Let’s talk!

Website Hacked: How to Tell and What a Business Owner Should Do

A hacked website does not always look broken. Sometimes it still opens, but hidden redirects, spam pages, malicious scripts or browser warnings are already damaging your business. This guide explains how to spot the signs and what to do next.

Website Hacked: How to Tell and What a Business Owner Should Do

A hacked website does not always look like a dramatic black screen with a warning message. In many cases, the website still opens, pages look normal, and the admin panel may even work as usual. But somewhere inside the code, database or server, malicious scripts, hidden links, spam pages or redirects may already be damaging the business.

That is why the phrase “website hacked” can mean very different things. Sometimes the website is completely unavailable. Sometimes users are redirected to suspicious pages. Sometimes Google starts showing unknown URLs from your domain. And sometimes the first sign is a warning from a browser, antivirus, hosting provider or Google Search Console.

For a business owner, the main thing is not to panic, but also not to ignore the issue. If the website has really been hacked, every extra day can cost you leads, advertising budget, SEO visibility, customer trust and brand reputation.

In this guide, we will explain how to understand that your website was hacked, which signs to check first, what actions to take immediately and how to reduce the risk of another attack.


Why a Hacked Website Is Dangerous for Business

For an attacker, your website is not always the final target. It may be used as a tool for spam, hidden SEO links, phishing pages, malware distribution, redirects, fake stores or mass email sending.

For the business, the consequences can be much broader than “something broke on the website”. A hacked website can affect sales, advertising, search visibility and customer trust at the same time.

A website hack may lead to:


  • lost inquiries from SEO and paid ads;
  • browser or antivirus warnings;
  • Google Search Console security alerts;
  • lower positions in Google;
  • spam pages appearing in search results;
  • problems with Google Ads or Meta Ads;
  • stolen form, account or order data;
  • damaged brand reputation;
  • repeated infection after poor cleanup.

The most dangerous part is that the website may look fine to the owner. You open the homepage, and everything seems normal. But a user from mobile search may be redirected to another domain. Or Googlebot may see different content than a regular visitor. These cases are harder to notice without technical checks.


How to Tell If Your Website Was Hacked

There are several common signs of a hacked website. One symptom does not always mean the site is compromised, but if several signs appear at the same time, the website should be checked immediately.


The Website Redirects Users to Another Domain

One of the clearest signs of a hacked website is an unexpected redirect. A user opens your website, but instead of your page, they are sent to an unknown domain, fake store, suspicious landing page, gambling page, adult page, scam offer or browser warning.

The tricky part is that redirects do not always happen for everyone. They may work only:


  • on mobile devices;
  • after clicking from Google;
  • for new visitors;
  • in certain countries;
  • in specific browsers;
  • once per session;
  • on selected pages only.

That is why a business owner may not see the issue for a long time. The site opens normally on their laptop, but customers already see strange redirects and leave before contacting the company.


Unknown Pages Appear in Google

Another common sign is the appearance of pages that you never created. These URLs may contain foreign words, random symbols, medicine names, casino terms, fake brand names or topics that have nothing to do with your business.

You may notice this by searching your domain in Google or checking indexed pages in Search Console. If the website was hacked for SEO spam, attackers may create hundreds or even thousands of hidden pages.

These pages are often invisible in the menu and may not appear in the admin panel. But search engines can find and index them. As a result, your domain reputation may suffer, and normal pages may lose visibility.


Browser or Antivirus Shows a Warning

If Chrome, Safari, Edge, Firefox or antivirus software shows a security warning, take it seriously. It may be caused by malicious files, suspicious scripts, phishing pages, infected redirects or a poor domain reputation.

Even if the website opens for you, part of your audience may see a warning and leave immediately. For a commercial website, this directly affects leads and conversions.

A warning can also damage trust. A potential client may not understand the technical reason. They simply see that the website looks unsafe and decide not to contact the company.


Content Changed Without Your Team Editing It

Sometimes a hack is visible directly on the page. You may notice strange links, banners, pop-ups, buttons, forms or text in another language.

But in many cases, the changes are hidden. The page may look normal, while the code contains injected JavaScript, hidden iframe elements, tracking scripts, spam links or content shown only to search engines.

That is why visual checking is not enough. A proper inspection should include HTML, files, database records, templates, plugins, logs and recent changes.


The Website Became Slow or Unstable

A hacked website may overload the server. Malicious scripts, spam pages, bots, hidden processes or mass email activity can make the website slower.

