be hacked” warning

If you see this in search results, Google’s already detected malicious content. Your organic traffic is about to tank. Check Google Search Console immediately – there’ll be security notifications explaining what they found.

Browser shows red warning page

Chrome, Firefox, and Safari all block sites flagged for malware or phishing. If visitors see “Deceptive site ahead” or “This site contains malware,” you’re on Google’s Safe Browsing blacklist. This is serious and needs immediate attention.

Hosting suspended your account

Hosts monitor for suspicious activity. If they’ve suspended you, check your email for their explanation. Usually it’s either malware, spam being sent from your server, or excessive resource usage from a crypto miner.

The Subtle Signs Most People Miss

These are trickier. Your site looks fine to you, but something’s wrong underneath.

Redirects on mobile only

Classic hack. Desktop visitors see your normal site. Mobile visitors get redirected to spam, fake virus warnings, or dodgy pharma sites. The hackers do this because site owners usually check from desktop.

Test your site on actual mobile devices, not just browser dev tools. Or use Google’s Mobile-Friendly Test and see if it flags anything weird.

Redirects only for search visitors

Another sneaky one. If you visit your site directly, everything’s fine. But click through from Google search results and you’re redirected elsewhere. The malicious code checks the referrer header.

Test by Googling your site and clicking through. Or check in Google Search Console under Security & Manual Actions.

Strange new pages indexed

Search your site on Google: site:yourdomain.com

See hundreds of pages you didn’t create? Spam pages about viagra, casinos, or cheap designer goods? That’s a hack. Attackers create these pages to piggyback on your domain authority for their SEO.

Weird outbound links in your content

View source on a few pages. Search for URLs you don’t recognise. Hackers inject hidden links to boost their own sites. These might be invisible on the page (white text on white background, positioned off-screen, font-size: 0) but they’re in your code.

New admin users you didn’t create

Check Users → All Users in WordPress. Any administrators you don’t recognise? That’s a backdoor account. Delete it, but know that if they got in once, they’ve probably left other ways back in too.

Modified file dates

Core WordPress files shouldn’t change unless you’re updating. If wp-includes files show modification dates from last week but you haven’t updated anything, something’s wrong.

In your hosting file manager or FTP, sort by date modified. Look for recent changes to files that should be static.

Slow site with high server load

Sudden performance drop with no changes on your end? Could be a crypto miner running on your server, or your site being used to attack others. Check your hosting resource usage graphs.

Outbound spam from your domain

If people report getting spam from your email address, or your emails suddenly go to spam folders, attackers might be using your server to send mail. Your domain reputation is being destroyed.

Check your mail server logs if you have access. Look for thousands of outgoing messages you didn’t send.

How to Actually Check for Hacks

Suspecting is one thing. Confirming is another.

1. Google Search Console

If you haven’t set this up, do it now. Google tells you when they find problems.

Go to Security & Manual Actions → Security Issues. If anything’s flagged, Google will show you exactly what they found and on which pages.

Also check the Coverage report for unexpected spikes in indexed pages you didn’t create.

2. Run a Scanner

Sucuri SiteCheck (free): sitecheck.sucuri.net

Scans your site externally for known malware, blacklist status, and suspicious code. It can’t see everything since it only checks what’s publicly visible, but it catches a lot.

Wordfence (WordPress plugin):

Install and run a full scan. It compares your core files against WordPress originals, checks plugins/themes for known vulnerabilities, and scans for malware signatures. The free version is thorough.

VirusTotal: virustotal.com

Submit your URL. It checks against 70+ antivirus engines and security services. Good for seeing if you’re on any blacklists.

3. Check Core File Integrity

WordPress core files should match the official versions exactly. Any modification is suspicious.

Using Wordfence:

After scanning, it shows “modified core file” warnings. Click to see exactly what changed.

Using WP-CLI (if you have SSH access):

wp core verify-checksums

This compares your files against WordPress.org originals. Any mismatch gets flagged.

Manually:

Download a fresh copy of your WordPress version from wordpress.org. Compare key files:

4. Search for Suspicious Code

Malware often uses certain patterns. Search your files for:

eval(
base64_decode(
gzinflate(
str_rot13(
preg_replace.*\/e
assert(
system(
exec(
shell_exec(
passthru(

These aren’t always malicious – some legitimate plugins use base64 – but they’re worth investigating.

If you have SSH access:

grep -r "eval(base64_decode" /path/to/wordpress/

5. Check .htaccess Files

Open your root .htaccess file. It should look relatively simple – permalink rules, maybe some caching or security headers you’ve added.

Red flags:

Also check for .htaccess files in subdirectories. There shouldn’t be many. Attackers drop them in wp-content, wp-includes, and upload folders.

6. Look for Unknown Files

Check these directories for files that shouldn’t be there:

/wp-content/uploads/

Should only contain media files (images, PDFs, etc.). PHP files here are almost always malicious. Search for .php files in your uploads folder.

/wp-includes/

Core files only. No random PHP files with weird names like wp-feed.php or class-wp-temp.php. If you see something unfamiliar, Google the filename – if it’s malware, others will have reported it.

Root directory:

Look for PHP files that aren’t standard WordPress. Files named things like about.php, content.php, or random strings like 8xjf7.php are suspicious.
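Sections 4 and 6 amount to one pass over the file tree, so here is an added example (not code from the post) that does both in Python: it flags every PHP file under wp-content/uploads and reports line-numbered hits for the patterns listed in section 4. The sample install it builds in a temporary directory is constructed for the demo; call scan_tree(build_sample_tree()) to see the findings.

```python
import os
import re
import tempfile

# Indicator patterns from the section 4 checklist. Hits are leads to investigate, not proof.
SUSPICIOUS_PATTERNS = [
    r"eval\(", r"base64_decode\(", r"gzinflate\(", r"str_rot13\(",
    r"preg_replace\s*\(.*/e['\"]", r"assert\(", r"system\(", r"exec\(",
    r"shell_exec\(", r"passthru\(",
]
PATTERN_RE = re.compile("|".join(f"(?:{p})" for p in SUSPICIOUS_PATTERNS))
SCANNED_EXTENSIONS = (".php", ".htaccess", ".js")

def scan_tree(root):
    """Walk a WordPress install; return sorted (relative_path, reason) findings."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Section 6: PHP has no business in the uploads folder at all.
            if name.lower().endswith(".php") and path.startswith(uploads):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            if not name.lower().endswith(SCANNED_EXTENSIONS):
                continue
            # Section 4: grep-style search, reporting every hit with its line number.
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in PATTERN_RE.finditer(line):
                        findings.append((rel, f"line {lineno}: {m.group(0)}"))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture: a tiny fake install with one clean file and two suspicious ones."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "wp-includes/functions.php": "<?php\nfunction wp_example() { return 1; }\n",
        "wp-content/uploads/2024/05/photo.jpg": "not really a jpeg\n",
        "wp-content/uploads/2024/05/wp-feed.php": "<?php\n@eval(base64_decode('Zm9v'));\n",
        "wp-content/themes/t/functions.php": "<?php\n$out = passthru($cmd);\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Point scan_tree at the real document root over SSH and expect some noise from legitimate plugins, exactly as the text warns; the uploads finding is the one that is almost never a false positive.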

7. Database Check

Some hacks live entirely in the database.

Check wp_users:

Look for admin accounts you didn’t create.

Check wp_options:

Look for the siteurl and home options. Are they correct? Hackers sometimes change these to redirect your entire site.

Also search for base64 encoded strings or script tags in option values.

Check post content:

SELECT * FROM wp_posts WHERE post_content LIKE '%<script%' 

Injected scripts in your posts are common. Also search for hidden iframes and links.
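The three database checks above, as an added example that is not part of the post: it finds administrators outside a known list (WordPress keeps roles in wp_usermeta under wp_capabilities), compares siteurl and home against the address you expect, and runs the LIKE query from the text over options and posts. The in-memory sqlite fixture is constructed for the demo and stands in for the site’s real MySQL tables; the expected URL and the known-admin set are assumptions you supply.

```python
import re
import sqlite3

SCRIPT_RE = re.compile(r"<script|<iframe", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # long base64-looking runs in option values
def audit_database(conn, expected_url, known_admins):
    """Run the section 7 checks; return a list of (table, key, reason) findings."""
    findings, cur = [], conn.cursor()
    # wp_users: WordPress stores roles in wp_usermeta under wp_capabilities (serialised PHP array).
    for (login,) in cur.execute(
            "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
            "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'"):
        if login not in known_admins:
            findings.append(("wp_users", login, "administrator you did not create"))
    # wp_options: siteurl and home must still point at your own site.
    for name in ("siteurl", "home"):
        row = cur.execute("SELECT option_value FROM wp_options WHERE option_name = ?", (name,)).fetchone()
        value = row[0] if row else None
        if value is None or value.rstrip("/") != expected_url.rstrip("/"):
            findings.append(("wp_options", name, f"unexpected value {value!r}"))
    for name, value in cur.execute("SELECT option_name, option_value FROM wp_options"):
        if SCRIPT_RE.search(value):
            findings.append(("wp_options", name, "script/iframe tag in option value"))
        elif BASE64_RE.search(value):
            findings.append(("wp_options", name, "long base64-looking string in option value"))
    # wp_posts: the LIKE query from the text, extended to hidden iframes.
    for (pid,) in cur.execute("SELECT ID FROM wp_posts WHERE post_content LIKE '%<script%' "
                              "OR post_content LIKE '%<iframe%'"):
        findings.append(("wp_posts", pid, "script/iframe tag in post_content"))
    return findings

def build_sample_db():
    """Constructed fixture: an in-memory sqlite stand-in for the WordPress tables (the real site uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_content TEXT);
        INSERT INTO wp_users VALUES (1, 'owner'), (2, 'wp_support');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
                                       (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_options VALUES ('siteurl', 'https://example.com'), ('blogname', 'My Shop'),
            ('home', 'https://redirect.example.net'),
            ('widget_text', '<script src="https://bad.example.net/x.js"></script>');
        INSERT INTO wp_posts VALUES (10, '<p>Hello world</p>'),
            (11, '<p>Sale</p><iframe src="https://bad.example.net" style="display:none"></iframe>');
    """)
    return conn
```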

8. Server Access Logs

If you have access to raw server logs (usually in cPanel under Metrics → Raw Access), look for:

This is more advanced, but it can show you exactly how attackers got in and what they accessed.
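The access log is where the file rules from section 6 become visible as traffic, so here is an added example (not from the post) that parses combined-format log lines, the layout cPanel’s raw access logs use, and flags any request for a PHP file under uploads plus POSTs to PHP files that are not standard WordPress entry points. The log lines are constructed for the demo and KNOWN_PHP is an assumed allow-list you would adjust for your own install.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# PHP entry points a normal visitor or WordPress itself POSTs to; anything else deserves a look.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
             "/wp-comments-post.php"}

def flag_requests(lines):
    """Return (ip, method, path, reason) for requests that break the section 6 file rules."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep going rather than stop mid-log
        path = m["path"].split("?", 1)[0]
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            findings.append((m["ip"], m["method"], path, "PHP executed from uploads"))
        elif (m["method"] == "POST" and path.endswith(".php")
              and path not in KNOWN_PHP and not path.startswith("/wp-admin/")):
            findings.append((m["ip"], m["method"], path, "POST to non-standard PHP file"))
    return findings

def suspicious_ips(findings):
    """Count flagged requests per source address so the noisiest one stands out."""
    return Counter(ip for ip, _, _, _ in findings)

# Constructed sample: two normal visits, one address hitting the file names from section 6, one clean image fetch.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:09:14:22 +0000] "POST /wp-content/uploads/2024/05/wp-feed.php HTTP/1.1" 200 14 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:09:14:40 +0000] "POST /8xjf7.php?c=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2024:09:15:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
"""
```

Feed the real log in with flag_requests(open(path).read().splitlines()); the first flagged timestamp for an address is usually the moment of entry the text refers to.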

What Different Hacks Look Like

SEO Spam Hack

Malware/Drive-by Download

Pharma Hack

Backdoor

Credit Card Skimmer (e-commerce)

Quick Self-Check Routine

Run through this monthly:

  1. Google site:yourdomain.com – any weird pages?
  2. Visit your site from mobile – any redirects?
  3. Check Google Search Console for security issues
  4. Run Sucuri SiteCheck
  5. Check WordPress Users list
  6. Look at file modification dates
  7. Verify no PHP files in uploads folder

Takes ten minutes and catches most issues early.

Already Found Something?

If you’ve confirmed a hack:

  1. Don’t delete everything immediately – you’ll destroy evidence of how they got in
  2. Take your site offline if possible (maintenance mode or password protect)
  3. Change all passwords: WordPress, hosting, FTP, database
  4. Document what you find
  5. Check backups – when was the last clean one?
  6. Either restore from clean backup or manually clean the infection
  7. Update everything after cleaning
  8. Submit for review in Search Console if you’re blacklisted

If it’s beyond your skills, professional cleanup services from Sucuri or Wordfence run £150-300. Worth it for business sites where downtime costs money.


The key is catching hacks early. Most site owners only discover issues when Google flags them or their hosting shuts them down. By then, damage is done – to your SEO, your reputation, and potentially your visitors.

Check your site regularly. The signs are there if you know where to look.