All articles
No. 06 Security

How to Tell If Your Website Has Been Hacked: 9 Warning Signs

Most hacked websites don't look hacked. The nine warning signs of a compromised site, how to confirm it, what to do right now, and the external checks that catch the next one in minutes.

Sentinel Team

rootstuff

7 min read

Most hacked websites don't look hacked. Attackers who want your traffic, your SEO authority, or your server resources work hard to stay invisible, and the average compromise goes unnoticed for weeks. By the time Google flags your site or a customer emails "why does your homepage redirect to a casino?", the damage to rankings and trust is already done. This guide covers the warning signs that a site has been compromised, how to confirm it, and how to set up monitoring so the next one is caught in minutes instead of weeks.

The Warning Signs, From Obvious to Subtle

Some compromises announce themselves. Most don't. Watch for:

  • Defaced or altered pages. The classic sign: your homepage replaced with someone else's message. Full website defacement is rarer now than quiet tampering, but it still happens, and every minute it stays up costs trust.
  • Unexpected redirects. Your URL loads, then bounces visitors to a pharmacy, casino, or "you won a prize" page. Redirects are often cloaked to fire only for search traffic or mobile users, so the site can look fine when you check it yourself.
  • Browser and search warnings. Chrome showing "The site ahead contains malware", or Google search results labeling your site "This site may be hacked". By this point Google's crawlers found the infection before you did.
  • SEO spam you didn't write. Search your own site with site:yourdomain.com and look for pages you don't recognize: pharmaceutical keywords, knock-off brand names, or pages in a language you never published. This "SEO spam" hack is one of the most common and quietest.
  • New admin users or changed credentials. An administrator account you didn't create, or a password that suddenly stops working.
  • DNS records that changed without you. DNS hijacking points your domain at a server the attacker controls. Your site is "up", it just isn't yours anymore.
  • SSL certificate changes. A certificate issued by an unfamiliar authority or with unexpected details can mean someone is intercepting your traffic.
  • Traffic and resource anomalies. A sudden crash in organic traffic (Google quietly de-ranking an infected site), or your host warning about CPU and bandwidth spikes because your server is now sending spam or mining crypto.
  • Email suddenly going to spam. If your domain lands on a blocklist because a script on your server is sending junk, deliverability collapses across the board.

How to Confirm a Compromise

Before tearing things apart, verify. Check the site from a different network and device, and as a search engine sees it (cloaked malware often hides from logged-in admins). Run the domain through Google Safe Browsing's site status checker. Review recent file changes on the server, look at your user list, and check DNS records against what you know they should be. If you manage the site for a client, capture screenshots and timestamps before you fix anything; you will want the record.

What to Do Right Now

If you have confirmed a hack, the order of operations matters:

  • Contain. Put the site in maintenance mode or take it offline so visitors stop being served malware.
  • Rotate everything. Hosting, CMS admin, database, FTP/SSH, and registrar passwords, plus API keys. Assume all of them are burned.
  • Restore from a clean backup, then patch: update the CMS, plugins and themes, and remove anything unused. Most compromises come through a known, unpatched vulnerability.
  • Request review. Once clean, use Google Search Console to request removal of the "hacked site" flag, and check blocklists your domain may have landed on.
  • Write down what happened. A short incident writeup turns a bad week into a checklist that makes the next incident shorter.

Why External Monitoring Catches Hacks Faster Than You Will

Almost every sign above is visible from outside the site, which means automated checks can watch for them around the clock:

  • Keyword and content checks assert that a page still contains what it should (your brand name, a known headline) and alert the moment it doesn't. This catches defacement and many redirect hacks on the next check instead of next month. That is exactly what keyword monitoring is for.
  • DNS monitoring records your DNS history and alerts on unauthorized record changes, the fingerprint of a hijack.
  • SSL monitoring flags certificate changes and expirations before browsers scare off your visitors.
  • Uptime checks from multiple regions catch the crashes and slowdowns that often accompany a compromised server.

None of this replaces good security hygiene, but hygiene doesn't tell you when something slipped through. Detection time is the difference between a quiet fix and a de-ranked domain.

Where Sentinel Fits

Sentinel watches the outside of your site for the signs a hack leaves behind: keyword checks that alert when expected content disappears or unexpected content shows up, DNS monitoring with change history for spotting hijacks, SSL certificate monitoring for unexpected certificate changes, and multi-region uptime checks for the outages that follow a compromise. Alerts go to email, SMS, or Slack, so a 3am defacement is fixed before your clients wake up. The free plan needs no credit card, so you can add your first monitor and have these checks running in a few minutes.

Found this useful? Share it

Want to learn more?

Explore our documentation or start monitoring your websites today.