A “black box” is a technical term that is used to describe devices, systems, or objects where you can observe the input and output but don’t really know what is going on behind the scenes.
Websites are a good example of a black box in that we often only know what goes in and comes out but not what code is running or why. (Between the core website software, plugins, and third-party scripts, a lot of the time there is just too much code running to know what all of it is doing.)
That is part of the reason why it is sometimes hard to tell, for example, whether your site has been hacked or it is acting strange for some other reason.
It doesn’t matter how big or small your site is, hackers are still going to try to get in and cause havoc. Some will do it for kicks, while others are getting paid to either attack your visitors or send them to another site.
Here’s a list of 8 ways you can tell that your site might have been hacked.
Edit: This post is also available in the form of an infographic.
1. The site has text, images, or links that you didn’t insert.
One of the more common reasons that sites get hacked is so that the hacker can add a link to some other illicit site in the hopes that people will click the link and visit that other site.
And sometimes a hacker will break into a site to leave their mark just to show they could, which is why strange content appearing on your site is often a sign that it has been hacked.
On the other hand, you might have accidentally uploaded something and forgotten it, or accidentally inserted the wrong image or link (been there, done that, got the t-shirt).
2. Chrome and other web browsers are telling your visitors your site has been hacked.
Most web browsers will now warn users when they try to visit a site that was hacked and infected with malware or other dangerous content.
Chrome will even block users from visiting and instead show them a red splash screen with a warning that it’s not safe to visit a site because of malware, phishing, or other issues.
On the other hand, sometimes web browsers jump to the wrong conclusion. There might be nothing wrong with your site, and you will need to confirm the issue exists.
3. Your hosting company takes your site offline because they found malicious code.
Many website hosting companies have their own security software running on their servers, watching all of the sites on the servers. If those automated systems report that your site has been hacked, some hosting companies will immediately take your site offline and then send you an email.
They might even take the extreme measure of deleting your site to keep the malware off their servers, but that is rare. (If it happens to you, you should switch to another hosting company.)
On rare occasion the hosting company might be trying to get you to pay for a security option you don’t need, or they might have made a mistake. This is very unlikely, however.
4. The site now automatically redirects to another website.
Sometimes hackers will insert a tiny bit of code that forces all visitors to immediately leave your site and go to another site where they might be attacked by malware, harassed with ads for Viagra, or tricked into providing their credit card info.
I just helped a friend fix her site after someone hacked it and redirected all visitors to a (deleted) page on Facebook. We never did find out why the hacker did that, but we were able to fix the site.
On the other hand, a tech at your hosting company may have changed a setting by accident. This is unlikely, however.
5. An online site-scanning tool finds malware on your site.
Web security companies like Sucuri and Comodo offer free online scanning tools that will look at your site and tell you if it has been hacked. You just have to provide your domain and click the scan button, and these tools will check for any external sign that your site has been hacked.
Note: I would recommend against googling for security scanners because the search results will include scammers who will lie to you and say you’ve been hacked just to get you to pay them to clean up your site.
On the other hand, these online scanning tools do sometimes return false positives. This is unlikely, however.
6. Google Search Console warns that your site has been hacked.
Google Search Console (formerly Google Webmaster Tools) is a free service that Google provides to website owners. Sign up for an account and it can tell you how many people find your site through Google’s search engine, what words they used, etc.
One of Google Search Console’s other features is that it keeps track of sites that have been hacked. If your site gets hacked, you will get an email from GSC with the bad news.
You need to take that email seriously, because if Google thinks your site has been hacked they will remove your site from its search results.
7. Your site suddenly has new admin user accounts doing who knows what.
If they can get in undetected, hackers will sometimes set up admin accounts so they can have complete access to your site. They might even delete your account or otherwise lock you out of the site.
If you find a strange admin account, and you are sure you didn’t authorize it, you should get expert help right away.
On the other hand, some of those mysterious accounts might belong to your web designer, or the techie who helped you with the site ages ago, or one might have been added by your hosting company so they could help you solve a problem.
8. Visitors complain that their antivirus or firewall software is flagging your site.
Sometimes the first clue that your site has been hacked comes from a visitor whose antivirus caught your site trying to infect the visitor’s computer with malware or trying to force the visitor’s web browser to go to another site.
On the other hand, sometimes the antivirus will jump to the wrong conclusion and report a false positive. This is unlikely, however.
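A self-check for signs 1 and 4 above, as an added example that is not from the original post: it parses a saved copy of a page and lists links, frames, scripts, meta refreshes, and simple script redirects that point to hosts you did not approve. The `scan` function, the host names, and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns only; obfuscated scripts will not match.
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
URL_ATTRS = {"a": "href", "script": "src", "iframe": "src"}

class OffsiteScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []        # (kind, url) in document order
        self.in_script = False

    def check(self, kind, url):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in self.allowed:  # relative URLs have no host
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            for url in META_URL.findall(a.get("content", "")):
                self.check("meta-refresh", url)
        elif tag in URL_ATTRS and URL_ATTRS[tag] in a:
            self.check(tag, a[URL_ATTRS[tag]])

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        for m in JS_REDIRECT.finditer(data if self.in_script else ""):
            self.check("js-redirect", m.group(1) or m.group(2))

def scan(html, allowed_hosts):
    scanner = OffsiteScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for a site served from www.example.com.
SAMPLE = """<meta http-equiv="refresh" content="0; url=https://pills.invalid/buy">
<script src="/js/theme.js"></script>
<script>window.location.href = "https://landing.invalid/?r=1";</script>
<a href="/about">About</a> <a href="https://www.example.com/contact">Contact</a>
<a href="https://casino.invalid/">best odds</a>
<iframe src="//ads.invalid/frame"></iframe>"""
```

It only sees the HTML you give it, so a redirect issued by the server itself, or one shown only to some visitors, will not appear here.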
O O O
Fixing a site after it was hacked can be incredibly frustrating and difficult. This is why I recommend that you hire experts to clean up your website.
If I were tasked with cleaning up a hacked site, the first thing I would do is hire Sucuri to fix the immediate problem, and then after they undid the damage caused by the hacker I would go in and secure the site by adding a firewall, making sure that passwords were secure, removing any plugins that were no longer required, etc.
But the best time to secure a site is before it gets hacked. If you would like to secure your site, here is a PDF with 15 steps you can take.
Please let me know if you need help.