Website Hacked? 7 Free Ways to Tell

cybersecurity training

Website hacked? Are you worried that it might be?

More importantly, would you even know if it is?

Are you a website hacking target?

You might think that your business is too small to be hacked.

Think again. You’ll be blown away by these stats, courtesy of a terrific article by Joey Song:

And what are they after? Your data. Websites are the gateway to customer data, patient data, and credit card data. These are tempting targets for cyber criminals.

Don’t believe it? Here’s more evidence:

In 2013, 44% of small businesses were hacked. It’s gone up since then. And dealing with a hack isn’t cheap:

Fox Business headline noting that cyber-attacks cost small businesses nearly $9,000, highlighting financial risks of website breaches.

If you’re in the UK, the news is even worse:

Graphic showing that 90% of large organizations and 74% of small businesses had a security breach—both rates up from 81% and 60%, respectively.

And

Graphic showing average cost of the worst security breach: £1.46 million–£3.14 million for large organisations and £75 k–£311 k for small businesses.

Why does a hack cost so much?

If your website is hacked, there’s a lot of things that you’re going to pay for out of pocket.

First, you’ll have to pay for rebuilding your site to erase the damage. This usually involves:

Password changes
Restoring from backup (if you have one)
Re-creating your whole website (if you don’t)
Investigations to figure out how they got in
Fixing the vulnerability

The team at WhatArmy has a great summary:

List of website breach cost components: developer repair expenses, admin communication time, investment in preventative services like new hosting, and IT hours spent investigating and resolving issues.

But that’s just the tip of the iceberg. If the hackers get to any of the DATA that sits behind your website, you’re going to be in a world of hurt.

Here’s a great graphic from the folks at BankTech.com that shows you the costs of a breach…

Table listing average data breach costs (2013): $5 per customer notification; $30 for card cancellation and credit monitoring; $2,000 hourly for forensic examination; $500,000 average legal defense; $1,000,000 average legal settlement; $1,000,000 maximum fines—totaling $5,403,644.

And that’s to say nothing about the soft costs. Having to notify your customers or patients is not just a hassle, but damages your reputation.

My website host is protecting me from hackers

Maybe you think your web hosting company will protect you? That they have everything in place to stop a website hack?

Sadly, this isn’t true. A simple search for popular web hosting services turns up lots of horror stories.

Here’s a bad one for GoDaddy, a popular hosting site, where Arun had his website hacked:

User review describing how four websites were lost due to insecure GoDaddy hosting, mentioning hacking, backup charges, and distrust after years of customer support issues.

A similar story for BlueHost, another popular choice for WordPress, where a website was hacked:

Laptop screen showing warning “My site was hacked. The site ahead contains malware,” illustrating a hacked or malware-infected website alert.

My point is not to beat up these vendors. Cyber security is hard.

It is NOT ENOUGH to assume that your website hosting company will protect you from hacking.

Website hacked? 6 Ways to Tell

Unfortunately, no big alarms will go off when hackers attack your website.

But if you pay attention, you can watch for signs of an attack.

Here are 6 free tools that will show you if your site has been hacked:

1) Monitoring for unusual changes.

The team at AtlanticBT recommend that you look for “strange content” showing up on your site if your website is hacked. Pages you didn’t write, links to weird websites, etc.

Text excerpt explaining that “strange content” such as links to Viagra, knock-off designer goods, and more—on pages you didn’t write—can indicate your site has been hacked and co-opted into a hacker’s network.

Want to get notified any time your site changes? Here’s a fantastic free tool.

Change Detection is a free service that been available for years. Enter the pages to monitor and the email address to alerts when pages change, and you’re good to go!

Screenshot of a “Monitor a page” alert form with fields for entering a page address and an email to send notifications, illustrating a solution for detecting unauthorized changes.

The site isn’t much to look at, but you can’t beat the price.

It also gives you a ton of options to configure that let you tailor the alert to just get the information that you want:

Screenshot of a change-detection alert setup form showing page address, title, alert frequency options (day/week/month), and filters to trigger alerts when text is added or removed—used to detect unauthorized website changes.

When one of your pages change (because your website was hacked or because of changes you make), you’ll get an email or RSS alert.

It not only tells you that the page changes, but it will tell you WHAT changes. So you can go back to your website team and check whether they actually made the change or not.

Screenshot of an automated "ChangeDetection" email alert stating that a monitored page has changed, with a link to see the details.

2) Monitoring for outages

During a website hack, your website might go down. Hackers might flood your website with so many fake visitors that it’s not available.

It’s super easy (and free!) to set up a robot that checks your website every few minutes to make sure it’s still alive.

We use a free service called StatusCake. They offer a free tier that confirms that your site is still alive every few minutes.

Once you create an account, you want to create a test.

Website monitoring dashboard showing “You Have No Tests Created!” message with a highlighted “Create a Test” button, prompting users to set up health or content checks.

Put in your desired name and your website address (don’t forget the http or https!):

Screenshot of the “Add Test” interface showing options to select test type (HTTP, TCP, DNS, SMTP, SSH, Ping, Push) and fields to enter test name and URL for monitoring website health.

