AuraWatch

How to tell if your website has been hacked

Five fast signs your website is compromised, what to check in the next 30 minutes, and how to handle the first 24 hours without making it worse.

A small business website can be hacked for weeks before the owner notices. The attacker is usually not interested in defacing your homepage — that draws attention. Modern intrusions are quieter: an injected script that steals credit-card numbers from your checkout, a hidden page that ranks in Google for spam, a webshell that lets someone in whenever they want.

Most signs are easy to spot once you know what to look for. This article walks through the five fastest checks, what to do in the first 24 hours, and how to avoid the most common mistakes.

What are the signs that a website has been hacked?

Five things to look for, in order of how easy they are to miss:

  1. Browser warnings on your own site. If Chrome, Firefox, or Edge starts showing a “Deceptive site ahead” or “Dangerous content” warning when you visit your own domain, Google Safe Browsing has already flagged something. Don’t dismiss it — it’s almost certainly real.
  2. Sudden traffic drops in Search Console. A 50% overnight drop in organic traffic without a Google update is a red flag. So is a sudden spike in indexed pages you don’t recognise.
  3. Login attempts from countries you don’t operate in. If your CMS admin shows logins from another continent, the password is compromised.
  4. Unfamiliar admin users. Open the user list. Anyone you don’t recognise is a problem. Attackers often add a second admin account so they can come back after you change the original password.
  5. New files in your webroot. PHP files with random names, image files that don’t decode as images, .htaccess rules you didn’t add. Most webshells live in plain sight in the wrong file.

If any of these are present, treat the site as compromised. Don’t wait for a sixth sign.
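One way to automate sign 5, as an added example (not code from the original article or from AuraWatch): it walks a webroot and flags image files whose header bytes do not match their extension, image files containing PHP, and script or .htaccess files changed since a cutoff. The reason labels, the watched extensions and the sample files are assumptions made for illustration.

```python
import os

# Well-known file signatures for common web image types.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: file types worth flagging when they changed recently.
WATCHED = {".php", ".phtml", ".phar", ".htaccess"}

def scan_webroot(root, since_epoch):
    """Return sorted (reason, relative_path) findings for files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower() or name.lower()  # ".htaccess" has no ext
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # only the first 1 MiB is inspected
                mtime = os.path.getmtime(path)
            except OSError:
                findings.append(("unreadable", rel))
                continue
            if ext in IMAGE_MAGIC:
                if not data.startswith(IMAGE_MAGIC[ext]):  # header check, not a full decode
                    findings.append(("bad-image-header", rel))
                if b"<?php" in data.lower():
                    findings.append(("php-inside-image", rel))
            elif ext in WATCHED and mtime >= since_epoch:
                findings.append(("changed-recently", rel))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile, time
    with tempfile.TemporaryDirectory() as root:  # constructed sample webroot
        samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
                   "uploads/cat.jpg": b"<?php /* placeholder */ ?>",
                   "x7f3a9.php": b"<?php /* placeholder */ ?>"}
        for rel, body in samples.items():
            target = os.path.join(root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(body)
        for finding in scan_webroot(root, time.time() - 86400):
            print(finding)
```

Run it against the snapshot copy rather than the live server, with the cutoff set to the date of your last deliberate change.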

How do I check if my website is hacked?

There are three quick checks anyone can run, even without technical skills.

1. Run a free public scanner. Sucuri SiteCheck and VirusTotal URL scanner both check your site against malware and blocklist databases. Free, no signup, takes about 30 seconds. They miss things, but if either one flags you, you’re hacked.

2. Check Google Search Console. Sign in, go to Security & Manual Actions → Security Issues. If Google has spotted anything — injected content, hacked URLs, malicious downloads — it’s listed there with details. (If you don’t have Search Console set up, today is the day.)

3. View source on your homepage. Right-click → View Page Source. Skim for <script> tags loading from domains you don’t recognise, especially anything with random characters in the URL or domains hosted on free services. Attackers love loading their payload from script.js on a domain registered last Tuesday.
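The view-source check above can be scripted. This added example (not part of the original article) extracts every script source from a saved copy of the page and lists the hosts that are neither your own domain nor on a list you recognise; the sample page and all host names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def unknown_script_hosts(html, page_url, known_hosts):
    """Return sorted script hosts that are not the page's own host or in known_hosts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {h.lower() for h in known_hosts} | {urlparse(page_url).hostname}
    found = set()
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host/... URLs.
        host = urlparse(urljoin(page_url, src)).hostname
        if host and host not in allowed:
            found.add(host)
    return sorted(found)

# Constructed sample page; every host here is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.known.example/lib.min.js"></script>
<script src="//x9k2q.unknown.example/script.js"></script>
<SCRIPT SRC="https://Stats.Unknown.example/t.js" async></SCRIPT>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for host in unknown_script_hosts(SAMPLE_HTML, "https://shop.example/",
                                     {"cdn.known.example"}):
        print("unrecognised script host:", host)
```

It only sees script tags present in the HTML you feed it, so scripts injected at runtime by other scripts will not appear.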

For a deeper check, a continuous scanner like AuraWatch runs the same checks security professionals run against your site on a schedule and tells you what changed since last time — which is how you catch quiet, persistent compromises that one-off scans miss.

What should I do in the first 24 hours?

In rough order. Move fast, don’t panic.

  1. Take a snapshot before you change anything. Download a full copy of the site and the database, with timestamps. You’ll need it for forensics, for restoring later, and for your insurer. When you later take a snapshot of the cleaned site, don’t overwrite this one.
  2. Change every password. CMS admin, FTP/SFTP, hosting control panel, and any email accounts that share the password. Use a password manager so you can use long, unique strings.
  3. Pull the site offline if you take payments. A maintenance page is far better than a continuing leak of customer data. Talk to your payment processor — Stripe, Square, Worldpay, your POS provider — about whether they need to be informed.
  4. Patch what’s outdated. WordPress core, every plugin, every theme. Same for Drupal, Joomla, Magento, anything else. Most compromises start with a known vulnerability in something that hadn’t been updated.
  5. Restore from a known-good backup. If you have one from before the compromise, use it. If not, a clean reinstall of the CMS plus your last good content export is faster than trying to clean a hacked site by hand.
  6. Reset CMS user accounts. Delete any admin you don’t recognise. Force-reset passwords on the rest.
  7. Check your DNS. Attackers sometimes add MX records or subdomain entries you didn’t make. Compare against your last known-good config.
  8. Tell the people who need to know. Your customers if their data was exposed (in many jurisdictions this is a legal requirement, not a courtesy), your insurer, your domain registrar if you suspect domain theft, possibly law enforcement.
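For step 7, an added example (not from the original article) that compares a saved known-good DNS export with the current one and reports records and names that were not there before. It assumes both exports are plain text with one record per line in `name [ttl] [IN] TYPE value` form with full owner names; all domains and addresses below are constructed placeholders.

```python
def parse_records(zone_text):
    """Parse one-record-per-line zone text into a set of (name, type, value)."""
    records = set()
    for raw in zone_text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in ";$":  # skip blanks, comments, directives
            continue
        name, rest = fields[0].lower().rstrip("."), fields[1:]
        # TTL and class are ignored so a TTL change alone is not reported.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, value = rest[0].upper(), " ".join(rest[1:])
        if rtype != "TXT":  # TXT data is case-sensitive, host names are not
            value = value.lower().rstrip(".")
        records.add((name, rtype, value))
    return records

def dns_drift(baseline_text, current_text):
    """Report records added or removed, and owner names absent from the baseline."""
    base, cur = parse_records(baseline_text), parse_records(current_text)
    base_names = {name for name, _type, _value in base}
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "new_names": sorted({n for n, _t, _v in cur - base} - base_names),
    }

# Constructed exports for illustration.
BASELINE = """\
example.test.       3600 IN A     192.0.2.10
www.example.test.   3600 IN CNAME example.test.
example.test.       3600 IN MX    10 mail.example.test.
"""
CURRENT = """\
example.test.       300  IN A     192.0.2.10
www.example.test.   3600 IN CNAME example.test.
example.test.       3600 IN MX    10 mail.example.test.
example.test.       3600 IN MX    5 mx.other.test.
promo.example.test. 300  IN A     198.51.100.7
"""

if __name__ == "__main__":
    for kind, items in dns_drift(BASELINE, CURRENT).items():
        print(kind, items)
```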

Things not to do:

  • Don’t pay a ransom without talking to law enforcement and your insurer first.
  • Don’t try to “find the hacker” or send angry emails — you don’t know who they are, and you might tip off someone with more access than you realise.
  • Don’t try to fix the live site in place. You’ll miss things.

How do I stop it happening again?

Three habits cover 90% of small-business website compromises:

  1. Patch on a schedule. Every plugin, every theme, every CMS — updated within 30 days of release. Better still, 7 days for critical security patches. A continuous scanner will tell you when you’re behind.
  2. Use long, unique passwords plus 2FA on every admin account. A password manager makes this painless. 2FA on the CMS admin is the single most effective control you can add.
  3. Run continuous monitoring. A weekly external scan picks up new vulnerabilities, expired certificates, new exposed admin URLs, and content changes you didn’t make. Free scanners give you a snapshot; continuous monitoring tells you when something changes between snapshots, which is when most attacks become visible.

Helpful follow-on reading:

If your business takes payments online or holds customer information, see how we protect restaurant websites, accountancy firms, or law firms.

Try AuraWatch free.

Continuous web security and performance monitoring with plain-English findings. One target, weekly scans, no card.