If a website has been hacked, the signs are often visible before the problem becomes severe. For a small business site on shared hosting, early detection matters because compromised files, stolen credentials, or malicious redirects can affect visitors, email deliverability, and search rankings. The sooner you identify suspicious activity, the faster you can isolate the issue, restore clean files, and reduce the risk of further damage.
In a hosting environment with a control panel such as Plesk, common warning signs may appear in website files, database content, file permissions, logs, or the behavior of the site itself. Some compromises are obvious, while others are subtle and designed to stay hidden. This guide explains how to check for signs of hacking, what to review in your hosting account, and what to do next if you suspect a breach.
Common signs that your website may have been hacked
A hacked website does not always look broken. In many cases it still loads normally, but with hidden changes in the background. Look for one or more of the following symptoms.
Unexpected changes on the website
- Pages show content you did not publish.
- Text, images, or links have been replaced.
- Spam keywords, pharmaceutical terms, or foreign-language content appear on the site.
- New pages or posts were created without your approval.
- Footer text, contact details, or business information has changed.
Redirects to unfamiliar websites
If users are sent to unrelated pages, scam sites, or ad-heavy domains, this is a strong sign of compromise. Redirects can be caused by malicious code in .htaccess, injected JavaScript, altered CMS files, or a compromised plugin or theme.
Browser security warnings
Visitors may see warnings such as “Deceptive site ahead,” “This site may be hacked,” or malware alerts from browsers and antivirus tools. Search engines may also flag your pages as unsafe. These warnings can appear when malicious scripts, phishing forms, or infected downloads are detected.
Unknown admin users or changed account details
In a CMS like WordPress, check for users you do not recognize, changes in administrator email addresses, or newly created accounts with elevated privileges. Attackers often create hidden admin accounts to keep access after the initial intrusion.
Suspicious email activity
If your domain starts sending spam, or if customers report strange messages from your address, the site or mail account may have been compromised. On shared hosting, a hacked site and hacked mailbox can be related, especially if passwords were reused or weak.
Sudden drop in performance or unusual resource usage
A hacked site may become slow because malicious scripts are running in the background, sending spam, or consuming CPU and memory. In your hosting control panel, look for unexpected spikes in bandwidth, disk I/O, or process usage.
Changed files or unfamiliar file timestamps
Attackers often modify core files, inject code into templates, or upload new PHP files. If you see recently modified files in directories that should be stable, or files with random names in uploads folders, investigate immediately.
Where to check first in your hosting account
When you suspect a compromise, start with the hosting environment and the site’s most important files. If you use Plesk or a similar control panel, you can review several areas without needing server-level access.
File manager and site root
Open the document root of your website and inspect these locations:
- .htaccess for unknown redirects, rewrite rules, or obfuscated text.
- index.php, index.html, and other entry files for injected code.
- Theme and template files for unfamiliar scripts or encoded strings.
- uploads, cache, and temporary folders for PHP files that do not belong there.
Malware often uses base64-encoded or heavily obfuscated code. If a file looks unreadable or contains long random strings, compare it with a clean backup or the original package from your CMS.
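The checks in this list can be run over a downloaded copy of the document root. The script below is an added example, not part of the original guide; the directory names, regular expressions, and the sample site it builds are assumptions chosen for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

STATIC_DIRS = {"uploads", "cache", "tmp", "temp"}  # should hold static content only
# Heuristics, not proof: every hit still needs a manual look at the file.
EXEC_RE = re.compile(r"\b(eval|assert|gzinflate|base64_decode|str_rot13)\s*\(", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long base64-looking run
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect\w*)\b.*https?://", re.I | re.M)

def scan_docroot(root):
    """Return sorted (relative_path, reason) findings for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).lower().split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            is_php = lower.endswith((".php", ".phtml", ".phar")) or ".php." in lower
            if is_php and parts & STATIC_DIRS:
                findings.append((rel, "php-in-static-dir"))
            if not (is_php or lower == ".htaccess"):
                continue
            text = Path(path).read_text(errors="replace")
            if lower == ".htaccess" and REDIRECT_RE.search(text):
                findings.append((rel, "external-redirect"))
            if is_php and EXEC_RE.search(text) and BLOB_RE.search(text):
                findings.append((rel, "obfuscated-code"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree; names and contents are illustrative only."""
    samples = {
        "index.php": "<?php require 'app.php';",
        ".htaccess": "RewriteRule ^(.*)$ https://unrelated.example/$1 [R=302,L]\n",
        "wp-content/uploads/logo.png": "PNG",
        "wp-content/uploads/x7f3.php": "<?php eval(base64_decode('" + "QUJD" * 60 + "'));",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_docroot(site))
```

A rule that forces HTTPS on your own domain also matches the redirect pattern, so compare the target host with your own before treating a hit as malicious.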
Hosting logs
Access logs and error logs can help you identify suspicious requests. Look for:
- Repeated login attempts from the same IP address.
- Requests to uncommon PHP files in upload folders.
- POST requests to admin pages at unusual times.
- Access to paths that should not exist on a normal site.
- 500 errors following file changes or suspicious activity.
If your hosting platform keeps logs in the control panel, review the time period around the first signs of trouble. Correlate unusual traffic with file changes or new user accounts.
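The following triage script is an added example, not part of the original guide. It applies the checks above to access-log lines in combined log format; the WordPress paths, working hours, login threshold, and sample log lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOAD_PHP_RE = re.compile(r"/(uploads|cache|tmp)/[^?]*\.php(\?|$)", re.I)
# Assumptions for this sketch: a WordPress site, admins active 07:00-19:59 in the
# log's time zone, and five login POSTs per IP in the reviewed window as "repeated".
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
ADMIN_PREFIX = "/wp-admin/"
WORK_HOURS = range(7, 20)
LOGIN_THRESHOLD = 5

def triage(lines):
    """Group suspicious requests by the checks in the log-review list."""
    logins = Counter()
    report = {"upload_php": [], "offhours_admin_posts": [], "errors_500": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined log format
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"]
        hour = int(ts.split(":")[1])  # "12/Mar/2024:02:14:00 +0000" -> 2
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            logins[ip] += 1
        if UPLOAD_PHP_RE.search(path):
            report["upload_php"].append((ip, path))
        if method == "POST" and path.startswith(ADMIN_PREFIX) and hour not in WORK_HOURS:
            report["offhours_admin_posts"].append((ip, ts, path))
        if m["status"] == "500":
            report["errors_500"].append((ts, path))
    report["bruteforce_ips"] = sorted(ip for ip, n in logins.items() if n >= LOGIN_THRESHOLD)
    return report

# Constructed sample lines: documentation-range IPs and invented file names.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:02:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1532'
    for s in range(6)
] + [
    '198.51.100.23 - - [12/Mar/2024:03:01:10 +0000] "GET /wp-content/uploads/2024/x7f3.php?c=1 HTTP/1.1" 200 12',
    '198.51.100.23 - - [12/Mar/2024:03:02:44 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 200 58',
    '192.0.2.10 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [12/Mar/2024:10:31:05 +0000] "GET /index.php HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The timestamps in each finding are what you line up against file modification times and new user accounts.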
Databases
Many compromises involve database injection rather than just file changes. Check for:
- Unexpected links added to posts, widgets, or footer content.
- Spam text inserted into pages or product descriptions.
- New administrator email addresses or reset URLs.
- Suspicious records in options tables or configuration tables.
If you are using a managed hosting platform with phpMyAdmin or another database tool, compare current content with a known-good backup. A small hidden change in the database can produce visible spam without altering website files.
Email accounts and mail forwarding
Check whether any mailbox rules, forwarding addresses, autoresponders, or filters were added without permission. Attackers sometimes use compromised hosting credentials to create mail forwarding rules that capture password resets and other sensitive messages.
Technical indicators of a hacked website
Some signs are less visible to visitors but are useful for diagnosing the issue. These indicators matter especially in a shared hosting environment where multiple site components can be affected.
Modified core files
Core CMS files should normally match the official version. If files such as configuration, bootstrap, or load files are changed, they may contain backdoors or malicious includes. Replacing core files from a clean source is often safer than trying to manually remove every suspicious line.
Unknown PHP files in writable directories
Attackers often place web shells or loader scripts in directories that allow uploads. Common hiding spots include image folders, cache folders, and old backup directories. Any executable file in a location meant for static content deserves review.
Suspicious external references
Check source code for scripts loading from unknown domains, especially if those domains use random names or are unrelated to your business. Malicious JavaScript may be used for redirects, credential theft, or injecting hidden links for SEO spam.
Unexpected cron jobs or scheduled tasks
In a hosting control panel, verify scheduled tasks. A malicious cron job can re-infect files, send spam, or restore backdoors after cleanup. If a site keeps getting reinfected after you remove malware, a scheduled task or hidden script may be the cause.
Changed permissions
Overly permissive file permissions can make infection easier. On shared hosting, files that should be read-only may have write permissions open to the wrong users or groups. Review permissions for configuration files, executable scripts, and upload directories.
How to check whether the site content was altered
For small business websites, the most common issue is content manipulation. Use a systematic review rather than checking only the homepage.
Review the homepage and key landing pages
- Open the site in a private browser window.
- Check the visible content and source code.
- Compare the live page with the expected design and text.
- Look for hidden links, unusual font styles, or tiny injected sections.
Check titles, meta descriptions, and headings
SEO spam often changes page titles, meta tags, and headings. Search results may start showing foreign text, casino terms, or unrelated keywords. This can happen even if the visible page looks normal.
Inspect menus, widgets, and footer areas
Attackers often hide links in menus or footers because these sections appear on many pages. A single malicious link site-wide can damage trust and indexing.
Search for unusual words across the site
If your CMS and hosting tools allow it, search site files and database content for suspicious terms such as random strings, pharma keywords, adult terms, or repeated external domains. Large-scale injections often follow a pattern.
How to tell if the compromise is active or historical
Not every suspicious file means the site is currently under attack. Some issues are old leftovers from a previous incident or an outdated plugin vulnerability. The difference matters because an active compromise needs immediate containment.
Signs of an active compromise
- New malicious files continue to appear after deletion.
- Redirects happen only sometimes or only for search engines and mobile users.
- Unknown login attempts continue in the logs.
- Spam emails are still being sent.
- The site keeps changing after cleanup.
Signs of a historical compromise
- The suspicious file is old and no longer executed.
- No further unauthorized logins are visible.
- Backups show the problem started at a specific date in the past.
- The current site is clean after restoring from a known-good backup.
If you are not sure, treat the situation as active until you confirm otherwise.
Practical steps to verify a suspected hack
Use the following checklist to confirm whether the site has been hacked and to limit further damage.
1. Save a copy of the current state
Before making changes, download suspicious files and export relevant logs if possible. This helps with comparison and later analysis. Keep the copies separate from the live site.
2. Change passwords immediately
Update passwords for:
- Hosting control panel access
- CMS administrator accounts
- Database users
- FTP/SFTP accounts
- Email mailboxes connected to the domain
Use strong, unique passwords. If available, enable two-factor authentication for the control panel and CMS.
3. Check recent file changes
Review files modified shortly before the incident. Focus on PHP files, configuration files, and anything in upload folders. Compare suspicious files with clean versions from a backup or official package.
4. Review installed extensions, plugins, and themes
Outdated or untrusted extensions are common entry points. Remove anything unused, abandoned, or installed from an unknown source. Update all remaining components to supported versions.
5. Scan for malware
Use your hosting platform’s malware scanner if available, or run a reputable scanner from the CMS or a security tool. A scan may detect known patterns, but manual review is still necessary because some malware is customized to avoid detection.
6. Restore from a clean backup if needed
If the infection is widespread, restoring a backup from before the compromise may be the fastest safe option. Make sure the backup is truly clean and does not already contain the malicious code. After restoration, apply updates and change credentials again.
7. Remove persistence mechanisms
Check for cron jobs, scheduled tasks, extra admin accounts, unknown forwarding rules, and modified configuration files. If you only delete visible malware without removing persistence, the site may be reinfected.
How small business websites get hacked
Understanding the most common entry points helps you confirm the likely source of the issue. On shared hosting, attacks often target weak or outdated parts of the site rather than the hosting infrastructure itself.
Weak or reused passwords
Reused passwords across hosting, CMS, email, and admin panels make credential stuffing attacks much easier. If one service is breached elsewhere, attackers may try the same password on your website.
Outdated CMS, plugins, or themes
Older software often contains known vulnerabilities. Attackers scan the web for sites running outdated versions and exploit them automatically.
Compromised third-party code
Extensions, widgets, chat tools, analytics snippets, and payment plugins can introduce risk if they are not maintained. Even trusted vendors can have vulnerabilities that need patching.
Insecure file uploads
If your site accepts uploads, attackers may try to upload executable files or hidden scripts. Upload validation and strict permissions are essential, especially on shared hosting.
Phishing or stolen credentials
An attacker does not always need a software exploit. If they obtain login details through phishing, they can modify files, create accounts, or set forwarding rules directly in the control panel.
What to do after confirming the site was hacked
Once you confirm a hack, move from detection to cleanup and prevention.
- Put the site into maintenance mode if needed.
- Notify internal stakeholders and, if relevant, your hosting provider’s support team.
- Replace suspicious files with clean versions.
- Remove unauthorized users, filters, forwarding rules, and scheduled tasks.
- Update all software and extensions.
- Review the access logs for the initial entry point.
- Ask search engines to re-evaluate the site after cleanup if security warnings were triggered.
If your site processes customer data, also consider your legal and privacy obligations under applicable EU rules, especially if personal data may have been exposed. Keep a record of what happened, what was changed, and when cleanup took place.
How to reduce the risk of future hacks
After recovery, apply layered protection rather than relying on a single tool.
- Keep CMS core, plugins, themes, and server-side packages updated.
- Use unique passwords and two-factor authentication where available.
- Limit admin access to only the people who need it.
- Use SFTP or SSH instead of plain FTP when possible.
- Review file permissions and disable unnecessary write access.
- Keep regular offsite backups and test restoring them.
- Monitor logs for repeated login failures or unusual requests.
- Remove unused plugins, themes, and old backups from the live hosting account.
For small business sites on shared hosting, routine maintenance is often the best defense. A simple monthly review of updates, users, logs, and backups can prevent many common attacks from becoming serious incidents.
FAQ
Can a hacked website look normal to visitors?
Yes. Many compromises are hidden in source code, database content, redirects, or background processes. The homepage may appear normal while malware runs invisibly or only affects certain users.
Does a security warning always mean the website is hacked?
Not always, but it should be treated seriously. Warnings can result from malware, phishing content, injected scripts, or a reputation issue. Check files, logs, and recent changes to confirm the cause.
Should I delete suspicious files right away?
Only after saving a copy for review. If you remove evidence too quickly, it becomes harder to identify how the site was compromised and whether other hidden changes exist.
What if the hack keeps coming back?
That usually means one of three things: a password is still compromised, a backdoor remains in the files or database, or a scheduled task is restoring the infection. Review all three areas carefully.
Can my hosting account be affected even if only one site is hacked?
Yes. If multiple sites share the same control panel login, passwords, or file structure, a compromise in one site can spread to others. Check all domains and mail accounts under the same hosting account.
Conclusion
The most reliable way to tell if your website has been hacked is to combine visual checks, file inspection, log review, and database verification. On shared hosting, the signs may appear in redirects, altered content, suspicious PHP files, unexpected admin users, or unusual mail activity. If anything looks wrong, act quickly: secure accounts, isolate the issue, compare against clean backups, and remove all persistence mechanisms before returning the site to normal operation.
For a small business website, early detection and disciplined cleanup are usually enough to limit damage and restore trust. Regular updates, strong authentication, and backups remain the best long-term protection.