How to Tell If Your Website Has Been Hacked (10 Warning Signs)
Most hacks stay hidden for weeks. These are the ten warning signs that your website has been compromised — and what to do the moment you notice them.
Most people imagine a website hack as something dramatic and obvious — a skull on the homepage, a “you’ve been hacked” message, everything clearly broken. Occasionally it is that blatant. Far more often, it is quiet. A modern compromise is designed to stay hidden for as long as possible, because the longer it goes unnoticed, the more the attacker gets out of it.
That is what makes early detection so valuable. A hack caught in its first days is usually smaller, cheaper, and simpler to recover from than one that has been quietly spreading for weeks. This guide walks through ten of the clearest warning signs that your website has been compromised, explains what each one tends to mean, and tells you exactly what to do the moment you spot one.
The 10 warning signs your website has been hacked
No single sign is absolute proof on its own, and some have innocent explanations. But if you recognise one — and especially if you recognise several — it is worth taking seriously and investigating properly.
1. Your pages look different or have been defaced
The most obvious sign is visible change you did not make: altered text, strange images, added banners, or a homepage replaced entirely. Defacement is often the work of attackers who want to be seen. If your site suddenly looks wrong and no one on your team changed it, treat it as a compromise until proven otherwise.
2. Browser or search warnings appear next to your site
A red full-screen “Deceptive site ahead” or “dangerous site” warning in the browser, or a “This site may be hacked” label under your listing in Google, is a strong signal that a security system has detected something malicious. These warnings are meant to protect visitors, and they will drive your traffic away fast while they are showing.
3. Unfamiliar pages or foreign-language spam in your search results
Search for your own website and look carefully at the results. Pages you never created — especially in another language, or advertising products you do not sell — are a hallmark of spam injection hacks. You might see a sudden jump from a few dozen indexed pages to thousands. This is one of the most reliable signs precisely because the spam is often hidden on the site itself and only visible in search.
4. Sudden, unexplained changes in your traffic
A steep drop in visitors can mean your rankings have been hit by a hack or a warning. A strange spike — particularly from countries or languages that have nothing to do with your business — can mean spam pages are pulling in traffic that was never really yours. Either pattern, appearing without a clear reason, deserves a closer look.
5. Your site redirects visitors somewhere else
Malicious redirects send your visitors to a different website entirely — often a scam, a store, or a page that tries to install something. These redirects are frequently selective: they may only trigger for visitors arriving from search, or only on mobile phones, so the site looks fine when you test it directly. If customers report being “sent somewhere weird” but you cannot reproduce it, that selectivity is itself a clue.
6. New user accounts or files you did not create
An unfamiliar administrator account, or files and folders that appeared without explanation, can indicate an attacker has given themselves a way in. New admin users are especially serious, because they represent standing access that survives a superficial cleanup. The same goes for an unexpected new verified owner in your Google Search Console.
7. Your host suspends the account or flags malicious files
Hosting providers scan for malware, and when they find it they often act — suspending the account, disabling the site, or emailing you about malicious files. An unexpected message like this from your host is not something to argue with or ignore; it usually means their systems have already detected a real problem.
8. The site becomes slow, unstable, or keeps crashing
Malicious code and mass-generated spam pages consume server resources. If your website has suddenly become sluggish, throws errors, or falls over under normal traffic — with no change on your side to explain it — a compromise is one possible cause worth ruling out, particularly alongside any other sign on this list.
9. Spam is being sent from your domain, or you have been blacklisted
If contacts report spam emails appearing to come from your address, or your legitimate emails suddenly start bouncing or landing in junk folders, your site or server may have been hijacked to send spam. Being added to email blacklists as a result can quietly damage your ability to reach customers long after the fact.
10. Unexpected pop-ups, ads, or injected content
Advertisements, pop-ups, or promotional content you never added — especially for unrelated or dubious products — point to injected code running on your site. As with redirects, this content is often shown only to certain visitors, so a customer’s screenshot may be your first and clearest evidence.
Where to look to confirm a hack
Because so many modern compromises hide from the site owner, knowing where to look is half the battle. If you suspect something is wrong, check these three places. They reveal different kinds of problems, and something that is invisible in one often shows up plainly in another.
1. Your own search results
Search for your website in Google and read the results carefully. Look for pages you never created, titles in another language, a sudden jump in the total number of results, or a “This site may be hacked” label beneath your listing. Because injected spam is so often shown only to search engines, your search listings will frequently reveal a problem that the site itself is hiding from you. This one check, done regularly, catches a large share of real compromises early.
