Something feels off. Maybe your traffic dropped suddenly. Maybe a customer told you your site looks weird. Maybe Google sent you a warning. Whatever brought you here, you want to know: is my website actually hacked?
Here are 10 signs to check right now — plus a free tool to scan for hidden compromises that you can't see just by visiting your site.
The most obvious sign. If Google displays a warning below your search listing or blocks your site entirely with a red "Deceptive Site" interstitial, you've been flagged. Check Google Search Console > Security Issues immediately.
A sudden, unexplained drop in organic traffic (especially if nothing else changed) often means Google has detected spam on your site and started demoting it. Check your Google Analytics or Search Console for a cliff-edge drop.
Search Google for site:yourdomain.com and scan the results. If you see pages you didn't create — especially pages in foreign languages or about pharmaceuticals, gambling, or adult content — your site has been injected with spam pages.
If clicking on your site from Google takes visitors to a completely different website (often a spam or phishing page), your .htaccess file or theme files have likely been modified to include malicious redirects.
Hosting companies run automated malware scans. If they detected something, they may suspend your account to protect other customers on the shared server. Check your hosting control panel for any alerts or notifications.
If visitors tell you they see pop-ups, redirects, or content you didn't put there, believe them. Some hacks only trigger for certain visitors (like mobile users or people arriving from Google), so you might not see it yourself.
Log into your WordPress admin and check Users > All Users. If there are admin accounts you don't recognize, someone has gained access to your site. Delete them immediately and change all passwords.
Check your .htaccess file, wp-config.php, and your theme's functions.php. If they've been modified recently and you didn't do it, look for suspicious code — especially Base64-encoded strings, eval() calls, or PHP code that checks the User-Agent string.
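One way to run the file check described above, as an added example rather than code from this article or its scanner: a Python script that flags the three indicators just named (eval() calls, Base64 strings, User-Agent checks) in .htaccess, wp-config.php and functions.php under a local copy of the site. The function names, the 120-character Base64 threshold, the 30-day "recent" window and the sample snippet are assumptions chosen for illustration.

```python
import re
import sys
import time
from pathlib import Path

# Indicators named in the paragraph above. A hit means "review this line by hand",
# not proof of compromise: legitimate plugins and themes sometimes use these too.
PATTERNS = {
    "eval-call": re.compile(r"\beval\s*\(", re.I),
    "base64-decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "long-base64-string": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),  # threshold is an assumption
    "user-agent-check": re.compile(r"HTTP_USER_AGENT", re.I),
}
TARGETS = (".htaccess", "wp-config.php", "functions.php")

def scan_text(text):
    """Return (line_number, indicator) pairs for one file's contents, in line order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, name))
    return hits

def scan_site(root, recent_days=30):
    """Scan the target files under root; record hits and whether the file changed recently."""
    cutoff = time.time() - recent_days * 86400
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGETS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = {"recent": path.stat().st_mtime >= cutoff, "hits": hits}
    return report

# Constructed sample (inert, not taken from a real incident) showing the shape to look for.
SAMPLE = """<?php
function theme_setup() { add_theme_support('title-tag'); }
if (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) {
    eval(base64_decode($payload));
}
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in scan_site(root).items():
        tag = "RECENT" if info["recent"] else "older"
        for n, name in info["hits"]:
            print(f"{path}:{n}: {name} [{tag}]")
```

Run it against a downloaded copy or backup of the site, and compare any flagged file with a clean copy from the original theme or WordPress package before changing anything.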
If your hosting dashboard shows spikes in CPU usage, bandwidth, or email sending (without a corresponding traffic increase), your server may be running malware, sending spam emails, or participating in a DDoS attack.
This is the hardest to detect manually. Some hacks use cloaking — your site looks normal to you, but Google's crawler sees completely different content (spam, gambling ads, pharmaceutical keywords). The only way to catch this is to check what Google sees.
Our free hack scanner does exactly this: it fetches your page as both a regular browser and as Googlebot, then compares the results. If they don't match, you have a cloaking attack. It also checks for spam keywords, hidden iframes, suspicious links, and malicious JavaScript across multiple pages automatically.
For a comprehensive check of your entire site's health — not just hack detection — run a full website audit. It covers SEO, performance, security, trust, privacy, accessibility, and content in one scan.