Detect and avoid hacked websites

More and more websites are being hacked.
Find out how to recognize a hacked website and what you can do to avoid hacker attacks here.

For as long as there have been websites, there have been people hacking websites.
The reasons are diverse and range from pure malice, idealistic reasons (to show people that they should care more about security vulnerabilities) to criminal backgrounds such as stealing data, redirecting traffic, making money from placed advertisements, which are probably the most common reasons for hacked websites.

How do I know if my website has been hacked?

If you suspect that your website has been hacked, it is probably due to one or more of the following reasons:

  • The website is no longer accessible. Nothing is visible under the domain or you get an error message with 404 or 503. A "broken" website can also have other causes and it does not necessarily have to be a hacker attack behind it.
  • On the website things are displayed, which have not been entered, e.g. obscene pictures or links to dubious pages. This may not only affect the home page, but may also occur on isolated sub-pages. It is important to check the entire website including all subpages.
  • If you access the website via a search engine, e.g. Google, redirects are caused. This does not happen when you access the website directly by entering the URL in the browser, but only when you click on the website in the search results in Google Search. You will then end up on dubious websites that either offer questionable content or websites that specifically want to spread viruses.
  • Google and other search engines index content that is not visible on the website. The content is there on the website, but hidden and not safe for normal visitors. Only the search engine crawler sees this content and includes it in the index. The consequence is that one finds one's own website in the search results for dubious search terms.
  • In the backend, there are user names that you have not created yourself. These users usually have administrator rights and have full access to the website.
  • There are plugins or extensions installed that you did not install yourself. In the case of WordPress, these can be plugins that enable file uploads. With the help of these plugins, files with file extensions such as .php or .js are subsequently uploaded, which are then called and executed via the browser. Invoking and executing these files can cause significant damage to the server.
  • The navigation in the website links to dubious external pages. It may also be that not only the navigation is affected, but also links in the cookie banner or simple links in the content or footer.
  • There are files with cryptic names and cryptic contents on the web server.
  • The website has already been detected as hacked by Google and blacklisted.
  • Google Search Console shows security issues.

What website hacks are out there?

There are countless different hacks that target different things. The most commonly used hacks are the following:



Phishing is an attempt to obtain customer data and steal their identity. They are after e-mail addresses and passwords, as well as credit card and bank data. The data is read and stolen in the hope that it can be reused elsewhere and used to make money, or the data is sold on the darknet.


Infiltrating content - SEO spam / content hack / Google hack (cloaked keywords)

Keywords and links are placed on the website so that the own website is placed in the search engines for dubious keywords. The content is placed on the website in such a way that it is not or only barely visible. Either it is invisible or very far down, so that you have to scroll very far down to see the content at all. This content is picked up by the search engines and thus a ranking is achieved for the keywords in the Google search. It can also happen that not only content on existing pages is infiltrated, but also complete pages are infiltrated, which are then indexed by Google. This hack is often only noticed by chance.



It redirects website visitors to spam pages.
There are several ways to do this:

  • The redirection to the spam page takes place directly when the page is opened
  • The redirection to the spam page occurs only when clicking on a search result in Google search
  • The redirection takes place when clicking on a navigation point
  • The redirection takes place when clicking into the cookie banner

It may happen that the redirects are not always applied, but only on the first X calls to a website. Behind this, IP addresses are logged and after a certain number, redirects for the IP are no longer executed. This makes it more difficult to find the hacks and conveys to the people behind the screen that maybe it was just a temporary malfunction or maybe you clicked somewhere wrong.



A mail interface of e.g. WordPress is exploited and countless spam emails are sent via the own mail server. Usually, the mail is sent until it is blocked by the hoster or the daily limit of emails is reached.


More information about the various hacks can also be found in Google's spam policy.

How do the hackers get into the website?

Hackers usually exploit security vulnerabilities in the CMS itself or the plugins used. However, it is also possible for hackers to gain access via security holes in PHP, MySQL or server management software.

Another attack surface is provided by insecure passwords, login screens that are not encrypted with SSL or upload fields in forms such as contact forms.

If you use access data for a CMS backend that has been leaked somewhere, this is of course also a security risk.

Insufficiently secure passwords for the email address can also become a trap, since the email address is used to reset the password on the one hand, and on the other hand access data for the CMS in the email account can often be found in old emails.

    How can I protect myself from hacker attacks?

    To be spared from hacker attacks, you can take precautions to avoid opening security gaps in the first place. Preventive work is the only way to protect yourself from successful attacks. Hackers will still attack, but they will not be able to open the door if it is well barricaded from the inside.

