How to Find Out if Your Website is Hacked?

The work on your website does not stop at its launch, you’re also responsible for its continuous maintenance and that includes securing it from hacking. While most website owners rely on their web host to keep their site secure, vulnerabilities in your website’s code will leave you exposed to the actions of malicious users irrespective of your host’s foresight regarding security. You may believe that your site is too small to count, or that it doesn’t present an interest for hackers, however, this approach does no longer operate – hacking carried out through bots doesn’t necessarily discriminate according to a website’s importance. Therefore, your website doesn’t have to count as important to be exploited by hackers, it just has to present certain vulnerabilities that are specifically targeted by bots.

Sometimes, having your website hacked does not always manifest itself immediately or in an obvious way, so knowing how to check if your site has been hacked can help you identify the problem much sooner and find solutions before any damage occurs.

Ways to find out if your website is hacked:

If you suspect that your website has been hacked, you can take the following measures to check for sure:

Run a malware or virus scan

Reputable web hosting companies have virus scanners built into their control panel. You can use these scanners to scan your website for hacked files. If your hosting company doesn’t have a free scanner tool, there are a number of security tools on the internet like Sucuri or Wordfence. Free scanner tools are not perfect, nor 100% accurate, but they can still give you an idea about whether your site has fallen prey to hacking. Good malware scan tools will present you with a list of malware URLs or hacked pages if your website was hacked.

Monitor site traffic

When monitoring your site traffic, look for traffic spikes in particular. Hacked sites will often experience significant spikes in website traffic. WordPress users will often see an increase in spam comments, other websites will notice an increase in visitors from certain foreign countries. Use website analytics tools to track and monitor these changes. Clicky, Wordfence, Google Analytics can all be helpful in identifying suspicious traffic on your website, and provide valuable insight to details such as where your visitors originate from, their county, language and what pages they visited on your website. Analytics tools are also a useful way to understand your website traffic and optimize your site accordingly. Don’t be afraid to look into the logs provided by your hosting company, as most of the bots that will try to hack your site do not execute or run any JavaScript, and most analytic tools are JavaScript dependent. If you see that some page URLs are accessed excessively e.g. news.php, but they do not show up as much in other analytic tools, this could signal that the page is hit by some automated tool, which might turn out to be harmful.

Use Google Webmaster Tools (Google Search Console)

Google Search Console (formerly known as Google Webmaster Tools) offers a suite of useful tools to website owners. This free service helps website owners monitor their website’s presence in search results and provides useful stats about site visits. If you haven’t signed up for Google Search Console yet, you should absolutely do so if you own a site. You should also enable email alerts in “Search Console Preferences”, thus, you will be informed about problems that Google may detect while indexing your site. This includes sending alerts if your site is infected with malware. This will enable you to fix any problems before Google starts flagging your site as hacked or harmful and starts displaying warning messages about it in search results (e.g. “This site may be hacked” or “This site may harm your computer”).

Inspect your PHP files

A significant number of hacks are due to vulnerable PHP code. Maintaining a tidy file structure that you understand, will make it easier for you to analyze your PHP files and detect hacked files. You can use an FTP program to analyze your files and spot any suspicious files or folders. You can also use source code scanners that will inspect your files for malware patters and let you know if it detects any malware. It’s also advisable to check your .htaccess file for anything suspicious.

Website security best practices

Taking up an active role in your website’s security can go a long way in preventing vulnerabilities that can leave you exposed to hacking attempts. Here are some website security best practices that you can implement to better secure your website against hacking:

Keep things updated

If you’re using an open-source content management system like WordPress, make sure to keep it updated. Same goes for plugins and themes that you use on your site. Developers of plugins and themes will often release updated versions of their products that contain security fixes, so updating these is a critical step that you can take in increasing your website’s security.

Rely on specialized security software

Whether it’s a WordPress security plugin, a malware or virus scanner, a code scanner or website monitoring service, consider investing in services that keep hackers at bay. There are many security services, plugins and web application firewalls like Wordfence or Incapsula that can offer a comprehensive level of security for your site. If your web host supports any type of WAF (Web Application Firewall) you should definitely use it, it will take some time until the WAF learns the normal flow of your websites, but after that you can have a pretty effective generic security solution, which will even catch future attacks, not only the currently known ones. An example of a great and free WAF would be mod_security for example.

Change passwords often

Don’t rely on weak passwords and try to change your password every few months or so. Weak passwords are one of the easiest targets for hackers, so make sure to choose a strong passphrase instead of a simple password.

Proactively monitor your site

Some of the ways to discover whether your site has been hacked are also ways to proactively monitor the security of your site. This includes signing up for Google Search Console email alerts, looking for your site in search results to see if it has been flagged by Google, monitoring website traffic, routinely running scanning software, etc.


At first, maintaining a hack-free website may seem like hard work, but once you develop a good routine, you’ll be able to detect problems in due time and fix them before any extensive damage occurs. It’s better to take a proactive approach to website security than a reactive approach, when things may become too difficult for you to handle, or too expensive to fix. Hopefully our article has managed to raise awareness about the approach you should take to website security and how to go about maintaining a hack-free website.


David Cross

David is the chief editor at WebHostingMedia right from the beginning. He has a great passion for building and managing websites and creating helpful content. He is also interested in programming - currently learning python.