How to Tell If Your Website Has Been Secretly Infected with Malware

Here’s a scenario that plays out thousands of times every day: a website owner goes about their normal routine — checking emails, fulfilling orders, writing content — completely unaware that their website has been compromised for days, possibly weeks.

The hackers aren’t announcing themselves. The malware is doing its job quietly — redirecting visitors, harvesting data, spreading spam, building SEO pages for pharmaceutical sites — all while the site appears to work perfectly from the admin panel.

This is the reality of modern website malware: it’s designed to be invisible to you, and visible to everyone else. Here’s how to find it.

Why You Often Can’t Tell From Inside Your Dashboard

Many malware infections include logic specifically designed to hide from administrators. Redirect malware, for example, often only fires for visitors who aren’t logged into the CMS — meaning you browse your site from your admin account and see nothing wrong, while every visitor gets redirected to a spam site.

Similarly, SEO spam pages are created with rules that hide them from your own IP address. Backdoor shells sit in directories you never manually browse. Injected scripts are obfuscated to blend in with legitimate code.

This is why proactive detection matters — and why simply ‘checking your site’ from your own browser isn’t a reliable security measure.

Warning Sign 1: Unusual Redirects for Visitors

One of the most common malware types redirects your visitors to external sites — pharmaceutical spam, gambling sites, foreign-language pages — while leaving your experience as the logged-in administrator completely normal.

How to check: Open your website in a private/incognito browser window where you’re not logged in. Try visiting from a mobile device. Ask a colleague or friend to visit and report what they see. If they’re redirected somewhere unexpected, you have a redirect injection.
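The same check can be scripted so it runs on a schedule. The sketch below is an added example, not part of the original article: it requests a page as a logged-out visitor (no cookies) with a desktop and a mobile browser identity and reports any redirect that leaves your own domain. The user-agent strings, the function names and the www-stripping rule are assumptions made for the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Visitor profiles are assumptions for this example. Neither sends a session
# cookie, so the site treats both as logged-out visitors.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it


def first_hop(url, user_agent, timeout=10):
    """Return (status, absolute Location or None) without following redirects."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return err.code, urljoin(url, loc) if loc else None


def _site(url):
    """Lower-cased host with a leading 'www.' removed, so www/bare hops are not flagged."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def offsite_redirects(url, profiles=PROFILES, fetch=first_hop):
    """Map profile name -> redirect target for redirects that leave the site's own host."""
    flagged = {}
    for name, agent in profiles.items():
        _status, target = fetch(url, agent)
        if target and _site(target) != _site(url):
            flagged[name] = target
    return flagged


if __name__ == "__main__":
    import sys
    print(offsite_redirects(sys.argv[1]) or "no off-site redirects at the HTTP level")
```

This only sees redirects sent as HTTP responses. A redirect performed by injected JavaScript after the page loads still needs the browser checks described above.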

Warning Sign 2: Google Search Results Look Wrong

Run a site search on Google using site:yourdomain.com and scroll through the results. You’re looking for:

  • Pages in foreign languages (Japanese, Chinese, Russian) that you didn’t create
  • Page titles referencing pharmaceuticals, counterfeit products, or gambling
  • Thousands of indexed pages you don’t recognise
  • Your normal pages showing strange meta descriptions you didn’t write

Any of these is a strong indicator of an SEO spam injection — one of the most common and damaging malware types targeting websites today.

Warning Sign 3: Google Search Console Security Alerts

If you have Google Search Console set up (and you should), check the Security Issues section regularly. Google’s crawlers often detect malware before site owners do, and they’ll report specific issues here — including malware types, affected URLs, and sample infected pages.

If you receive a Security Issues notification via email from Google Search Console, treat it as an emergency. Act the same day.

Warning Sign 4: Browsers Show Security Warnings

Google Chrome, Firefox, and Safari all use Google’s Safe Browsing database to warn users about dangerous sites. If visitors to your site see a full-screen red warning page, your domain has been flagged and blacklisted.

Check your site’s status directly at Google’s Safe Browsing Transparency Report: transparencyreport.google.com/safe-browsing/search. Enter your domain and see whether it’s currently flagged.

Warning Sign 5: Unexpected New Files or Modified Files

Log into your hosting control panel and browse your file manager. Look for:

  • PHP files in your uploads directory (there should be none — only images and documents belong there)
  • Recently modified core CMS files you didn’t touch
  • Unfamiliar files in your website root or plugin directories
  • Files with suspicious names mimicking legitimate system files (e.g. ‘wp-logln.php’ instead of ‘wp-login.php’)

Any PHP file in a location it shouldn’t be — especially the uploads folder — is a serious red flag and should be investigated immediately.
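If you have shell or SFTP access, the file checks above can be automated. The following is an added example, not code from the original article: it walks a site directory and reports PHP files under the uploads folder, file names that nearly match a well-known file (such as 'wp-logln.php'), and PHP files modified in the last few days. The WordPress-style uploads path, the extension list, the list of known names and the similarity threshold are assumptions for the example.

```python
import os
import time
from difflib import SequenceMatcher

# Assumptions for this example: which extensions count as executable PHP, and a
# short list of well-known WordPress file names to compare look-alikes against.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
KNOWN_NAMES = ["wp-login.php", "wp-config.php", "wp-settings.php", "index.php", "xmlrpc.php"]


def is_lookalike(name, known=KNOWN_NAMES, threshold=0.85):
    """True when name nearly matches, but is not, a well-known file name."""
    lowered = name.lower()
    if lowered in known:
        return False
    return any(SequenceMatcher(None, lowered, k).ratio() >= threshold for k in known)


def audit_site(root, uploads_rel="wp-content/uploads", recent_days=7, now=None):
    """Walk root and return sorted (reason, relative_path) findings."""
    root = os.path.abspath(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    uploads = os.path.join(root, *uploads_rel.split("/"))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = os.path.commonpath([uploads, dirpath]) == uploads
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            is_php = os.path.splitext(name)[1].lower() in PHP_EXTS
            if in_uploads and is_php:
                findings.append(("php-in-uploads", rel))
            if is_lookalike(name):
                findings.append(("lookalike-name", rel))
            if is_php and os.lstat(path).st_mtime >= cutoff:
                findings.append(("recently-modified", rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for reason, rel in audit_site(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:18} {rel}")
```

Modification times can be reset by whoever wrote the file, so an empty "recently-modified" list does not clear a site; comparing core files against a clean copy of the same CMS version is the stronger check.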

Warning Sign 6: Unknown Admin User Accounts

Log into your CMS and check your user list. If you see administrator accounts you didn’t create, your site has almost certainly been compromised. Hackers create backdoor admin accounts to maintain access even after you change your password or clean an infection.

Do not just delete the account and move on — the presence of an unknown admin account means there’s likely a backdoor elsewhere that needs to be found and removed.

Warning Sign 7: Hosting Account Suspended

If your hosting provider has suspended your account, malware is one of the most common reasons. Hosts monitor for malicious activity — spam sending, outbound attack traffic, infected files — and will suspend accounts that pose a risk to their infrastructure.

A suspension notice from your host should be treated as a confirmed infection until proven otherwise. Contact them immediately to understand what triggered the suspension before attempting to restore access.

Warning Sign 8: Sudden Drop in Traffic or Rankings

A sharp, unexplained drop in organic search traffic or keyword rankings can be a downstream signal of a security issue. Google penalizes infected sites, de-indexes spam pages when detected, and removes blacklisted sites from search results.

If your analytics show a cliff-edge drop in traffic with no obvious cause (algorithm update, seasonal change), cross-reference with a malware scan and Google Search Console security check.

Warning Sign 9: Spam Emails Sent from Your Domain

Is your inbox receiving bounce-back emails from messages you never sent? Are contacts reporting spam from your email address? Hackers often exploit website server functions to send mass spam through your domain — which can get your email domain blacklisted and destroy your email deliverability.

Check your email sending logs through your hosting control panel if you have access, and investigate any unusual outbound activity.

What to Do If You Spot Any of These Signs

  • Run an immediate malware scan using a reputable security scanner
  • Check Google Search Console for Security Issues notifications
  • Change all passwords: CMS admin, hosting, FTP, database
  • Document everything you’re seeing for reference during cleanup
  • Contact a professional malware removal service — don’t attempt DIY cleanup on a live business site

Sucuri’s free website scanner is a good starting point for a quick external check of your site. For thorough file-level scanning, database checking, and blacklist status across all major databases, Sucuri’s full platform provides continuous monitoring — so you don’t have to wait until you notice something wrong to find out your site has been compromised.

🔎 Don’t wait for a customer to tell you something’s wrong with your site. Set up continuous malware monitoring with Sucuri and be the first to know — not the last.

The difference between a minor incident and a major crisis is almost always how quickly it’s detected. Monitoring gives you that speed.

About Author

Rajitha Mary