2. Google Search Console
If you have Google Search Console set up for your site, its Security Issues report is one of the most direct ways to confirm a compromise — it shows what Google has detected and roughly where. While you are there, check who is listed as a verified owner; an unfamiliar name is a serious warning that an attacker has given themselves a foothold. If you do not have Search Console yet, setting it up is one of the single most useful things you can do, both for spotting trouble and for recovering from it later.
3. Your hosting account and files
Your hosting provider’s dashboard, and any malware scanning it offers, can flag suspicious files, unexpected changes, or account-level issues. Files with recent modification dates that nobody on your team changed, or files sitting in folders that should be empty, are worth asking about. When you are unsure, your host’s support team can often tell you what their systems have already detected — and whether other sites on the same account are affected too.
The thread running through all three is the same: do not rely on how the site looks in your own browser. Look at how search engines, security systems, and your server see it — because that is exactly where a hidden compromise gives itself away.
Why these signs matter for your business
It is worth being clear about what is actually at stake, because that is what turns “I should probably look into that” into “I need to deal with this now.” A compromised website puts several things at risk at once:
- Customer trust. A visitor who meets a security warning, a redirect to a scam, or spam under your brand may never return — and trust, once lost, is slow to rebuild.
- Search visibility. Hacks that inject spam or trigger warnings can cut your rankings sharply, and the damage often outlasts the cleanup.
- Revenue. Downtime, blocked pages, and lost rankings all translate directly into lost sales and enquiries for as long as the problem persists.
- Data and compliance. If your site handles logins, personal details, or payments, a compromise can put that data at risk and may carry legal reporting obligations.
- Deliverability. A site used to send spam can get your domain blacklisted, undermining even your ordinary business emails.
What to do immediately if you spot a sign
How you react in the first hour matters. The instinct to start deleting things and “just fix it” is understandable, but hasty changes can destroy the evidence needed to understand what happened — and an infection you do not understand is one that tends to come back. Here is a calmer, more effective sequence.
- Do not panic, and do not start deleting at random. Removing files blindly can break the site and hide the real cause without actually solving it.
- Change your passwords from a device you trust. If your own computer might be compromised, changing passwords on it can hand the new ones straight to the attacker. Use a clean device, and update hosting, platform, email, and database passwords.
- Contact your hosting provider. They can tell you what their systems have detected, whether other sites on the account are affected, and what options you have.
- Preserve evidence. Take a backup or snapshot of the current state before changing anything. It captures how the attacker got in and what they did — information that makes a lasting recovery possible.
- Be cautious about transactions. If the site handles payments or sensitive data and you suspect a serious compromise, think carefully about whether it is safe to keep it fully live while you investigate.
- Get an accurate picture before you clean. Understand the scope first — cleaning without understanding is the single most common reason hacks return.
When to contact a professional
Some compromises are minor and can be handled in-house. Others need experienced help, and it is worth knowing the difference so you neither overreact to something small nor underreact to something serious. Consider bringing in a professional when:
- The site has already been cleaned once and the problem came back.
- You cannot work out how the attacker got in, or the infection keeps changing.
- Spam pages or foreign-language content are already indexed in search results.
- Google or your browser is showing a security warning for your site.
- The site handles customer data, logins, or payments.
- Your host has suspended the account, or the same account hosts several sites.
- You simply cannot afford the downtime, or the stress, of getting it wrong.
The common thread is uncertainty and stakes. If you are confident about the cause and the risk is low, a careful in-house cleanup may be fine. If you are unsure how it happened, or the cost of a mistake is high, that is exactly when experienced recovery pays for itself — by fixing the cause once rather than the symptoms repeatedly. For background on how search engines handle hacked sites, Google’s #NoHacked guidance on common hack cases is a reliable, vendor-neutral reference.
A final word
A hacked website is stressful, but noticing the signs early is genuinely good news — it means you have caught the problem while it is still small. The worst outcomes come from compromises that go unseen for months, quietly draining traffic and trust. By knowing what to look for and where to look, you have already given yourself the best possible chance of a quick, clean recovery.
If you have spotted one of these signs and are not sure what you are dealing with, do not guess in the dark. Take the calm first steps above, preserve what you can, and get an accurate picture of what has happened — because a hack you understand is a hack you can actually put behind you.
