Most compromised websites do not go offline. They keep running. The problem is quiet, often for weeks or months, while the site redirects visitors, serves spam pages, or runs code that has nothing to do with your business.
Business owners usually notice something is wrong before they know what it is. A customer mentions a strange redirect. Google flags the site. The hosting company sends a warning. Here are the seven most common signs, and what each one tends to indicate.
1. Unexpected Redirects
Visitors landing on your site are being sent somewhere else, a pharmacy site, a gambling page, a foreign-language storefront. This is one of the most visible symptoms of a compromise. The redirect code is usually injected into core files or the database and often targets visitors coming from search engines while leaving direct traffic unaffected, which is why site owners sometimes do not notice it themselves.
2. Google Safe Browsing Warnings
Google, Firefox, and Chrome display warning pages when a site has been flagged for malware or phishing. If visitors are seeing a red warning screen before reaching your site, Google has already detected and flagged the compromise. You can check your own status at Google’s Safe Browsing site status tool using your domain.
3. Unknown Admin Accounts
Log into your CMS admin panel and look at the user list. An account you do not recognize, especially one with administrator privileges, is a significant indicator of unauthorized access. Attackers create admin accounts to maintain access after the initial entry point has been closed.
4. Hosting Provider Alerts
Hosting companies monitor for malware, unusual resource usage, and outbound spam. An email from your host about suspicious activity, account suspension, or policy violations is a serious signal that requires immediate attention. Do not dismiss these as routine communications.
5. Spam or Unfamiliar Pages Appearing in Google
Search your site in Google using the query site:yourdomain.com and look at what comes up. If you see pages you did not create, often in other languages or about unrelated topics, those are doorway pages injected by an attacker to redirect search traffic. This is a common monetization method for compromised sites.
6. Unusual Server Resource Spikes
If your hosting dashboard shows CPU or bandwidth usage significantly higher than normal without a corresponding increase in legitimate traffic, something is consuming those resources. Compromised sites are frequently used to send spam, run scripts, or participate in attacks on other servers.
7. Files Changing Without Updates
If you have file monitoring in place and core files are showing modification timestamps that do not correspond to any update or maintenance activity, that is a direct indicator of unauthorized file changes. The index.php attack described in the first post of this series shows up exactly this way.
If You Are Seeing Two or More of These
Pause before making changes. The instinct is to restore immediately, but restoring without first understanding what happened and how can put you back in the same position within hours.
Document what you are seeing. Screenshot the symptoms. Note when you first noticed them. Then investigate the entry point before restoring. The steps for that are covered in Post 11 of this series.
If you are not sure where to start, a strategy session is a practical first step. One hour with full transcription means you leave with a clear picture of what happened and what to do next.
Need a plan? Book a one-hour strategy session and walk away with a clear direction for your website, security, or digital strategy. All sessions are recorded with full transcription. $250 — Book a Strategy Call
Want to get to know me first? Book a free 15-minute intro call. No pitch, just a conversation. Book a 15-Minute Call
Cybersecurity Series
- The Hack I Couldn’t Fix Between Matches
- The Same Tools Powering AI Are Being Used to Attack Your Website
- 7 Signs Your Website May Already Be Compromised