Common symptoms include:


  • pages load much slower than before;
  • 500 errors appear from time to time;
  • the admin panel becomes slow;
  • hosting reports high resource usage;
  • the database grows unexpectedly;
  • unknown server processes appear;
  • emails from your domain start going to spam.

Not every performance issue means the website was hacked. But if the slowdown appeared suddenly and there were no major changes in traffic, code or hosting, it should be investigated.


You Cannot Log Into the Admin Panel

If your admin password no longer works, new users appear, roles have changed, or someone edited settings without your knowledge, access may be compromised.

This is especially dangerous if an unknown user has administrator rights. They may edit files, install plugins, add scripts, create hidden pages, change settings or hide traces of the attack.

After a suspected hack, you should check not only the website admin panel, but also hosting, FTP/SFTP, database, email, domain registrar, Git, server panel and connected third-party tools.


What to Do If Your Website Was Hacked

The biggest mistake is to randomly delete files, reinstall plugins or restore the first available backup without understanding the cause. This may remove visible symptoms, but leave the actual vulnerability open.

A better approach is to stabilize the situation, find the source of the problem, clean the website, close the vulnerability and only then return to normal work.


1. Record the Symptoms

Before making changes, try to understand what exactly is happening. This helps a developer or technical specialist find the cause faster.

Record:


  • which pages behave incorrectly;
  • whether there are redirects;
  • where the website redirects users;
  • whether the issue appears on mobile;
  • whether it happens after clicking from Google or ads;
  • what browser warning is shown;
  • whether Search Console has security alerts;
  • when the issue was first noticed;
  • what changes were made recently.

Avoid describing the issue only as “the website was hacked”. Specific examples save time and reduce the risk of an incomplete recovery.


2. Reduce the Damage Temporarily

If the website may harm visitors, it is better to limit the damage quickly. This does not always mean shutting down the whole website, but in serious cases temporary maintenance mode may be the safest option.

Possible actions include:


  • enabling maintenance mode;
  • closing infected pages;
  • pausing ads that send traffic to unsafe URLs;
  • limiting access to the admin panel;
  • disabling suspicious scripts after checking them;
  • warning the team not to open suspicious links;
  • avoiding password entry on infected pages.

If paid traffic is active, check landing pages first. Otherwise, you may keep spending budget on pages that do not convert or even scare users away.


3. Make a Copy of the Current State

It may sound strange, but before cleanup it is often useful to make a copy of the infected website. This copy is not for restoring the website. It is for analysis.

It can help identify:


  • which files were changed;
  • when malicious code appeared;
  • whether new users were created;
  • which pages were affected;
  • what server logs show;
  • whether the infection came through admin, FTP, plugin, form or server access.

If everything is deleted immediately, important traces may disappear. Then it becomes harder to understand how the hack happened and how to prevent it from returning.


4. Check Access and Change Passwords

After a suspected hack, all critical passwords should be changed. Ideally, do this from a safe device, not from a computer that may also be infected.

Check access to:


  • website admin panel;
  • hosting account;
  • FTP/SFTP;
  • database;
  • domain email;
  • domain registrar;
  • CDN or Cloudflare;
  • Google Search Console;
  • Google Analytics;
  • advertising accounts;
  • Git repository;
  • CRM and integrations.

Also remove unnecessary users, check administrator roles and make sure no unknown person has access to website management.


5. Check Files, Database and Logs

Cleaning a hacked website is not just deleting one suspicious file. Malicious code may be hidden in templates, plugins, uploads, database records, configuration files, cron jobs or hidden administrator accounts.

You should check:


  • recently modified files;
  • unknown PHP, JS or HTML files;
  • suspicious code in templates;
  • injected scripts in header or footer;
  • new records in the database;
  • hidden pages;
  • unknown admin users;
  • login logs;
  • suspicious URL requests;
  • cron jobs;
  • file and folder permissions.

If the website is built on a CMS, check the core, theme, plugins, modules and custom changes. If it is a custom website, the codebase, dependencies, forms, API endpoints, server logic and user input processing should be reviewed.

For complex cases, it is better to involve a developer who can check not only visible symptoms, but also code, database, server configuration, forms, scripts and access rights.


6. Restore the Website Carefully

A backup can help, but it is not always enough. If you simply restore an older version without closing the vulnerability, the website may be hacked again.

