Most people have discovered their site is hacked because their browser is alerting them when they visit their own site, or their hosting provider took their site offline. This is disastrous because it means that your site has been infected long enough for the hackers to do damage. The damage they did caused a hosting provider to shut off the site or caused Google to detect that the site is hosting malware, SEO spam or a phishing attack.
This is why we encourage all of our customers to check their website regularly and invest in security for their sites. You can use Wordfence for WordPress websites or one of the many alternative products out there, but it’s important that you have a way to be alerted when your files change, malware is detected or other suspicious activity occurs.
Let’s identify the various ways you can detect or discover that your site has been hacked. The best monitoring tools have a delay between each site check or scan. So you may find that you discover that you have been hacked from an outside source. Let’s review some of the ways you may discover a site you own has been hacked. We are discussing these because they are all sources of data you can use to proactively monitor your site health.
Your Web Browser Alerts You To The Hack
If one of your visitors (or you) see one of the following warnings in Chrome, your site has likely been hacked and infected with malware.
The above warning indicates that your site has been used in phishing campaigns. A victim is emailed a URL that contains a link to your website. A hacker is using your website to host malware that tricks the victim into taking some action that the hacker wants when they visit your site.
The above warning indicates that your site is hosting malware. A hacker has gained access to your site, installed malware on the site and is infecting machines belonging to your site visitors.
Your Hosting Provider Takes Your Site Offline Because it is Hacked
In this case your host may have received reports from site visitors
that your site has been hacked, their own automated security tools may
have alerted them or they may have received alerts from automated
systems outside their own company. In either case, they will usually
immediately take your site offline.
Your host will usually notify you via email that your site has been taken offline.
Google Search Results Flag Your Site as Hacked or Harmful
Google often simply removes hacked sites from search results. But in
some cases the site may still be listed, but will be flagged with a
message saying that “This site may be hacked” or “This site may harm
your computer”. When you click through to the website using Chrome, the
browser will provide one of the warnings above. User’s using a different
browser may receive no warning, which is why the warning is also
included in the search results.
“This site may be hacked” means that Google detected something out of
the ordinary on your site, such as unusual changes to existing pages or
adding new ones with SEO spam or redirects. These sites do not
typically display the standard Google malware warning page.
“This site may harm your computer” means that Google has detected malware on the site and if you visit the site, you do so at your own risk and you will see the Google malware warning if you click through which is meant to alert you that the site is currently unsafe.
Google’s Search Console Alerts you to Malware on Your Site
If you run a website you should immediately set up Google Search Console if you have not already. It will alert you to problems Google may encounter when indexing your site and will provide you with stats showing your site visits via search.
Search Console can email you alerts about your site including if it
detects that your site is infected with malware. Go to “Search Console
Preferences” and enable email alerts there. This will notify you
immediately when Google detects malware on your site and you may be able
to fix the problem before they start displaying warnings.
If you are signed-in to Search Console, visit the “Security Issues” panel and if you see a warning similar to the one below, it indicates that your site is infected.
Your Malware Scanner Alerts you to an Infection or Hack
If you’re using Wordfence or another malware scanner, you may receive
an alert that you have been infected. This is the preferred method of
discovering a hack because it usually has the shortest time between
getting infected and discovery.
A Customer Contacts You About Your Site Being Hacked
Your site visitors view your site more often than you do. If you have several thousand visits a day and your site is visibly hacked, it is likely that a customer may contact you before you are alerted or Google detects the hack. Immediately let your customer know that you are taking action. You should also consider taking your site offline.
Proactive Ways To Detect A Hack Before Google or Your Customers Notice
Use a Source Code Scanner
Infections are often well hidden and not visible to outside visitors. You can use a source code malware scanner like Wordfence to detect if your site is hacked. The scanner will systematically inspect all of your PHP and other source code for malware patterns and alert you to the presence of any malware.WebsitePulse provides a service that includes content monitoring as does Pingdom. In general these are paid services, but they can be an effective way to get alerted if you have been hacked within minutes.
Monitor Your Website Traffic and Watch For Spikes
If your site traffic spikes dramatically you should immediately
perform a source code scan and verify that you have not been hacked.
Hacked sites frequently see a dramatic spike in traffic.
One cause of a traffic spike may be that your site is being included
in a spamvertizing campaign. A hacker will send out spam and include a
link to your site which either hosts malware or redirects traffic to
another malicious site. Hackers do this to avoid spam detection. Your
site is a “clean” domain and is not known to host malware when it is
first infected. By including a link to your site instead of their own
known malware hosting site, hackers avoid spam detection. This results
in a dramatic spike in your site traffic.
Analytics, you should also monitor your site traffic for “bot” traffic
which is not usually logged by Google Analytics. You can use Wordfence’s
live traffic feature or another server based traffic monitoring tool.
Your hosting provider may include charts that show server traffic or
Visit your Site Regularly
As a routine, simply visit a few pages on your own site as a sanity check at least once a day.
Use a Remote Scanner
Remote scanners look at the “rendered” version of your website. That
means they look at the HTML that your site produces instead of the site
source code. This may detect a hack if the hacker has chosen to include
malware in the HTML they are serving, to the current site visitor and on
the page that is being viewed.
Hackers will frequently include code that only displays malware to
certain visitors at certain times and matching certain criteria. For
this reason it is possible that a remote scanner will miss an infection
because the malware is simply not active at that time or the infected
code is not displaying the malware to the scanner when the scanner
checks the site. However, remote malware scanners can catch a variety of
unsophisticated infections and it is worth using them as an additional
Here are a few file viewing tools and remote scanners that may help you detect an infection:
- VirusTotal has a URL scanning feature that checks your site response against a huge number of virus databases and will let you know if you triggered any of them.
- SpamHaus maintains various lists. You can use this page to check your site hostname and IP address against the various SpamHaus lists.
- You can use this link to check the status of your site on the Google Safe Browsing list. Simply replace ‘wordfence.com’ at the end of the URL with your site’s own hostname. Don’t forget the ‘www.’ if your site is prefixed with that. The page will tell you if your site is flagged by google for phishing or hosting malware. It will also tell you your site history and what happened when Google last scanned your site.