Is My Site Hacked?

It’s a day every website owner fears. You open the website you’ve poured your time, energy, and money into, only to find your home page looking very different.

Defaced websites
Example of a defaced website

After your stomach sinks and you take a long gasp, you’ll likely shout out in frustration, “My site has been hacked! What do I do!?”

DevOps Connect:DevSecOps @ RSAC 2022

But not every website hack will be this obvious. While some hackers are motivated by vandalism, most want to keep a low profile. By doing this, they can exploit your site’s good standing by injecting spam, redirect visitors to scam sites, and steal your customers’ credit card information. Hackers can also use a compromised website to distribute malware, attack other sites, and send spam emails.

The hackers are hoping you won’t notice what they’ve done to your site. But with a couple tips, we can help you know what kind of hack you’re dealing with, and how to take care of it.

How to check if my site is hacked

There are several options for finding out if your site is hacked. You’ll want to start by being familiar with your website’s functionality, and take note if anything is amiss. It is also helpful to listen to your visitors if they report anything odd.

Some dead giveaways of a website hack may include redirected traffic and unexpected popups. If you or your visitors observe this behavior, it is likely you were hacked. However, you’ll need to verify that it is not a problem specific to you or the visitor’s browser.

To do this, you’ll need to check your site for spam keywords. Open up Google and search for your website. If you see keywords for topics like pharmaceuticals or designer watches, and you didn’t put them there, then your site is hacked.

Example of pharma spam
Example of pharma spam

Notice how Google’s results in that screen capture note says,

“This site may be hacked?”

If you see that in your results, it means your site was compromised long enough that Google has blacklisted it. We’ll talk a bit more about that later.

In the meantime, you’re probably thinking, “If Google says my site is hacked, how do I find out how to fix it?” Well, the next step is identifying exactly what kind of a website hack you’re dealing with.

You can scan your site with Sucuri’s free SiteCheck tool. It is a remote scanner that will take a deep look at your website from the outside to detect malware infections, as well as other issues affecting your website security.

While SiteCheck can detect many types of malware in public-facing website applications, it will not be able to detect any malware that hackers have installed and kept hidden behind the scenes on your server. For a more complete website scan, you will need to use a server-side scanner.

Google says my site has been hacked. Now what?

When Google says your site has been hacked, it means they have blacklisted it. Google will mark your site as hacked and inform any visitors of the problem with a splash page when visitors arrive.

Example of a blacklisted page warning
Example of a blacklisted page warning

Having a blacklisted website can be devastating. Blacklisted websites can lose up to 95% of organic traffic. The warning messages will cause significant damage to your site’s reputation. As a result, you’ll want to get your site cleaned, and then request that Google remove the blacklist warnings.

However, Google is not the only blacklisting authority. There are several authorities that will blacklist hacked websites, including McAfee, Norton, and Spamhaus. You’ll also want to check with each of them to see how widespread your website’s blacklist has become. This can be a bit more legwork, so you may consider using the blacklist removal feature of Sucuri’s website security platform to streamline the process.

How to clean up my hacked site and protect it

When hackers infect your site, you have two options: clean it up yourself or bring in a professional. You’ll want to consider your level of skill before deciding on which route to take.

A DIY cleanup may require altering code to core files of your website’s content management system (CMS) and your database. Incorrect code may cause your website to stop functioning. If at any point you feel uncomfortable about the process, it is best to call in a professional for help.

To clean up your hacked website yourself, you’ll need to complete these steps. For further details, check out our Hacked Website Guide:

    • Back up everything first! – Because modifying the code in your CMS or database can cause damage if you make any mistakes, a backup is crucial for reverting any changes. You can store the contents of your site as a ZIP file – but do not store the file on your web server.
    • Locate the malware – Figuring out what you need to clean when your website is hacked can be tricky. Hackers can insert malicious code in many different places, including core files, themes, plugins, your database, advertising networks, or the server itself. You’ll need to check the integrity of all files and your server to determine what needs cleaned.
    • Remove malicious code and files – Once you detect the malware, you’ll need to remove it. This entails replacing any affected files with clean versions from a backup or deleting any malicious code. After each change you make, test your website to make sure it is still functioning.
    • Remove backdoors – On top of the malicious code, hackers also leave methods for reinfection. We call these “backdoors,” and hackers are finding new methods to implement them all the time. In most cases, backdoors are files, such as a secret uploader, or a script that can run any PHP code the attacker provides. Check which files were recently modified on your server and logs to see if there are any strange files accessed from unfamiliar IP addresses. Assess all your users with edit access to the site and remove any you don’t recognize.
    • Remove site from blacklists – The website will need to be removed from any sites that have it blacklisted. You will have to contact each authority and request a review from them.
    • Update software / patching – Vulnerabilities need to be patched and all software updated. If login credentials were compromised, then those need to be updated in order to protect the website going forward.



Hackers create new types of backdoors all the time, so finding them may be difficult. Yet it is imperative to find them all, as leaving any behind will allow the hackers to reinfect your site.

If you’re feeling unsure of your ability to find everything the hackers may have left behind, you may want to go with a professional cleanup. Sucuri’s team of researchers are up to date on the latest vulnerabilities and malware families, including new backdoor types.


Dealing with a hack is rough for any website owner. But don’t panic! You can get your website back up and running safely, whether you do it yourself or get help.

But once your site is cleaned, you’ll want to keep it that way. Our website security solutions can help keep the hackers away and give you more time to focus on delivering quality content to your visitors.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Justin Channell. Read the original post at: