Editorial: This post was last updated June 21st, 2022
It’s a day every website owner fears. You open the website you’ve poured your time, energy, and money into, only to find your home page looking very different.
After your stomach sinks and you take a long gasp, you’ll likely shout out in frustration, “My website is hacked! What do I do!?”
But not every website hack will be this obvious. While some hackers are motivated by vandalism, most want to keep a low profile. By doing this, they can exploit your site’s good standing by injecting spam, redirect visitors to scam sites, and steal your customers’ credit card information. Hackers can also use a compromised website to distribute malware, attack other sites, and send spam emails.
The hackers are hoping you won’t notice what they’ve done to your site. But with a couple tips, we can help you know what kind of hack you’re dealing with, and how to take care of it.
How to check if a site has been hacked
There are several ways to check if your website has been hacked. You’ll want to start by being familiar with your website’s functionality, and take note if anything is amiss. It is also helpful to listen to your visitors if they report anything odd.
Some signs you’ve been hacked may include redirected traffic and unexpected popups. If you or your visitors observe this behavior, it is likely you were hacked. However, you’ll need to verify that it is not a problem specific to you or the visitor’s browser.
1. Website warnings in your favorite browser
If your browser is displaying a warning when you try to view your website, changes are you’ve been hacked. It may also indicate that you’ve been blacklisted by a known authority like Google.
2. Notifications in Google Search Console
Linking your domain to Google Search Console will ensure you receive important notifications — including notices to let you know if a hack has been detected. Check the Security Issues report to identify if Google has detected malicious behavior.
3. Slow or unresponsive website pages
Some types of malware are resource hogs. Navigate through your website or check analytics to investigate whether any pages have suddenly become slow to load or unresponsive.
4. Unwanted redirects or ads
Loads of hackers inject malicious redirects to send your site traffic to spam or phishing pages. This allows them to hijack your visitors and improve their own SEO. If you or your visitors are being redirected to ads or scam pages, it’s a sure sign of an infection.
5. Can’t log in to admin panel
An attacker might remove CMS admins and other users to prevent access. If you’re suddenly unable to log in, try resetting your password. If you still can’t access your admin panel, your user account may have been deleted.
6. Using Google to check for site hacks
You can use Google to see if your website has been hacked by checking your site for spam keywords. Open up Google and search for your website. If you see keywords for topics like pharmaceuticals or designer watches, and you didn’t put them there, then your site is hacked.
Notice how Google’s results in that screen capture note says,
“This site may be hacked?”
If you see that in your results, it means your site was compromised long enough that Google has blacklisted it. We’ll talk a bit more about that later.
In the meantime, you’re probably thinking, “If Google says my site is hacked, how do I find out how to fix it?” Well, the next step is identifying exactly what kind of a website hack you’re dealing with.
7. Scan your site remotely with SiteCheck
You can scan your site with Sucuri’s free SiteCheck tool. It is a remote scanner that will take a deep look at your website from the outside to detect malware infections, as well as other issues affecting your website security.
While SiteCheck can detect many types of malware in public-facing website applications, it will not be able to detect any malware that hackers have installed and kept hidden behind the scenes on your server. For a more complete website scan, you will need to use a server-side scanner.
Google says my site has been hacked. Now what?
When Google says your site has been hacked, it means they have blacklisted it. Google will mark your site as hacked and inform any visitors of the problem with a splash page when visitors arrive.
Having a blacklisted website can be devastating. Blacklisted websites can lose up to 95% of organic traffic. The warning messages will cause significant damage to your site’s reputation. As a result, you’ll want to get your site cleaned, and then request that Google remove the blacklist warnings.
However, Google is not the only blacklisting authority. There are several authorities that will blacklist hacked websites, including McAfee, Norton, and Spamhaus. You’ll also want to check with each of them to see how widespread your website’s blacklist has become. This can be a bit more legwork, so you may consider using the blacklist removal feature of Sucuri’s website security platform to streamline the process.
How to clean up a hacked site and protect it
When hackers infect your site, you have two options: clean it up yourself or bring in a professional. You’ll want to consider your level of skill before deciding on which route to take.
A DIY cleanup may require altering code to core files of your website’s content management system (CMS) and your database. Incorrect code may cause your website to stop functioning. If at any point you feel uncomfortable about the process, it is best to call in a professional for help.
To clean up your hacked website yourself, you’ll need to complete these steps. For further details, check out our Hacked Website Guide:
Back up everything first!
Because modifying the code in your CMS or database can cause damage if you make any mistakes, a backup is crucial for reverting any changes. You can store the contents of your site as a ZIP file – but do not store the file on your web server.
Locate the malware
Figuring out what you need to clean when your website is hacked can be tricky. Hackers can insert malicious code in many different places, including core files, themes, plugins, your database, advertising networks, or the server itself. You’ll need to check the integrity of all files and your server to determine what needs cleaned.
Remove malicious code and files
Once you detect the malware, you’ll need to remove it. This entails replacing any affected files with clean versions from a backup or deleting any malicious code. After each change you make, test your website to make sure it is still functioning.
On top of the malicious code, hackers also leave methods for reinfection. We call these “backdoors,” and hackers are finding new methods to implement them all the time. In most cases, backdoors are files, such as a secret uploader, or a script that can run any PHP code the attacker provides. Check which files were recently modified on your server and logs to see if there are any strange files accessed from unfamiliar IP addresses. Assess all your users with edit access to the site and remove any you don’t recognize.
Remove site from blacklists
The website will need to be removed from any sites that have it blacklisted. You will have to contact each authority and request a review from them.
Update software / patching
Vulnerabilities need to be patched and all software updated. If login credentials were compromised, then those need to be updated in order to protect the website going forward.
Hackers create new types of backdoors all the time, so finding them may be difficult. Yet it is imperative to find them all, as leaving any behind will allow the hackers to reinfect your site.
If you’re feeling unsure of your ability to find everything the hackers may have left behind, you may want to go with a professional cleanup. Sucuri’s team of researchers are up to date on the latest vulnerabilities and malware families, including new backdoor types.
How to prevent being hacked again
There are a number of easy steps you can take to prevent being hacked again.
Set up multifactor authentication
Strengthen your website by enabling two-factor or multifactor authentication. Sucuri’s Website Security Platform includes a feature that helps you easily password protect or implement 2FA on any page of your website.
Use strong credentials and a password manager
Password lists are often used by attackers to brute force websites. By simply using strong, unique passwords for all of your accounts, you can improve the security of your website.
Many modern password managers come with generators, making it easy to create and securely store encrypted passwords for your use.
Keep your software updated
Hackers regularly exploit software vulnerabilities to gain unauthorized access to environments. Software defects make it possible for them to succeed.
Keeping your software up to date can help mitigate a plethora of nasty exploits like cross-site scripting (XSS) attacks, broken access control, insecure deserialization, broken authentication, or other security bugs.
Always keep your website software updated with the latest security patches to mitigate risk and thwart attackers.
Remove unused themes or plugins
You’ll want to assess the security of any plugins and themes currently installed on your website. Review important indicators like install base, user reviews, or ownership changes.
And remember — less is always more when it comes to unused plugins or themes. Even if a plugin or theme is disabled and not actively used on your website, it can still result in a hack.
Learn more about Sucuri’s website hack protection
Dealing with a hack is rough for any website owner. But don’t panic! You can get your website back up and running safely, whether you do it yourself or get help.
But once your site is cleaned, you’ll want to keep it that way. Our website security solutions can help keep the hackers away and give you more time to focus on delivering quality content to your visitors.
Need immediate help? Chat with us now.