Website Hacked?  7 Free Ways to Tell

cybersecurity training

Website hacked?  Are you worried that it might be?

More importantly, would you even know if it is?

Are you a website hacking target? 

You might think that your business is too small to be hacked.

Think again.  You’ll be blown away by these stats, courtesy of a terrific article by Joey Song:website-hacked-71-percentwebsite-hacked-36000-dollars

And what are they after?  Your data.  Websites are the gateway to customer data, patient data, and credit card data.  These are tempting targets for cyber criminals.

Don’t believe it?  Here’s more evidence:

In 2013, 44% of small businesses were hacked.  It’s gone up since then.  And dealing with a hack isn’t cheap:

Fox Business headline noting that cyber-attacks cost small businesses nearly $9,000, highlighting financial risks of website breaches.

If you’re in the UK, the news is even worse:

Graphic showing that 90% of large organizations and 74% of small businesses had a security breach—both rates up from 81% and 60%, respectively.

And

Graphic showing average cost of the worst security breach: £1.46 million–£3.14 million for large organisations and £75 k–£311 k for small businesses.

Why does a hack cost so much?

If your website is hacked, there’s a lot of things that you’re going to pay for out of pocket.

First, you’ll have to pay for rebuilding your site to erase the damage.  This usually involves:

  • Password changes
  • Restoring from backup (if you have one)
  • Re-creating your whole website (if you don’t)
  • Investigations to figure out how they got in
  • Fixing the vulnerability

The team at WhatArmy has a great summary:

List of website breach cost components: developer repair expenses, admin communication time, investment in preventative services like new hosting, and IT hours spent investigating and resolving issues.

But that’s just the tip of the iceberg.  If the hackers get to any of the DATA that sits behind your website, you’re going to be in a world of hurt.

Here’s a great graphic from the folks at BankTech.com that shows you the costs of a breach…

Table listing average data breach costs (2013): $5 per customer notification; $30 for card cancellation and credit monitoring; $2,000 hourly for forensic examination; $500,000 average legal defense; $1,000,000 average legal settlement; $1,000,000 maximum fines—totaling $5,403,644.

And that’s to say nothing about the soft costs.  Having to notify your customers or patients is not just a hassle, but damages your reputation.

My website host is protecting me from hackers

Maybe you think your web hosting company will protect you?  That they have everything in place to stop a website hack?

Sadly, this isn’t true.  A simple search for popular web hosting services turns up lots of horror stories.

Here’s a bad one for GoDaddy, a popular hosting site, where Arun had his website hacked:

User review describing how four websites were lost due to insecure GoDaddy hosting, mentioning hacking, backup charges, and distrust after years of customer support issues.

A similar story for BlueHost, another popular choice for WordPress, where a website was hacked:

Laptop screen showing warning “My site was hacked. The site ahead contains malware,” illustrating a hacked or malware-infected website alert.

My point is not to beat up these vendors.  Cyber security is hard.

It is NOT ENOUGH to assume that your website hosting company will protect you from hacking.

Dr. Evil meme saying “So you ‘assume’… well, I guess that makes an ‘ass’ out of ‘u’ and ‘me’,” highlighting the danger of assumptions about website security.

Website hacked? 6 Ways to Tell

Unfortunately, no big alarms will go off when hackers attack your website.

But if you pay attention, you can watch for signs of an attack.

Here are 6 free tools that will show you if your site has been hacked:

1) Monitoring for unusual changes.

The team at AtlanticBT recommend that you look for “strange content” showing up on your site if your website is hacked.  Pages you didn’t write, links to weird websites, etc.

Text excerpt explaining that “strange content” such as links to Viagra, knock-off designer goods, and more—on pages you didn’t write—can indicate your site has been hacked and co-opted into a hacker’s network.

Want to get notified any time your site changes?  Here’s a fantastic free tool.

Change Detection is a free service that been available for years.  Enter the pages to monitor and the email address to alerts when pages change, and you’re good to go!

Screenshot of a “Monitor a page” alert form with fields for entering a page address and an email to send notifications, illustrating a solution for detecting unauthorized changes.

The site isn’t much to look at, but you can’t beat the price.

It also gives you a ton of options to configure that let you tailor the alert to just get the information that you want:

Screenshot of a change-detection alert setup form showing page address, title, alert frequency options (day/week/month), and filters to trigger alerts when text is added or removed—used to detect unauthorized website changes.

When one of your pages change (because your website was hacked or because of changes you make), you’ll get an email or RSS alert.

It not only tells you that the page changes, but it will tell you WHAT changes.  So you can go back to your website team and check whether they actually made the change or not.

Screenshot of an automated "ChangeDetection" email alert stating that a monitored page has changed, with a link to see the details.

2) Monitoring for outages

During a website hack, your website might go down.  Hackers might flood your website with so many fake visitors that it’s not available.

It’s super easy (and free!) to set up a robot that checks your website every few minutes to make sure it’s still alive.

We use a free service called StatusCake.  They offer a free tier that confirms that your site is still alive every few minutes.

Once you create an account, you want to create a test.

Website monitoring dashboard showing “You Have No Tests Created!” message with a highlighted “Create a Test” button, prompting users to set up health or content checks.