A proper recovery process should include:


  • choosing a clean backup;
  • checking whether the backup was already infected;
  • updating CMS, plugins, themes or dependencies;
  • changing all critical access credentials;
  • removing unknown users;
  • checking file permissions;
  • clearing cache;
  • checking redirects;
  • scanning the website again;
  • testing forms, checkout and key pages.

If the issue was caused by vulnerable code or outdated website logic, restoring a backup only gives you a temporary result. The real fix is to close the source of the vulnerability.


What Not to Do After a Website Hack

When a business owner sees that the website was hacked, the natural reaction is to fix everything as quickly as possible. But rushed actions can make the situation worse.

Avoid:


  • deleting files randomly;
  • restoring a backup without checking the cause;
  • keeping old passwords;
  • ignoring Search Console;
  • assuming the issue is solved because the homepage opens;
  • installing random security plugins without understanding the problem;
  • hiding the issue from the team;
  • running ads to pages that have not been checked;
  • checking only the desktop version;
  • cleaning only the homepage.

Another common mistake is blocking the whole website from indexing through robots.txt or noindex without understanding the SEO consequences. Temporary restrictions may be useful in some cases, but they must be applied carefully.


How a Website Hack Affects SEO

A hacked website can seriously damage SEO. Even after cleanup, Google may continue to see spam pages, suspicious redirects, security warnings, changed content or many crawl errors.

Common SEO problems after a hack include:


  • spam pages indexed in Google;
  • browser or search warnings;
  • normal pages losing positions;
  • changed titles and descriptions in search results;
  • rankings for spam-related queries;
  • many 404 or 5xx errors;
  • suspicious external links;
  • lower organic traffic;
  • reduced trust in the domain.

After technical cleanup, you should also check the SEO condition of the website. Review Search Console, sitemap, robots.txt, canonical tags, redirects, indexed pages, crawl errors, organic traffic and search queries.

If technical issues remain after cleanup, a separate website error fixing stage may be needed. Some consequences of a hack can affect search performance even after malicious files are removed.


Why Websites Get Hacked

To prevent another attack, you need to understand the cause. Without this, recovery becomes a temporary repair rather than a real solution.


Outdated CMS, Theme or Plugins

For WordPress, Joomla, OpenCart, Drupal and other CMS websites, outdated components are one of the most common risks. If the core, theme or plugins have not been updated for a long time, they may contain known vulnerabilities.

The issue is not only the age of the website. Even a new website can be vulnerable if it uses an unsafe plugin, a theme from an unreliable source or a module that is no longer supported.


Weak or Reused Passwords

A weak password for the admin panel, FTP, hosting or email is a direct risk. The danger is even higher when the same password is used in several services.

If credentials leak from one service, attackers may try them on your website, email, hosting or domain panel. That is why passwords should be not only strong, but also unique.


Unsafe Forms and Custom Code

Contact forms, search fields, comments, file uploads, user accounts, APIs and other interactive features must be protected. If user input is not properly checked, it can create vulnerabilities.

Older custom websites deserve special attention. They may work for years, but still contain security issues that are not visible to the owner.


Infected Device or Stolen Access

Sometimes the problem is not the website itself, but the device used to access it. If passwords are saved on an infected computer, access credentials may be stolen.

After a hack, check not only the website, but also the devices used by people who have access to the admin panel, hosting, email, FTP or CRM.


Poor Hosting or Server Configuration

A weak server setup can also increase security risks. Incorrect file permissions, outdated PHP versions, lack of project isolation, open system files or poor access control can make attacks easier.

Website security is not only about CMS. It includes code, server, access rights, updates, backups and regular monitoring.


How to Check the Website After Cleanup

After malicious code is removed, do not assume the problem is over. The website must be tested from the perspective of users, search engines and advertising platforms.

Check:


  • homepage;
  • key service or product pages;
  • mobile version;
  • contact forms;
  • cart and checkout if it is an online store;
  • redirects;
  • admin panel;
  • sitemap.xml;
  • robots.txt;
  • Search Console;
  • important indexed pages;
  • spam URLs in Google;
  • browser warnings;
  • loading speed;
  • server logs after cleanup.

It is also useful to monitor the website for several days after recovery. Some infections return later if the root cause was not fully removed.


How to Protect the Website From Being Hacked Again

No one can guarantee that a website will never be hacked. But you can significantly reduce the risk and make recovery much faster if something goes wrong.

