Signs Your Website Has Been Hacked (And What to Do Next)

Common Symptoms of a Hacked Website

Unexpected redirects are one of the clearest signs of a compromise. If visitors clicking on your site in Google results are being sent to a completely different website — often a gambling, pharmaceutical, or adult content site — malicious code has been injected into your pages. These redirects sometimes only affect mobile users or visitors coming from search engines, which is why the site owner, who typically accesses the site directly, may not notice.

Spam content appearing on your website is another strong indicator. Hackers frequently inject hidden pages or posts stuffed with keywords and links to promote their own sites. You might discover hundreds of pages you never created, often in languages you do not use, indexed in Google under your domain.

Google Search Console warnings or 'This site may be hacked' labels in search results are definitive signals. Google's automated systems scan for malware, phishing, and unwanted software. If they flag your site, you will see a notification in Search Console, and your search listings will carry a warning that deters visitors and devastates click-through rates.

Sudden drops in website traffic without an obvious cause can indicate a compromise. If Google has deindexed some of your pages due to detected malware, your organic traffic will decline sharply. Similarly, if your site is redirecting visitors away, your analytics will show abnormal bounce rates and session durations.

Admin lockouts — being unable to log into your own website's dashboard — suggest an attacker has changed your credentials or created new admin accounts. If you cannot access your CMS admin panel with your usual credentials and password reset emails are not arriving, take immediate action.

The First 30 Minutes: Containment

The moment you suspect your website has been compromised, your priority is containment — limiting the damage before you begin cleanup. Speed matters here more than thoroughness.

First, change all passwords immediately. This means your CMS admin password, hosting control panel password, FTP/SFTP credentials, database password, and any connected service passwords. Use strong, unique passwords for each. Do this from a device you trust — not the same computer that may have been compromised.

If you can still access your hosting control panel, put your website into maintenance mode or take it offline temporarily. Yes, this means downtime, but serving a hacked website to visitors is far worse than a brief maintenance page. If your site is actively spreading malware or redirecting to harmful content, keeping it live exposes your visitors and deepens the reputational damage.

Check for unfamiliar admin accounts in your CMS. Attackers often create their own admin user to maintain access even after you change the original password. Delete any accounts you do not recognise.

Contact your hosting provider. Many hosts have security teams that can help identify the entry point and contain the issue at the server level. They may also have recent backups you can restore from. Document everything — screenshots of symptoms, timestamps, and any changes you make during containment. This documentation will be useful during the full cleanup phase.

72-Hour Recovery Timeline

Once containment is in place, the recovery process typically follows a structured timeline. The first 24 hours focus on identifying the extent of the compromise and beginning cleanup.

During hours 1-24, scan your website files for malware using your hosting provider's tools or a reputable security scanner. Compare your current files against a known clean backup if one exists. Identify which files have been modified, added, or deleted. Check your database for injected content — hackers frequently add malicious scripts to post content, widget areas, or options tables.

During hours 24-48, restore your website from a clean backup if available, or manually clean infected files. Update all software — CMS core, plugins, themes — to the latest versions. Reinstall the CMS core files from the official source to ensure no modified core files remain. Review your .htaccess file and wp-config.php (for WordPress) or equivalent configuration files for injected code.

During hours 48-72, verify the cleanup is complete by running another full scan. Submit a reconsideration request to Google if your site was flagged. Re-enable your website and monitor closely for any signs of reinfection. Test all forms, checkout processes, and critical functionality to ensure everything works correctly.

If the compromise involved customer data, you may have legal notification obligations under UAE data protection regulations. Consult with a legal advisor about your disclosure requirements, and communicate transparently with affected customers.

Post-Cleanup Prevention Checklist

Recovery is not complete when the malware is removed. If you do not address the vulnerability that allowed the attack, reinfection is likely — sometimes within days.

Conduct a thorough audit of how the attacker gained access. Was it an outdated plugin with a known vulnerability? A weak password? A compromised third-party script? Understanding the entry point is essential for preventing recurrence.

Implement a Web Application Firewall (WAF) if you have not already. A WAF filters malicious traffic before it reaches your website, blocking common attack patterns like SQL injection, cross-site scripting, and brute-force login attempts.

Set up automated monitoring and alerting. This includes file integrity monitoring (which notifies you when files change unexpectedly), uptime monitoring, and regular malware scans. Early detection is your best defence — the difference between catching an issue in 10 minutes versus 10 days is enormous.

Review your backup strategy. Ensure you have automated daily backups stored offsite (not on the same server as your website). Verify that backups are actually restorable — a backup you cannot restore is not a backup. Consider keeping at least 30 days of backup history so you can restore from a point before the compromise occurred.

What This Means for Your Business

A website hack is stressful, but it is recoverable if you act quickly and systematically. The businesses that suffer the most are those that either do not notice the compromise for weeks or do not address the root cause after cleanup, leading to repeated infections.

The real cost of a hack is not just the cleanup — it is the lost revenue during downtime, the damage to your search rankings from Google flagging your site, the erosion of customer trust, and the hours of productive work diverted to crisis management. For many SMEs, a single serious compromise can cost more than years of preventive security management.

Having a response plan before you need it is the most practical thing you can do. Even a simple document outlining who to call, which passwords to change, and how to take the site offline can cut your response time from hours to minutes.

When This Advice May Not Be Sufficient

If your website handles payment processing, stores personal health information, or manages sensitive business data, the recovery process involves additional steps including forensic analysis, regulatory notification, and potentially engaging specialised cybersecurity consultants.

Large-scale compromises affecting multiple servers, email systems, or connected applications require enterprise-level incident response that goes beyond website-level cleanup.

If you suspect the compromise involves targeted attacks (as opposed to opportunistic automated scanning), consider engaging a cybersecurity firm that specialises in digital forensics and incident response.