Put in your desired name and your website address (don’t forget the http or https!):

Screenshot of the “Add Test” interface showing options to select test type (HTTP, TCP, DNS, SMTP, SSH, Ping, Push) and fields to enter test name and URL for monitoring website health.

You can leave everything else as the default, and then click “Save Now” at the bottom of the page.

Now you’ve got a little robot that’s visiting your site every 5 minutes or so.  If your website is hacked and it’s down, the robot will send you an email.

Readers have also suggested www.websiteplanet.com/webtools/down-or-not/.

3) Google FTW!

Google’s Safe Browsing program does a wonderful (and free!) job of keeping track of websites that it knows are compromised.

If you’ve ever gotten a message like this when browsing the internet:

Browser warning screen stating “The site ahead contains harmful programs,” indicating that attackers on the site might attempt to trick users into installing harmful software or changing homepage settings.

That’s Google’s safe browsing program alerting you to a hacked website.

Now the cool thing is that you can check your site’s status on their blacklist as well.  Here’s how to do it:

Step 1: go to https://www.google.com/webmasters/tools/ and enroll your site.

Step 2: log in, and in the left-hand menu click on “Security Issues.”

That’s it!  If your website was hacked and is listed in the Safe Browsing Program, you’d see it here:

Screenshot of Google Search Console “Security Issues” panel stating no security issues detected, with advice to review resources for hacked sites and a note on cross-site malware warnings in the browser.

Have someone check this once a month or so to make sure that there aren’t any problems with your site.

4) Google FTW Part 2!

A few years back, Google bought a super cool service called Virus Total.  Think of it as a giant database in the sky of every virus, Trojan, and compromised website that exists.

It’s incredibly easy to use.  Enter your website, and click “Scan it”.

VirusTotal interface displaying a URL scan option: shows where you enter your site’s URL (e.g., https://adeliarisk.com) and click "Scan it!" to detect malware, trojans, or other threats.

In a matter of seconds, VirusTotal scans your website against 67 different virus scanners.

Here’s what it looks like:

VirusTotal scan results for adeliarisk.com showing detection ratio 0/67 and multiple URL scanners (e.g., BitDefender, Avira, AlienVault) reporting “Clean site,” indicating no malware detected.

Again, check this once every month or so to see if you have any issues.

5) Pay attention to your logs

Your website hosting company tracks everything on website in files called “logs.”  They look something like this:

Screenshot of access log entries showing multiple GET requests for suspicious files like wp-content/plugins/popup-maker and wp-admin-xxx.php—used to detect potential unauthorized access or malware activity.

But what you want to find is a SUMMARY of the logs.  They’ll look different at every hosting company, but they should look something like this:

Traffic dashboard showing visitor and bandwidth summary: graphs with 30-day average and total—292 average visitors, 8,760 total; 248 MB average bandwidth, 7.27 GB total.

Keep an eye on these.  If you see a sudden spike in one or the other, it could mean that you have a hacked website.  Or it could mean that one of your videos has gone viral!

Meme of an excited child writing furiously with the caption “This WILL go VIRAL,” humorously illustrating how quickly hacked content or SEO-spam can spread if unchecked.

Also, keep an eye on your error logs.  A sudden spike in errors either means you’re under attack or there’s something wrong with your site.  Error logs work different from every web hosting company, so reach out to them to find out how they work.

6) Site Scanner

The last free tool that you should try is “Sitecheck” by a company called Sucuri.  It’s super easy to put in your website:

Sucuri SiteCheck “Free Website Malware and Security Scanner” interface showing input field for URL (e.g. adeliarisk.com) and “Scan Website!” button for checking malware, blacklist status, and outdated software.

And it will give you a result:

Screenshot of Sucuri SiteCheck results for adeliarisk.com: “No Malware Detected,” “Not Currently Blacklisted (10 Blacklists Checked),” with low-risk ratings for malware, blacklist, spam, and defacement, and medium risk for missing firewall.

Despite what the last result says, not every website needs a Website Firewall.  If you host customer/patient data on your website, then you do.  Or if you can’t afford for your website to ever be down, then you should definitely consider a website firewall.

Sucuri does a great job of removing malware from compromised sites if you do get attacked.

Sucuri also sells an automated service that monitors your site.  If it finds a problem, it fixes it automatically.

Example browser malware warning saying “The site ahead contains malware,” paired with a section highlighting your site cleanup service—“We Clean and Repair Hacked Websites” for $24.99/month per site.

Conclusion

If you’re not watching your website for attacks, you’re playing a dangerous game of “chicken.”

You need to start paying attention to your site on a regular basis.  If you don’t have time, ask a member of your team to do it.

Still feeling a bit overwhelmed?

Get some free help!  Talk to an Adelia Risk cybersecurity consultant.

Talk to us!

Now it’s your turn.  Have any other tips to share about monitoring your site from hacking?  Any horror stories about your site being hacked?  Leave them in the comments below.

If you liked this article, please share it!

Table of Contents

Picture of Josh Ablett

Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.

Share

Related Posts

As businesses are digitally transformed, our exposure to risk is changing. In the financial industry, the

The number of reported ransomware attacks exploded in 2020. This guide will give you the knowledge

In today’s digital landscape, ensuring the security of sensitive data is of paramount importance for businesses.

Do you think we might be a good match?