You can leave everything else as the default, and then click “Save Now” at the bottom of the page.

Now you’ve got a little robot that’s visiting your site every 5 minutes or so. If your website is hacked and it’s down, the robot will send you an email.

Readers have also suggested www.websiteplanet.com/webtools/down-or-not/.

3) Google FTW!

Google’s Safe Browsing program does a wonderful (and free!) job of keeping track of websites that it knows are compromised.

If you’ve ever gotten a message like this when browsing the internet:

Browser warning screen stating “The site ahead contains harmful programs,” indicating that attackers on the site might attempt to trick users into installing harmful software or changing homepage settings.

That’s Google’s safe browsing program alerting you to a hacked website.

Now the cool thing is that you can check your site’s status on their blacklist as well. Here’s how to do it:

Step 1: go to https://www.google.com/webmasters/tools/ and enroll your site.

Step 2: log in, and in the left-hand menu click on “Security Issues.”

That’s it! If your website was hacked and is listed in the Safe Browsing Program, you’d see it here:

Screenshot of Google Search Console “Security Issues” panel stating no security issues detected, with advice to review resources for hacked sites and a note on cross-site malware warnings in the browser.

Have someone check this once a month or so to make sure that there aren’t any problems with your site.

4) Google FTW Part 2!

A few years back, Google bought a super cool service called Virus Total. Think of it as a giant database in the sky of every virus, Trojan, and compromised website that exists.

It’s incredibly easy to use. Enter your website, and click “Scan it”.

VirusTotal interface displaying a URL scan option: shows where you enter your site’s URL (e.g., https://adeliarisk.com) and click "Scan it!" to detect malware, trojans, or other threats.

In a matter of seconds, VirusTotal scans your website against 67 different virus scanners.

Here’s what it looks like:

VirusTotal scan results for adeliarisk.com showing detection ratio 0/67 and multiple URL scanners (e.g., BitDefender, Avira, AlienVault) reporting “Clean site,” indicating no malware detected.

Again, check this once every month or so to see if you have any issues.

5) Pay attention to your logs

Your website hosting company tracks everything on website in files called “logs.” They look something like this:

But what you want to find is a SUMMARY of the logs. They’ll look different at every hosting company, but they should look something like this:

Traffic dashboard showing visitor and bandwidth summary: graphs with 30-day average and total—292 average visitors, 8,760 total; 248 MB average bandwidth, 7.27 GB total.

Keep an eye on these. If you see a sudden spike in one or the other, it could mean that you have a hacked website. Or it could mean that one of your videos has gone viral!

Meme of an excited child writing furiously with the caption “This WILL go VIRAL,” humorously illustrating how quickly hacked content or SEO-spam can spread if unchecked.

Also, keep an eye on your error logs. A sudden spike in errors either means you’re under attack or there’s something wrong with your site. Error logs work different from every web hosting company, so reach out to them to find out how they work.

6) Site Scanner

The last free tool that you should try is “Sitecheck” by a company called Sucuri. It’s super easy to put in your website:

Sucuri SiteCheck “Free Website Malware and Security Scanner” interface showing input field for URL (e.g. adeliarisk.com) and “Scan Website!” button for checking malware, blacklist status, and outdated software.

And it will give you a result:

Screenshot of Sucuri SiteCheck results for adeliarisk.com: “No Malware Detected,” “Not Currently Blacklisted (10 Blacklists Checked),” with low-risk ratings for malware, blacklist, spam, and defacement, and medium risk for missing firewall.

Despite what the last result says, not every website needs a Website Firewall. If you host customer/patient data on your website, then you do. Or if you can’t afford for your website to ever be down, then you should definitely consider a website firewall.

Sucuri does a great job of removing malware from compromised sites if you do get attacked.

Sucuri also sells an automated service that monitors your site. If it finds a problem, it fixes it automatically.

Example browser malware warning saying “The site ahead contains malware,” paired with a section highlighting your site cleanup service—“We Clean and Repair Hacked Websites” for $24.99/month per site.

Conclusion

If you’re not watching your website for attacks, you’re playing a dangerous game of “chicken.”

You need to start paying attention to your site on a regular basis. If you don’t have time, ask a member of your team to do it.

Still feeling a bit overwhelmed?

Get some free help! Talk to an Adelia Risk cybersecurity consultant.

Talk to us!

Now it’s your turn. Have any other tips to share about monitoring your site from hacking? Any horror stories about your site being hacked? Leave them in the comments below.

If you liked this article, please share it!

insurance

Do You Need Cybersecurity Insurance?

It’s a good idea… We have a lot of conversations with our clients about cybersecurity insurance.

by Josh Ablett

email, phi

Is Zoho Email HIPAA Compliant?

Zoho Mail is a popular email platform that’s geared towards businesses. It offers a user-friendly minimalist

by Josh Ablett

nist-800-171, wifi

Access Control (AC) Guide for CMMC Level 2.0 Compliance

Navigating CMMC Level 2 compliance in Access Control (AC) is essential for Department of Defense (DoD)

by Josh Ablett