How to Confirm if Your Website Has Been Hacked
Google Search Console / Security Issues:
If you have your website registered, this interface will provide feedback if a security breach has been detected by Google. You’ll find details in the “Security Issues” menu item, plus Google help files will guide you on ways to protect your site. Just be aware that this alert probably means the hack or infection is probably anything from 1 day to 2 months old and it will be impossible to pinpoint a clean date from this alert.
Google Search Console / Fetch and Render:
This process allows you to render a page in your website and compare how your users see your website against how Google sees your website. Hacked websites often don’t appear to be hacked when viewed in your browser, but Google may see the hack via a change in code or even be directed to an entirely different website that you don’t otherwise see. If the Googlebot version shows a different website, then it’s extremely likely this is because of a hack. If it appears with different content but looks similar, then you will need to examine the differences carefully to confirm if the difference is because of a hack. Ideally, there is not difference. Find the Fetch and Render function in the “Fetch as Google” menu item in the “Crawl” section of Google Search Console.
Google search results page:
Google will report if a site has been hacked so that users have an informed choice as to whether they still want to access the website. Not all hacked websites will do harm to the user’s computer or other device or steal their data. Many hacks have no effect on users at all. Some hacks are designed to place a virus into the user’s computer to steal information or perform other tasks for the hacker. Once Google has signalled that a site has been hacked, there is a manual process to follow to have the label removed. You will need to ensure that hack has been resolved to Google’s satisfaction first, and removal of the label may take weeks for review manually by a Google team member.
Perform a site: search in Google:
Using the site: command in Google search you can bring up all of the pages in your website that Google currently has cached. If pages appear there that definitely don’t belong in your website, then your site may have been hacked even if Google hasn’t classified it as such. To perform a site search simply search: “site:www.yourwebsite.com” in the Google search box. Navigate through all results and examine each result to check they are valid pages. Seeing odd characters, content referring to gambling, drugs or foreign languages that don’t belong on your site are often easy-to-spot signs of hacking.
Checking Indexed Pages in Google Search Console:
The approximate number of pages in your website should be fairly well known to you. If you spot a sudden increase in indexed pages but haven’t added any new pages, then investigate further. Also investigate sudden drops in indexed pages too, because this could be a sign of pages in your website being removed from Google search because of malicious content or damage causing loss of the page. You’ll find this tool in the “Index Status” menu of the “Google Index” section in Google Search Console.
Use FTP to perform a manual investigation of your files:
It’s hard to know exactly what you are looking for when using FTP to access your files, but a web developer familiar with your CMS should be able to help out. Often hackers will use software to inject files into your website. These files can be used to either show new pages or execute other malicious functions. In a lot of cases it may be impossible to detect all of the malicious content and remove it so a re-build of the file system may be required. This might involve having to rebuild the entire website. Some malicious files can be detected by downloading the file system to a computer and running an anti-virus program on them.
Database infections and hacks:
An issue in your database might make a website rebuild essential. There can be thousands of data tables in a database with little ability to identify exactly where the issues are and remove them. Even experienced developers can find this difficult or impossible to resolve without discarding the database and starting again. You’ll need an experienced developer to make an assessment.