    How to Check If Your Website Has Been Hacked (Free Tools Inside)

    By: Irina Shvaya | June 6, 2026
    Something feels off with your website. Maybe traffic dropped overnight, visitors are complaining about weird redirects, or Google just slapped a “This site may be compromised” warning on your search listing. The question burning in your mind: is my website hacked? You need answers fast — and you need them before the damage spreads. The good news is that you don’t need expensive software or a cybersecurity degree to run an initial website hack detection scan. In this guide, we walk you through exactly how to check if your website is hacked using free tools and manual checks you can run right now.

    Key Takeaways
    • Use free external scanners like Sucuri SiteCheck and VirusTotal for a quick first pass.
    • Check Google Safe Browsing status and Google Search Console for security alerts.
    • Manually inspect your .htaccess file, JavaScript files, and FTP directories for injected code.
    • Search Google for pharma or casino spam pages indexed under your domain.
    • If you find signs of compromise, act immediately — every hour counts.

    Why Speed Matters When Detecting a Website Hack

    A hacked website isn’t just an inconvenience. According to Google, over 10,000 websites are blocklisted every day for malware and phishing. Once your site lands on that list, you lose organic traffic, customer trust, and potentially revenue. The longer malware sits on your site, the deeper it embeds. Attackers install backdoors, inject SEO spam, and harvest visitor data. Early website hack detection is the difference between a quick cleanup and a full site rebuild. If you’ve already noticed warning signs that your WordPress site is hacked, these checks will help you confirm and locate the problem.

    Step 1: Check Google Safe Browsing Status

    Google maintains a massive database of unsafe websites. Here’s how to check if your site is flagged:
    1. Go to Google’s Transparency Report
    2. Enter your full domain URL
    3. Review the site status
    If Google flags your site, it means they’ve already detected malware, phishing pages, or unwanted software. This is a definitive signal that your site has been compromised.

    Bonus check: Type site:yourdomain.com into Google Search and scan the results. Look for pages you didn’t create — especially ones with titles containing pharmacy keywords, casino names, or products you don’t sell. This is a classic sign of SEO spam injection, where hackers create hundreds of hidden pages on your domain to hijack your search authority.

    Step 2: Run a Sucuri SiteCheck Scan

    Sucuri SiteCheck is one of the most reliable free website hack detection tools available. Here’s how to use it:
    1. Visit sitecheck.sucuri.net
    2. Enter your website URL
    3. Click Scan Website
    Sucuri checks for:
    • Malware — malicious code embedded in your pages
    • Blocklist status — whether security vendors have flagged your site
    • Injected spam — hidden links or content added by attackers
    • Outdated software — CMS or plugin versions with known vulnerabilities
    • Website errors — server-side issues that could indicate tampering
    Review every tab of the results carefully. Even a “low” risk finding deserves investigation. Sucuri’s scanner checks the front-end of your site, so it may miss deeply embedded server-side malware — but it’s an excellent first step.

    Step 3: Scan with VirusTotal

    VirusTotal aggregates results from over 70 antivirus engines and URL scanners. It gives you the broadest possible perspective on whether your site is flagged.
    1. Go to virustotal.com
    2. Click the URL tab
    3. Paste your website address and hit Enter
    VirusTotal will show you which security vendors (if any) have detected something malicious on your domain. If even one or two vendors flag your site, take it seriously — investigate further before dismissing it as a false positive.

    Step 4: Review Google Search Console Security Issues

    If you have Google Search Console set up (and you should), it’s one of the most authoritative sources for website hack detection.
    1. Log in to Google Search Console
    2. Select your property
    3. Navigate to Security & Manual Actions → Security Issues
    Google will tell you exactly what they’ve found:
    • Hacked content — pages that were added or modified without your consent
    • Malware or unwanted software — code that harms visitors
    • Social engineering — phishing pages or deceptive content
    • Deceptive pages — pages impersonating trusted entities
    Google Search Console also lets you request a review after you’ve cleaned up the issue, which is critical for getting any search warnings removed. If you don’t have Search Console connected, that’s something we set up as part of every web design & maintenance project at eSEOspace.

    Step 5: Check for Unfamiliar Files via FTP or File Manager

    External scanners catch a lot, but some hacks hide on the server side where scanners can’t reach. It’s time to look under the hood. Connect to your site via FTP (using FileZilla, Cyberduck, or your hosting file manager) and check for:
    • Files you don’t recognize — especially PHP files in your root directory, wp-includes, or wp-content/uploads. Hackers often upload files with names like wp-config-backup.php, db-cache.php, or random strings like x7hd9.php.
    • Recently modified files — sort by modification date. If core files were changed on a date you didn’t deploy updates, that’s a red flag.
    • Files in upload directories — the wp-content/uploads/ folder should contain images and media files, not .php files. Any PHP file here is suspicious.

    What to Look For

        /wp-content/uploads/2025/malicious-file.php   ← Suspicious
        /wp-includes/class-wp-backdoor.php            ← Suspicious
        /index-old.php                                ← Suspicious

    If you find files you didn’t create, do not delete them yet. Document everything first. You’ll need this information during the malware removal process.
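If you have a local copy of the site (or shell access), the Step 5 checks can be run as a read-only inventory. The script below is an added example, not part of the original article; the extension list and the 7-day window are assumptions to adjust for your host and deploy schedule.

```python
import os
import time

# Assumption: extensions a typical PHP host will execute.
EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}
UPLOADS = os.path.join("wp-content", "uploads")

def audit_webroot(root, days=7, now=None):
    """Return sorted (relative_path, reason) findings for a WordPress root.

    Read-only: nothing is deleted or changed, so the output can go
    straight into your incident notes.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = rel_dir == UPLOADS or rel_dir.startswith(UPLOADS + os.sep)
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            if in_uploads and ext in EXEC_EXT:
                # Uploads should hold media only, whatever the file's age.
                findings.append((rel, "executable file in uploads"))
            elif ext in EXEC_EXT and os.path.getmtime(full) >= cutoff:
                # Compare against the dates you actually deployed updates.
                findings.append((rel, "PHP file modified in last %d days" % days))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, reason in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

Modification times can be reset by an attacker, so an empty "recently modified" list does not clear a site on its own.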

    Step 6: Inspect Your .htaccess File for Injections

    The .htaccess file is a favorite target for hackers because it controls how your server handles requests. A compromised .htaccess can redirect your visitors to malicious sites — often without you ever noticing because the redirects only trigger for search engine visitors, not direct traffic. Open your .htaccess file (located in your site’s root directory) and look for:
    • Unfamiliar RewriteRule directives — especially ones redirecting to external domains
    • Base64 encoded strings — long blocks of random characters are almost always malicious
    • Conditional redirects — rules that check HTTP_REFERER for Google, Bing, or Yahoo and redirect only search traffic
    • eval() or base64_decode() calls — these should never appear in .htaccess
    A clean WordPress .htaccess file is short and simple. If yours is full of code you don’t recognize, that’s a strong indicator of compromise.

    Example of a malicious .htaccess injection:

        RewriteCond %{HTTP_REFERER} .*google.* [OR]
        RewriteCond %{HTTP_REFERER} .*bing.*
        RewriteRule ^(.*)$ http://malicious-domain.com/redirect [R=302,L]

    This type of redirect specifically targets visitors coming from search engines — which is why you might not notice it when typing your URL directly into the browser.
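The Step 6 checklist can be applied mechanically to a downloaded copy of .htaccess. The checker below is an added example, not part of the original article; `audit_htaccess`, the `own_hosts` parameter and the 60-character base64 threshold are assumptions made for this sketch.

```python
import re
from urllib.parse import urlparse

SEARCH_REFERER = re.compile(r"google|bing|yahoo", re.I)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # assumed threshold: 60 chars
PHP_CALL = re.compile(r"\b(?:eval|base64_decode)\s*\(", re.I)

# The injected rules quoted in the article above.
PAGE_EXAMPLE = """\
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://malicious-domain.com/redirect [R=302,L]
"""

def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) findings; own_hosts are the site's own domains."""
    own = {h.lower() for h in own_hosts}
    findings, referer_cond = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if LONG_B64.search(raw):
            findings.append((no, "long base64-like string"))
        if PHP_CALL.search(raw):
            findings.append((no, "eval()/base64_decode() call"))
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if "HTTP_REFERER" in parts[1].upper() and SEARCH_REFERER.search(parts[2]):
                referer_cond = no
        elif directive == "rewriterule":
            target = parts[2] if len(parts) >= 3 else ""
            host = urlparse(target).hostname if "://" in target else None
            if host and host.lower() not in own:
                reason = "redirect to external host " + host
                if referer_cond:
                    reason += ", search-engine referers only (condition on line %d)" % referer_cond
                findings.append((no, reason))
            referer_cond = None  # conditions bind to the next RewriteRule only
    return findings

if __name__ == "__main__":
    for no, reason in audit_htaccess(PAGE_EXAMPLE, {"yourdomain.com"}):
        print(f"line {no}: {reason}")
```

Pass every domain the site legitimately redirects to (for example the www and non-www forms) in `own_hosts`, otherwise a normal canonical redirect is reported as external.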

    Step 7: Scan for Malicious JavaScript

    Hackers frequently inject malicious JavaScript into your site’s theme files, plugin files, or directly into the database. This code can steal visitor information, redirect traffic, or mine cryptocurrency using your visitors’ browsers. Here’s how to check:
    1. View page source — Right-click on your site and select “View Page Source.” Search (Ctrl+F) for <script tags you don’t recognize, especially ones loading external scripts from unfamiliar domains.
    2. Check your theme’s php and footer.php — These are common injection points. Look for obfuscated code or scripts loading from third-party domains.
    3. Search for obfuscated code — Look for eval(, fromCharCode(, atob(, or document.write( combined with long encoded strings. Legitimate plugins rarely use heavy obfuscation.

    Red Flags in JavaScript

    • Scripts loading from domains you didn’t add
    • Obfuscated code blocks with random variable names
    • Hidden iframes (<iframe style="display:none")
    • Code injected before the closing </body> tag that you didn’t place
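The red flags above can be checked against saved page source (View Page Source, then save to a file). This scanner is an added example, not part of the original article; `audit_page`, the host allowlist and the 80-character "long encoded string" threshold are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers named in the article; they count only next to a long encoded run.
OBFUSCATION = re.compile(r"eval\(|fromCharCode\(|atob\(|document\.write\(")
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=%\\]{80,}")  # assumed threshold: 80 chars

class PageAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []      # (line, reason)
        self._script = None     # [start_line, text chunks] while inside <script>

    def handle_starttag(self, tag, attrs):
        a, line = dict(attrs), self.getpos()[0]
        if tag == "script":
            self._script = [line, []]
            # Relative src values have no hostname and are treated as first-party.
            host = urlparse(a.get("src") or "").hostname
            if host and host.lower() not in self.allowed:
                self.findings.append((line, "script from unlisted host " + host))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                self.findings.append((line, "hidden iframe"))

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            line, body = self._script[0], "".join(self._script[1])
            self._script = None
            if OBFUSCATION.search(body) and ENCODED_RUN.search(body):
                self.findings.append((line, "obfuscated inline script"))

def audit_page(html, allowed_hosts):
    """Return (line, reason) findings for saved page source."""
    parser = PageAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Fetch the page a second time with a search-engine referer or user agent and compare the findings, since injected scripts are often served only to that traffic.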

    Step 8: Check Google Search Results for Spam Pages

    This is one of the most revealing checks you can perform, and it takes 30 seconds. Open Google and search:

        site:yourdomain.com viagra OR casino OR payday OR cheap

    If you see results with spammy titles about pharmaceuticals, gambling, payday loans, or counterfeit goods — your site has been hit with a Japanese keyword hack or similar SEO spam attack. These pages are invisible to you when browsing normally but fully indexed by Google.

    Also try:

        site:yourdomain.com inurl:/wp-content/ filetype:php

    This surfaces PHP files in locations where they normally shouldn’t exist, potentially revealing uploaded backdoors or spam page generators.

    What to Do If You Confirm Your Website Is Hacked

    If any of these checks come back positive, here’s your immediate action plan:
    1. Don’t panic, but act fast. Every hour matters.
    2. Document everything — screenshot scan results, note suspicious files, save copies of injected code.
    3. Change all passwords — WordPress admin, FTP, database, hosting control panel. Do this from a clean device.
    4. Contact your hosting provider — they may be able to provide server logs and additional support.
    5. Begin the cleanup process — follow our step-by-step guide on how to remove malware from your website.
    6. Get professional help if needed — a thorough cleanup includes checking for backdoors, hardening security, and requesting Google review.
    For a comprehensive understanding of website security, our complete website security guide covers everything from prevention to recovery.

    Free Website Hack Detection Tools — Quick Reference

    Tool | What It Checks | Best For
    Google Safe Browsing | Blocklist status | Confirming Google has flagged your site
    Sucuri SiteCheck | Malware, blocklists, outdated CMS | Comprehensive front-end scan
    VirusTotal | 70+ antivirus engine results | Cross-referencing multiple security vendors
    Google Search Console | Security issues, hacked content | Authoritative alerts with specific details
    FTP / File Manager | Server-side files | Finding uploaded backdoors and shells
    Google site: search | Indexed spam pages | Detecting SEO spam injection

    Frequently Asked Questions

    How do I know if my website has been hacked?

    The fastest way to check if your website is hacked is to run it through free scanners like Sucuri SiteCheck and VirusTotal, then check Google Search Console for security alerts. Common visible signs include unexpected redirects, new pages or users you didn’t create, a Google “This site may be compromised” warning, and a sudden drop in search traffic.

    Can a hacked website affect my SEO rankings?

    Absolutely. Google may blocklist your site, remove pages from search results, or display security warnings that drive visitors away. SEO spam injections can also dilute your site’s topical authority by flooding your index with hundreds of irrelevant spam pages. The longer a hack goes unaddressed, the harder it is to recover your rankings.

    Are free website security scanners accurate?

    Free scanners like Sucuri SiteCheck and VirusTotal are effective for detecting front-end malware, blocklist flags, and known threats. However, they can’t scan your server-side files or database directly. For a thorough assessment, combine free scanner results with manual server checks and a professional security audit.

    How often should I scan my website for malware?

    We recommend scanning your website at least once a week using an automated tool and running manual checks monthly. High-traffic sites or ecommerce stores should consider daily automated scanning. Regular scanning catches issues early — before they impact your visitors, your reputation, or your search rankings.