    Here are the most important tips:

    1. Do not use a user named "admin" or "office" for the backend
    2. Use strong passwords and different passwords if possible
    3. Create regular backups
    4. Keep your website updated
    5. Block too many login attempts
    6. Protect your information in the CMS
    7. Delete unused data
    8. Protect the page with SSL
    9. Disable the file editor in WordPress
    10. Use the Google Search Console to monitor keywords
    11. Regularly look at your own website and check it for anomalies
    12. Google yourself and your company at regular intervals and click on the search results

    1. Use secure usernames

    The usernames "admin" or "office" are most frequently used in hacker attacks. In server logs, you can see very well how often there are login attempts with these or other usernames.

    One problem in WordPress is that the WordPress API is basically open to everyone if it is not explicitly blocked. Most sites don't need the API at all (at least not in the frontend), which is why we think it's an unnecessary security hole to have it enabled by default. Nonetheless, you can do cool stuff via the API. SYSSY also uses the API.

    One problem with the API data is that you can read all users and their usernames as well as email addresses. The API query via the URL /wp-json/wp/v2/users returns a list of all users. The API can be called by appending the desired API endpoint to the URL, e.g.

    Once you have the users, you can easily try all usernames with any password until you are successfully logged in.

    You can protect yourself from this by installing a plugin that locks the API, such as Disable WP REST API. This plugin offers the possibility to lock the entire API, but to reactivate individual API endpoints that are needed via the settings. If you have installed the SYSSY plugin, there is a separate item for SYSSY that can be unlocked again.

    You can also lock individual endpoints of the WordPress API via PHP code, e.g. exactly this endpoint for reading the users. Add the following code snippet into the functions.php of your theme and test the endpoint:

    //disable user rest api
    add_filter( 'rest_endpoints', function( $endpoints ){
                 if ( isset( $endpoints['/wp/v2/users'] ) ) {
                               unset( $endpoints['/wp/v2/users'] );
                 if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
                               unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
                 return $endpoints;

    Instead of a user list, an error message will appear.

    If you do not use your own theme, I recommend the use of a plugin.

    2. Use strong passwords and protect them

    Make sure that you use strong and unique passwords for backend, FTP, database and login to the hoster. Also, do not use the same credentials as on Facebook or Instagram. Also the password for the email account should be a secure one and should not be shared with anyone.

    The password for your CMS user should only be used for this website and should be secure:

    • No words from the dictionary or names of cities or countries, e.g. "Linz" would be a very bad password. Also "Linz1234" is not good.
    • Min. 8 characters
    • Combination of letters and numbers
    • Min. 1 special character
    • A password does not have to be cryptic, but can also consist of a phrase that is easy to remember, e.g. MyDADhasaredcar34! or MyCatisnamedMINKIandisseven34!

    Do not send passwords via email and use a password manager to manage your passwords if possible.

    If you have ever been knowingly hacked via Facebook or another platform, do not use this password anywhere. The passwords end up in a database and are used for exactly such purposes.

    At you can check if your email address has already been hacked in an account. If yes, then do not use the password that you have ever used in that account.

    3. Create regular backups

    Make backups at regular intervals and find out how often the hoster makes a backup and how long it is kept.
    Hacked websites are often detected late - after several weeks or months - and the hoster's backups are often gone by then.
    Some hosters offer backups, but the import of these backups is subject to a fee. Here you can also inform yourself in advance.

    For WordPress, there are plugins that automatically create backups and save them, for example, in a Dropbox. It is important that the backups are stored outside the web space where your website is located. In the worst case, the backups can be deleted by hackers.

    4. Monitoring CMS and plugins for security vulnerabilities

    Security updates for CMS and plugins are released at irregular intervals. These updates should be applied quickly, especially for WordPress.

    With popular and very widespread systems like WordPress, the hacking rate is very high. As soon as a security vulnerability for a plugin is published, it means to be fast. Hackers immediately find a way to exploit the vulnerability and start attacking worldwide.

    The more popular a plugin is and the more often it is used, the faster the hackers act, as the probability of causing damage is the highest. Websites are automatically scanned and checked for security vulnerabilities. If a security hole is found, the hackers are more or less already inside.

    With plugins that are used millions of times, such as Elementor, it is even more obvious at first glance whether the plugin is being used. A simple check of the source code provides information about this.

    Our tip is: The more popular the plugin with the security vulnerability, the faster update! Ideally on the same day.

    5. Protect CMS Login

    A popular method to hack a website is to enter a lot of login data into the login mask and try to see if a login works. Popular here is the username "admin", which is tested in combination with password databases.

