Last updated: August 6, 2020
Is Your Website Hacked? Use This Checklist To Confirm
Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more
Opening up your blog or website to discover it's been vandalized or replaced entirely is a pretty obvious clue that you've been hacked. Unfortunately, hackers don't always make it easy for you to notice you've been hacked at all. Many modern site hacks are designed to avoid detection so they can pursue their purposes—collecting information, installing malware, and, of course, spreading the infection to users and other servers—unhindered by efforts on your part.
Left unchecked, an infected site can quickly "share the wealth" with hundreds, thousands, or even millions of users, depending on the popularity of the site and the demographic visiting it. The result? Serious problems for your site, your visitors, and—if someone else finds the hack before you do—your credibility and success.
Fortunately, with a little preparation and the right tools, you can quickly and easily identify whether or not your site's been hacked. Follow this simple checklist to check your site for hacks and get it back in fighting trim.
Checking Your Site for Hacks
- Take a look at your files. If you're familiar with code and your site files (and if you manage your own site, it's a good idea to get familiar as soon as possible), the first step is to examine your site files and code for problems. What kind of problems? Most hackers attack modern websites at three critical points:
- .htaccess files
- .php files
- media files
These file types lend themselves to exploitation by hackers, particularly if you have a lot of unnecessary files cluttering up your site's file folders (e.g., test databases that never got deleted, extra .php files, media files stored in non-secure locations). Hackers can insert hidden links to malicious sites, or embed code right in these files. One particularly nasty trick is to encrypt the code with base64 encoding, especially at the end of .php files. This effectively disguises links, malware and other bits of evil behind seemingly innocuous code. A quick search for "base64" throughout your entire site is a good way to find these lurkers.
- Take advantage of security tools. A quick scan with a handful of security utilities is extremely useful if you're not comfortable examining your own files and code. In fact, using these tools, in succession, is a smart idea even if you are comfortable with checking your own code.
- Google's safe browsing checker will scan your site and return detailed information about the last time Google crawled the site, any suspicious activity associated with the site, and whether your site has been identified as a distributor of, or intermediary for, malware. It takes seconds, and is absolutely free. Just type the following into your browser and replace "yourdomain.com" with your actual domain:http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com
- Google Webmaster Tools provide essential tools for any webmaster, including checks that determine the overall health of your site. If you haven't done so already, set up Google Webmaster Tools on your site. Once you're set up and Google has analyzed your site, go to the "Malware" category to find out what, if any, malware exists on your site.
- Securi SiteCheck is an online service that scans your site and identifies any problems. Securi SiteCheck's scanner looks for:
- Viruses (including embedded trojans)
- SPAM and blacklisted site references
- Obfuscated JavaScipt Injections
- Hidden & Malicious iFrames
- Phishing Attempts
- Cross Site Scripting (XSS)
- Malicious Redirects
- Backdoors (e.g., C99, R57, Webshells)
- SQL Injections
- IP Cloaking
- Social Engineering Attempts
Securi's manual scan is free, but the company also offers various additional services, including an $89.99/year plan that will monitor your site for attacks and keep it clean as necessary.
- A platform-specific scan is useful if you've built your site using a Content Management System (CMS) such as WordPress or Joomla! Tools like the Theme Authenticity Checker (TAC), Better WP Security, or Exploit Scanner plug-ins for WordPress will comb through the entire contents of your site, pinpointing suspicious code and links for easy removal. Joomla! users can take advantage of tools like Jamss.php, a plug-in script that scans Joomla! sites and identifies potential problems.
- Google's safe browsing checker will scan your site and return detailed information about the last time Google crawled the site, any suspicious activity associated with the site, and whether your site has been identified as a distributor of, or intermediary for, malware. It takes seconds, and is absolutely free. Just type the following into your browser and replace "yourdomain.com" with your actual domain:
Cleaning a Hacked Site
Before you delete anything, always make a full back-up of your site. That way, you won't be stuck at square one if something unforeseen happens.
Once you've identified the suspicious code and links on your site, the best way to clean them is to find and download the affected files, using your FTP application. Make the necessary deletions and modifications, and then re-upload them, replacing the infected files with the clean ones. When this is complete, give your entire site another thorough scan to make sure you didn't miss anything during your repairs.
When the scans come back clean, and you've removed all unnecessary files, be sure to change all of your passwords, including your WordPress passwords, admin account passwords, and the passwords for your FTP, Hosting Control Panel, and SSH accounts. This will make your site even more secure and help prevent hackers from exploiting old passwords to regain access to your site.
Also, be aware that some especially fiendish malware will install a scheduler on your server. By adding a task to your Cron Jobs (or similar scheduler), these applications can reinfect your newly-cleaned system again and again unless you remove the Cron Job. If your server uses Cron Jobs, access your scheduler (usually via your hosting control panel, e.g. cPanel) and delete any suspicious tasks.
Guarding Against Future Hacks
Even if your site comes back with a clean bill of health, you can take a few necessary precautions to help keep it that way.
Monitor your site regularly. If your hosting provider offers site monitoring as a service, consider taking advantage of it. Or, if you use Google Analytics, you can monitor your site for unusual traffic patterns or other suspicious behavior, and run a site scan as necessary to make sure your site hasn't been compromised.
If you see a spike in SPAM, traffic from unexpected places (e.g., a sudden increase in Finnish visitors to a local tractor supply store site in Iowa), old content that's suddenly revitalized or pulling a suspicious number of comments, or anything that cannot be readily explained as "normal" for your site, it's a good idea to examine your site files for problems.
Be proactive with your security. Using a strong password generator, regularly changing your passwords, keeping administrator accounts to a minimum, and removing all unnecessary content from your site can go a long way toward keeping your site safer from hack attacks. If visitors don't need write permissions on your site for uploading or anything else, block those functions on your site. Protect sensitive folders and files (including databases) with strong passwords as well. The goal is to keep the security settings on your site as high as possible, while still allowing visitors to use and enjoy your site.
If you use a CMS to create and manage sites, be sure only to use themes and plug-ins from reputable and safe providers, and remove any unused themes or plug-ins promptly. Keep your core installation up to date, since outdated software is the number one inroad for hackers who attack CMS-generated sites.
A hacked site isn't the end of the world, but it can cause major headaches for you, your visitors, and any other servers unfortunate enough to be infected with malware, viruses, or SPAM spread by your site. Taking the time and effort necessary to monitor, scan, and clean your site on a regular basis can help you protect your site, your customers, and your reputation.
Further Reading and Resources
We have more guides, tutorials, and infographics related to websites and hacking:
- Major Hacks and Cyber Attacks: Are We Prepared? Check out the scale of cyber attacks and what is being done to stop them.
- Which Is the Most Secure Browser? not all web browsers are as secure as others. Find out what you can do to make your browing as safe as possible.
- These 14 Devices are Shockingly Easy To Hack: some things shouldn't even be connected to the internet.
Is Your Home Safe From Hackers?
It's not just your websites. Check out our infographic, Is Your Home Safe From Hackers? (Researchers Say, "Probably Not"). It's scary, but really interesting