12 Signs Your Website Has Been Hacked

By Bug Circuit Security Team

If your site shows a browser warning, redirects visitors somewhere strange, has admin accounts you didn't create, or your emails are suddenly bouncing, treat it as hacked until you've checked and ruled it out. None of these signs alone is proof, but two or more together is a strong signal.

This is for any small business owner, freelancer, or agency running a WordPress site, Shopify store, or small SaaS app who's noticed something "off" and wants to know if it's a hack or a glitch. You'll get a plain-English checklist of the 12 most common symptoms, what each one actually means, how urgent it is, and the exact first steps to take.

Quick-scan checklist

Run down this table first. Anything in the Critical or High row means stop reading and act now — jump to "What to do right now" below.

SignWhat it usually meansUrgency
Browser or antivirus blocks your siteMalware or phishing content detectedCritical
Google flags you in Search ConsoleConfirmed malware, spam, or hacked contentCritical
Visitors get redirected to another siteMalicious redirect script injectedCritical
Homepage defaced or shows a ransom noteActive, confirmed compromiseCritical
New admin/user accounts you didn't createAttacker has persistent accessCritical
Unknown PHP/script files in your file managerA backdoor was uploadedHigh
Site is suddenly slow or host suspends youServer resources hijacked (e.g., crypto-mining)High
Popups or ads only visitors see, not youCloaked malware showing different content to bots vs. humansHigh
Emails from your domain bounce or land in spamDomain blacklisted or used to send spamMedium
Customers report fraud after buying from youPayment page or card data possibly skimmedCritical
Gibberish or spammy pages show up in Google"SEO spam" injection targeting search rankingsMedium
Can't log in / login page looks differentCredentials changed or a fake login page installedHigh

The 12 signs, explained

1. Your browser or antivirus blocks the site

If Chrome, Safari, or your antivirus shows a "Deceptive site ahead" or "This site may harm your computer" warning, Google or another security vendor has already detected malware or phishing on your pages. Check your status directly with Google's Safe Browsing site status tool — it's free and takes ten seconds.

2. Google Search Console shows a Security Issues warning

If you have Search Console set up, go to Security & Manual Actions > Security Issues. A message here ("hacked content," "harmful content," or "URL injection") is Google's own confirmation, not a guess. Google documents the common causes and cleanup steps in its hacked-sites help center.

3. Visitors get redirected to a random site

Someone lands on your homepage and ends up on a casino, pharmacy, or fake-prize site instead. This is almost always a malicious redirect injected into your theme files, .htaccess, or a compromised plugin. It often only fires for visitors coming from Google, so you may not notice it browsing directly — test in an incognito window from a search result, not by typing your URL.

4. Gibberish or spammy pages show up in your Google results

Search site:yourdomain.com in Google. If you see pages you never wrote — often in Japanese, Chinese, or stuffed with pharmacy/gambling keywords — that's "SEO spam injection." Attackers create thousands of hidden pages on your domain to piggyback on its search authority.

5. There's an admin account you didn't create

Check Users > All Users in WordPress, or run wp user list --role=administrator if you have WP-CLI access. An unfamiliar admin (sometimes with a generic name like "support" or "admin2") means an attacker created persistent access — even if you change your password, they can still log back in through that account.

6. Unfamiliar files appear in your file manager

Look in wp-content/uploads/, your theme folder, or your site root for .php files that don't belong there — uploads folders should never contain executable scripts. A quick way to spot recently added files via SSH: find . -type f -mtime -14 -name "*.php". These are frequently backdoors that let an attacker back in even after you "clean" the visible hack.

7. Your site is suddenly slow, or your host suspends it for "resource abuse"

A hosting email about excessive CPU use, or a site that crawls to a halt, can mean an attacker installed a script that mines cryptocurrency or sends spam email using your server's resources. Check your hosting control panel's resource-usage graph for an unexplained spike.

8. Emails from your domain bounce or land in spam

If customer emails suddenly bounce, or your own test emails land in spam, your domain may have been used to send spam and gotten blacklisted, or your SPF/DKIM/DMARC records were tampered with. Run a free check with our email spoofing and DNS checker to confirm your records are intact and your domain isn't blacklisted.

9. Popups, fake update prompts, or ads appear — but only for visitors

If customers report seeing "Your Flash Player is out of date" popups or unexpected ads, but you see nothing when you visit, that's likely cloaking: malicious code detects it's talking to a real visitor (not a search bot or the site owner) and serves different, malicious content. This is a classic technique to avoid detection while still infecting visitors — OWASP's guidance on detecting and responding to this kind of compromise is a solid technical reference if you want the deeper mechanics.

