12 Signs Your Website Has Been Hacked
If your site shows a browser warning, redirects visitors somewhere strange, has admin accounts you didn't create, or your emails are suddenly bouncing, treat it as hacked until you've checked and ruled it out. None of these signs alone is proof, but two or more together is a strong signal.
This is for any small business owner, freelancer, or agency running a WordPress site, Shopify store, or small SaaS app who's noticed something "off" and wants to know if it's a hack or a glitch. You'll get a plain-English checklist of the 12 most common symptoms, what each one actually means, how urgent it is, and the exact first steps to take.
Quick-scan checklist
Run down this table first. Anything in the Critical or High row means stop reading and act now — jump to "What to do right now" below.
| Sign | What it usually means | Urgency |
|---|---|---|
| Browser or antivirus blocks your site | Malware or phishing content detected | Critical |
| Google flags you in Search Console | Confirmed malware, spam, or hacked content | Critical |
| Visitors get redirected to another site | Malicious redirect script injected | Critical |
| Homepage defaced or shows a ransom note | Active, confirmed compromise | Critical |
| New admin/user accounts you didn't create | Attacker has persistent access | Critical |
| Unknown PHP/script files in your file manager | A backdoor was uploaded | High |
| Site is suddenly slow or host suspends you | Server resources hijacked (e.g., crypto-mining) | High |
| Popups or ads only visitors see, not you | Cloaked malware showing different content to bots vs. humans | High |
| Emails from your domain bounce or land in spam | Domain blacklisted or used to send spam | Medium |
| Customers report fraud after buying from you | Payment page or card data possibly skimmed | Critical |
| Gibberish or spammy pages show up in Google | "SEO spam" injection targeting search rankings | Medium |
| Can't log in / login page looks different | Credentials changed or a fake login page installed | High |
The 12 signs, explained
1. Your browser or antivirus blocks the site
If Chrome, Safari, or your antivirus shows a "Deceptive site ahead" or "This site may harm your computer" warning, Google or another security vendor has already detected malware or phishing on your pages. Check your status directly with Google's Safe Browsing site status tool — it's free and takes ten seconds.
2. Google Search Console shows a Security Issues warning
If you have Search Console set up, go to Security & Manual Actions > Security Issues. A message here ("hacked content," "harmful content," or "URL injection") is Google's own confirmation, not a guess. Google documents the common causes and cleanup steps in its hacked-sites help center.
3. Visitors get redirected to a random site
Someone lands on your homepage and ends up on a casino, pharmacy, or fake-prize site instead. This is almost always a malicious redirect injected into your theme files, .htaccess, or a compromised plugin. It often only fires for visitors coming from Google, so you may not notice it browsing directly — test in an incognito window from a search result, not by typing your URL.
4. Gibberish or spammy pages show up in your Google results
Search site:yourdomain.com in Google. If you see pages you never wrote — often in Japanese, Chinese, or stuffed with pharmacy/gambling keywords — that's "SEO spam injection." Attackers create thousands of hidden pages on your domain to piggyback on its search authority.
5. There's an admin account you didn't create
Check Users > All Users in WordPress, or run wp user list --role=administrator if you have WP-CLI access. An unfamiliar admin (sometimes with a generic name like "support" or "admin2") means an attacker created persistent access — even if you change your password, they can still log back in through that account.
6. Unfamiliar files appear in your file manager
Look in wp-content/uploads/, your theme folder, or your site root for .php files that don't belong there — uploads folders should never contain executable scripts. A quick way to spot recently added files via SSH: find . -type f -mtime -14 -name "*.php". These are frequently backdoors that let an attacker back in even after you "clean" the visible hack.
7. Your site is suddenly slow, or your host suspends it for "resource abuse"
A hosting email about excessive CPU use, or a site that crawls to a halt, can mean an attacker installed a script that mines cryptocurrency or sends spam email using your server's resources. Check your hosting control panel's resource-usage graph for an unexplained spike.
8. Emails from your domain bounce or land in spam
If customer emails suddenly bounce, or your own test emails land in spam, your domain may have been used to send spam and gotten blacklisted, or your SPF/DKIM/DMARC records were tampered with. Run a free check with our email spoofing and DNS checker to confirm your records are intact and your domain isn't blacklisted.
9. Popups, fake update prompts, or ads appear — but only for visitors
If customers report seeing "Your Flash Player is out of date" popups or unexpected ads, but you see nothing when you visit, that's likely cloaking: malicious code detects it's talking to a real visitor (not a search bot or the site owner) and serves different, malicious content. This is a classic technique to avoid detection while still infecting visitors — OWASP's guidance on detecting and responding to this kind of compromise is a solid technical reference if you want the deeper mechanics.
10. You can't log in, or the login page looks different
A changed login URL, a login form that looks slightly off, or a password reset that silently fails can mean an attacker replaced your login page with a fake one to harvest credentials, or locked you out after taking over the account.
11. Customers report fraud charges right after buying from you
This is one of the most serious signs on this list. If several customers report card fraud shortly after a purchase, your checkout page or payment integration may have been tampered with (a "web skimmer") to capture card details in real time. Treat this as a critical, drop-everything incident — it can trigger real financial harm to real people.
12. The homepage is defaced, or there's a ransom note
The most obvious sign: your homepage is replaced with a message, a flag, a group's logo, or a ransom demand. This confirms an active compromise with write access to your files. CISA's incident reporting guidance explains when and how to report an incident like this, particularly if customer data may be involved.
What to do right now
If two or more of the signs above match, work through this in order:
- Take a backup of the current (compromised) state first — you'll want evidence, and a clean restore point may need comparison.
- Change every password: hosting account, CMS admin, database, FTP/SFTP, and any team logins. Use unique, long passwords for each.
- Check for accounts and files you didn't create (signs #4 and #5 above) and remove anything unfamiliar.
- Ask your host for their malware scan/cleanup tool — most reputable hosts have one, and can also tell you if other sites on shared hosting were the entry point.
- Verify your DNS and email records haven't been changed using our email spoofing checker.
- Request a review in Google Search Console once you're confident the site is clean, so the browser warnings and search flags get lifted.
- If money, customer data, or payment details were involved, document everything and consider your legal/regulatory notification obligations.
If you're not confident doing this yourself — and most non-technical owners aren't — that's exactly the gap a manual audit closes. For the full step-by-step process (not just the checklist), see our complete guide to what to do when your website's been hacked. If you just want a free first read before spending anything, our free website security check will tell you, no card required, whether something critical is actually going on.
Key takeaways
- Two or more signs from the checklist above (especially anything marked Critical) means you should act now, not "when you get a chance."
- A hacked site almost always has a hidden backdoor file or extra admin account — cleaning the visible symptom without finding that is why sites get re-hacked within days.
- Bounced email and blacklisting are DNS-level symptoms; check your SPF/DKIM/DMARC records, don't just resend the email.
- Google Search Console's Security Issues report is the most reliable free confirmation you can get in under a minute.
- If fraud is involved, or you're not sure what you're looking at, a second pair of trained eyes beats guessing — a $49 manual audit finds and documents the actual cause instead of you chasing symptoms in the dark.
Bug Circuit's $49 Circuit audit has a real engineer manually go through your site, confirm which of these signs are real, find the backdoor or root cause, and hand you a plain-English report with exact fixes — see pricing if you want a professional to confirm and fix it rather than guess.
A real human security engineer audits your whole site by hand and sends a full report — every issue, its severity, and the exact fix. From $49, with a 14-day money-back guarantee.
See pricing