    For WordPress there are plugins like Limit Login Attempts Reloaded, which locks the IP address after a few failed logins.

    It is also possible to enable the login only for certain IP addresses or generally block the login via a .htaccess login.

    6. Protect your information about CMS

    Different CMS write versions of CMS or plugins in the HTML tag "generator".

    In the case of WordPress writes the CMS itself purely, or also gladly Plugins like WPML, WooCommerce or Elementor write here gladly info with the indication of version numbers.
    In TYPO3 in older versions still the TYPO3 version was written the tag, but in newer TYPO3 versions the version number was omitted and only "TYPO3" appears.

    The tag can look like this:

    <meta name="generator" content="WordPress 6.2.2">

    If the version of CMS or individual plugins is visible here, it is an easy game for the hackers, because it can be immediately detected which version is in use and if there are certain security holes in this version that can be exploited.

    My recommendation is to remove the tag completely. You can do that in WordPress with the following code snippet that you add to your functions.php:

    remove_action('wp_head', 'wp_generator');

    With some themes or used plugins it can be difficult to remove this tag. You may be able to help yourself with a plugin or look for a deactivation in the plugin or theme settings.

    7. Delete unused data

    If you still have old plugins, extensions or themes in your CMS that are not active but still available, you should delete them. Especially if they are outdated and no longer receive updates. Even inactive plugins can represent security vulnerabilities.

    8. Protect the website with SSL

    Always use an SSL certificate, especially if there are things on your website like contact forms.

    An SSL certificate is usually available for free in the form of a Let's Encrypt certificate from your hoster.

    After installing the certificate, it is important to set the URL to https in the CMS settings and to set up a forwarding from http to https. You can usually set up these redirects directly via the backend of the hoster.

    If there is no option to set up a redirect in the hosting package, you can set up the redirect in the .htaccess file on your web server. Here is an example of a redirect to https in the .htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On

        #redirect to https
        RewriteCond %{HTTPS} !on
        RewriteCond %{HTTP_HOST} syssy\.net$
        RewriteRule ^(.*)$$1 [R=301,L]

    9. Disable the file editor in the WordPress backend

    In WordPress, by default, you can edit theme files directly through WordPress via Design -> Theme File Editor.

    To disable this function, you can add the following code snippet in wp-config.php:

    ## disable theme editor
    define('DISALLOW_FILE_EDIT', true);


    10. Use the Google Search Console

    A regular look at the Google Search Console can be very informative. Among other things, it shows you with which search terms the page is found most often or which pages are called up most frequently. If you see dubious keywords here, for which you did not expect a ranking, this can be a sign that the website has been hacked. You can also see if there are hits on pages that should not exist and that may have been introduced via a hack.

    If Google detects security problems on your website, you will be notified via Search Console and can act accordingly.
    However, Google usually detects such hacks very late (if at all). And if the problems have reached Google, it is difficult to get good ranking again, because the page will be downgraded accordingly.

    How often do I have to update the website?

    As soon as a security update is released, it should be applied immediately.

    For the WordPress core, this almost always works automatically, unless you have disabled this feature. For the plugins there is also the possibility of automatic updates, but I am critical of this function and would not necessarily trust it. It is important to test the site after updates, especially with big plugins like Elementor or WooCommerce, problems can often occur and you may have to adjust things in the theme to make everything work smoothly.

    Some hosters also provide automatic updates for security releases for TYPO3. A comparison with the hosters is worthwhile here in any case.

    In the case of hacker attacks, it does not matter whether it is the large website of a corporation, the small website of an individual company or a private blog. The hackers don't care. It is simply scanned globally and whoever is unlucky is chosen as a target.

      A few final tips:

      • Register the website in Google Search Console after go-live, then you will be notified about security issues by Google as well.
      • Check the website regularly, both manually and with a software like SYSSY.
      • Update the website regularly, both the CMS core and the plugins and themes.
      • Update your website whenever it is necessary and not just once a year. It's best to use a tool that notifies you of security vulnerabilities. SYSSY is happy to help you with this.

      Your website has been hacked?

      We can help you clean up your website.

      Get help now

      Get support for website management

      Want help with website management?
      SYSSY works for you in the background

      Register now for free

      This might also interest you

      We have investigated a hacked WordPress website and tried to find out what happened.

      How to track down the hack and the conclusions drawn from it you…

      Read more

      More and more websites are being hacked. Find out how to recognize a hacked website and what you can do to avoid hacker attacks here.

      Read more
      SYSSY GDPR chek

      Here are tips on how to quickly and easy check your website for compliance with the GDPR.

      Read more