10. You can't log in, or the login page looks different

A changed login URL, a login form that looks slightly off, or a password reset that silently fails can mean an attacker replaced your login page with a fake one to harvest credentials, or locked you out after taking over the account.

11. Customers report fraud charges right after buying from you

This is one of the most serious signs on this list. If several customers report card fraud shortly after a purchase, your checkout page or payment integration may have been tampered with (a "web skimmer") to capture card details in real time. Treat this as a critical, drop-everything incident — it can trigger real financial harm to real people.

12. The homepage is defaced, or there's a ransom note

The most obvious sign: your homepage is replaced with a message, a flag, a group's logo, or a ransom demand. This confirms an active compromise with write access to your files. CISA's incident reporting guidance explains when and how to report an incident like this, particularly if customer data may be involved.

What to do right now

If two or more of the signs above match, work through this in order:

  1. Take a backup of the current (compromised) state first — you'll want evidence, and a clean restore point may need comparison.
  2. Change every password: hosting account, CMS admin, database, FTP/SFTP, and any team logins. Use unique, long passwords for each.
  3. Check for accounts and files you didn't create (signs #4 and #5 above) and remove anything unfamiliar.
  4. Ask your host for their malware scan/cleanup tool — most reputable hosts have one, and can also tell you if other sites on shared hosting were the entry point.
  5. Verify your DNS and email records haven't been changed using our email spoofing checker.
  6. Request a review in Google Search Console once you're confident the site is clean, so the browser warnings and search flags get lifted.
  7. If money, customer data, or payment details were involved, document everything and consider your legal/regulatory notification obligations.

If you're not confident doing this yourself — and most non-technical owners aren't — that's exactly the gap a manual audit closes. For the full step-by-step process (not just the checklist), see our complete guide to what to do when your website's been hacked. If you just want a free first read before spending anything, our free website security check will tell you, no card required, whether something critical is actually going on.

Key takeaways

  • Two or more signs from the checklist above (especially anything marked Critical) means you should act now, not "when you get a chance."
  • A hacked site almost always has a hidden backdoor file or extra admin account — cleaning the visible symptom without finding that is why sites get re-hacked within days.
  • Bounced email and blacklisting are DNS-level symptoms; check your SPF/DKIM/DMARC records, don't just resend the email.
  • Google Search Console's Security Issues report is the most reliable free confirmation you can get in under a minute.
  • If fraud is involved, or you're not sure what you're looking at, a second pair of trained eyes beats guessing — a $49 manual audit finds and documents the actual cause instead of you chasing symptoms in the dark.

Bug Circuit's $49 Circuit audit has a real engineer manually go through your site, confirm which of these signs are real, find the backdoor or root cause, and hand you a plain-English report with exact fixes — see pricing if you want a professional to confirm and fix it rather than guess.

Want certainty, not guesswork?

A real human security engineer audits your whole site by hand and sends a full report — every issue, its severity, and the exact fix. From $49, with a 14-day money-back guarantee.

See pricing

Common questions

How do I know for sure if my website has been hacked, versus just having a bug?
Check Google Search Console's Security Issues report and the Google Safe Browsing site status tool first — these are direct, third-party confirmations rather than guesses. A bug usually breaks one thing consistently for everyone; a hack often behaves differently for search bots versus real visitors, or introduces content/files you never created.
Can I just restore from a backup and be done?
Only if you're certain the backup predates the compromise and you've closed the original entry point (an outdated plugin, a stolen password, an exposed admin panel). Restoring an infected backup, or restoring a clean one without fixing how the attacker got in, usually leads to a repeat hack within days.
My site got hacked but Google hasn't flagged it yet — should I still worry?
Yes. Google's flags lag behind actual compromise, sometimes by days or weeks. File-level signs (new admin users, unfamiliar PHP files, unexpected redirects) are earlier and more reliable indicators than waiting for a search warning to appear.
Does a hacked WordPress plugin count as 'my site being hacked'?
Yes. Most small-site compromises start through an outdated or vulnerable plugin, not a direct attack on your server. The plugin is the entry point; once in, attackers add backdoor files and admin accounts the same way regardless of the initial vector.
What's the fastest first check I can do myself, right now?
Search `site:yourdomain.com` in Google to spot spammy injected pages, and check Users > All Users in your CMS for admin accounts you don't recognize. Both take under two minutes and catch the two most common hack indicators.

Keep reading

See what attackers see — free

Run the free passive check on your domain. No login, no impact on your site, results in seconds.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →

Published by Bug Circuit. Written with AI assistance and reviewed for accuracy before publishing.