Recommended actions:


  • update CMS, themes, plugins and dependencies regularly;
  • use strong unique passwords;
  • enable two-factor authentication where possible;
  • limit the number of administrators;
  • remove unused plugins, themes and accounts;
  • create regular backups;
  • store backups outside the main server;
  • test the website after updates;
  • monitor Search Console;
  • watch server logs and suspicious activity;
  • avoid unverified modules;
  • run technical audits from time to time.

For a business website, the best strategy is not to wait until something breaks. If the website brings leads, sales or supports daily communication with clients, regular technical website support is not an extra service — it is part of keeping the business stable online.


When You Should Contact Specialists

If the website is small and the issue is obvious, the owner or administrator may be able to update the CMS, change passwords and restore a clean backup. But in many cases, it is safer to involve specialists.

You should contact professionals if:


  • the website redirects users to other domains;
  • browsers or antivirus tools show warnings;
  • spam pages appear in Google;
  • the website runs on a CMS with many plugins;
  • there is an online store, payment system or user account area;
  • there may be a data leak;
  • you do not have a clean recent backup;
  • the hack keeps returning;
  • you do not know which files were changed;
  • the website is important for ads, SEO or sales.

The goal is not just to make the website look normal again. The real task is to find the cause, close the vulnerability, clean the damage, check SEO consequences and make sure users can safely interact with the website.


Conclusion

If your website was hacked, act quickly but not chaotically. First, record the symptoms, reduce the damage, check access, make a copy of the current state, find the source of the problem, clean the website and close the vulnerability.

Simply restoring a backup is not enough. If the cause remains, the website may be hacked again. And checking only the homepage is not enough either — malicious code may be hidden in the database, templates, plugins, redirects, server tasks or hidden pages.

For a business, a website is not just a set of pages. It is leads, advertising, SEO, trust and reputation. That is why website security should not be treated as a one-time emergency. It should be part of regular technical maintenance.


FAQ

How can I tell if my website was hacked?

Common signs include unexpected redirects, browser or antivirus warnings, unknown pages in Google, changed content, new admin users, slow performance, errors or security alerts in Search Console.


What should I do first if my website was hacked?

First, record the symptoms: which pages are affected, whether there are redirects, what warnings appear and when the issue started. Then limit the damage, change access credentials, make a copy for analysis and start a technical check.


Is restoring a backup enough after a website hack?

Not always. If you restore a backup but do not fix the vulnerability, the website may be hacked again. After restoring, you should update software, change passwords, check users, review files, inspect the database and test the website.


Why do unknown pages appear in Google after a hack?

Attackers often create hidden pages for SEO spam. These pages may not appear in the menu or admin panel, but Google can still index them. They should be removed, and the cause of their creation must be fixed.


Can a hacked website affect advertising?

Yes. If the website redirects users, shows warnings or contains malicious code, paid campaigns may lose performance or face restrictions. Even without a formal block, users are less likely to trust and convert on an unsafe website.


Should I change all passwords after a website hack?

Yes. Change passwords for the admin panel, hosting, FTP/SFTP, database, email, domain registrar, CDN, Search Console, analytics, CRM and other connected services. Use a safe device when doing this.


Can I clean a hacked website myself?

You can try if you clearly understand what caused the issue and how to remove it safely. But if there are redirects, spam pages in Google, browser warnings, database problems or repeated attacks, it is safer to involve a specialist.


How can I prevent another website hack?

Keep CMS, plugins, themes and dependencies updated. Use strong unique passwords, enable two-factor authentication, limit admin access, remove unused components, create backups, monitor Search Console and run regular technical checks.

Author:

 Taras Sydorovych

Updated: 6/10/2026

You may also be interested in

Why does a website load very slowly or not open at all?

Why does a website load very slowly or not open at all?

A slow or unavailable website can lose leads, sales, trust, and SEO visibility. In this article, we explain the most common reasons why a website takes too long to load, what can break after updates or migration, and when it is time to involve a technical specialist.

How to Write Product Descriptions That Sell

How to Write Product Descriptions That Sell

Learn how to write product descriptions for an online store: structure, SEO, examples, photos, videos, trust factors, and common mistakes.

What to Do When Your SSL Certificate Expires

What to Do When Your SSL Certificate Expires

A practical guide on what happens when an SSL certificate expires, how to restore HTTPS correctly and what to check after renewal.