March 31, 2026 · 6 min · Carol
How to tell if my site was hacked (and what to do before Google penalizes you)
Most hacked sites only find out when Google flags them as unsafe and traffic plummets. The signs show up earlier, if you know where to look.
The question usually arrives in a panic: "I think my site was hacked, what do I do?". And almost always the person only noticed because one of three things happened:
- Google started showing "This site may harm your computer" in the results.
- The hosting provider suspended the account for abuse.
- A customer complained that the site opens weird stuff on mobile.
In all three cases, the breach happened days or weeks earlier. The signs were there.
The signs that show up first
Before Google and before the host, you can spot it yourself — if you look.
1. Search results with text that isn't yours
Search Google for: site:yoursite.com (with site: joined directly to the domain, no space). Every indexed page of your domain is listed. Look at the titles and descriptions. If you find:
- Pages with names of medications, casinos, replicas, viagra, cialis
- Titles in Japanese, Chinese, Russian for no reason
- Strange URLs like /wp-content/uploads/2023/cheap-shoes.html
…your site was hacked. The attacker created hidden pages to exploit your domain's SEO — to sell links, sell fake products, distribute malware.
2. JavaScript you don't recognize
Open the site in the browser, View Source (Ctrl+U). Search for <script> and look at the content. Signs of trouble:
- eval(atob(...)) — base64-obfuscated code, almost always malicious
- String.fromCharCode(...) with dozens of numbers — another way to hide code
- Scripts loaded from domains you've never heard of (*.ru, *.tk, raw IPs)
- document.write injecting iframes
3. A redirect that only happens on mobile or from Google
A classic: the site opens normally when you type the URL in Chrome desktop. But when you click a Google result from your phone, it goes to a casino page. This is called cloaking — the malware checks the User-Agent and Referer and only attacks specific users.
To test: grab your phone, search for your site on Google, click through the result. Don't type the URL directly.
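The same comparison can be scripted for a site you run. This is an added example, not part of the original article and not Sentinela's code: it requests one URL as a direct desktop visitor, as Googlebot, and as a mobile visitor arriving from Google, then compares the visible text. The word-level diff, the sample User-Agent strings and the constructed pages are assumptions; the 40% threshold is the figure quoted later in this article.

```python
import difflib
import re
import urllib.request

# Three views of the same URL. The User-Agent strings are sample values.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "mobile_from_google": {"User-Agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                                         "(KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36",
                           "Referer": "https://www.google.com/"},
}

def fetch(url, profile):
    """Return (final_url, html) as served to the given profile; redirects are followed."""
    req = urllib.request.Request(url, headers=PROFILES[profile])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def visible_words(html):
    """Drop script/style bodies and tags, return the lowercase words a visitor would read."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    return re.sub(r"(?s)<[^>]+>", " ", html).lower().split()

def difference(html_a, html_b):
    """0.0 for identical visible text, 1.0 for nothing in common."""
    matcher = difflib.SequenceMatcher(None, visible_words(html_a), visible_words(html_b))
    return 1.0 - matcher.ratio()

def cloaked_profiles(pages, threshold=0.40):
    """pages maps profile -> html; return profiles whose text differs from 'direct' by >= threshold."""
    base = pages["direct"]
    return sorted(p for p, html in pages.items()
                  if p != "direct" and difference(base, html) >= threshold)

# Constructed responses standing in for fetch() output, so the example runs offline.
SAMPLE_PAGES = {
    "direct": "<h1>Acme Bakery</h1><p>Fresh bread daily, order online</p>",
    "googlebot": "<h1>Acme Bakery</h1><p>Fresh bread daily, order online today</p>",
    "mobile_from_google": "<script>var a=1</script><h1>Win big</h1><p>Casino slots bonus now</p>",
}

if __name__ == "__main__":
    print(cloaked_profiles(SAMPLE_PAGES))
```

Against a live site, build the dictionary with fetch() and also compare the returned final URLs, since a cloaked redirect shows up there first. Malware that verifies Googlebot by source IP will not react to a spoofed User-Agent, so a clean result does not clear the site.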
4. Sudden slowness and high CPU in the panel
Your hosting panel shows CPU spikes that never existed. The site got slow. Your server is probably being used to mine crypto or send spam — two favorite payloads of whoever breaks in.
5. Files you didn't create
If you have SSH/FTP access, list files modified in the last 30 days. On WordPress:
find /path/wordpress -name "*.php" -mtime -30
Common suspicious files:
- wp-content/uploads/*.php — uploads shouldn't have PHP
- wp-content/plugins/<random-name>/ — a plugin nobody installed
- wp-config.bak, info.php, shell.php, r57.php — classic webshells
6. Admin logins you didn't make
WordPress panel → Users. Is there an admin with a strange name? Logged in recently from an IP that isn't yours? You're already compromised.
Why it takes so long to find out
Most of these signs are invisible in normal use. The attacker wants it that way. The spam pages are created in subdirectories you never visit. The malware only activates for visitors coming from Google. The webshell stays quiet until someone needs to use it.
The first warnings about the damage usually come from:
- Google Safe Browsing — when it classifies your site as "Deceptive site ahead". From then on, Chrome, Firefox and Safari block access.
- URLhaus, OpenPhish, Spamhaus — public lists of malicious domains. If you land on them, emails from your domain start going to spam.
- Wordfence / Sucuri / VirusTotal — their own malware databases.
When your domain's name enters one of these lists, recovery is slow and painful: clean the malware, request a manual review, wait days, losing traffic the whole time.
How to monitor before the damage
The ideal is to scan your own site periodically, from the outside, the way Google would. Looking for:
- Patterns of obfuscated JavaScript (eval/atob, fromCharCode in volume)
- Hidden content with pharma/spam words (display:none, off-screen)
- External iframes pointing to suspicious domains
- Forms with an action on an external domain
- Automatic redirects in JS or meta refresh
- Cloaking: what the site shows Googlebot vs. a normal user
And cross-reference the domain with public threat-intel feeds — URLhaus, OpenPhish — to know if you've already landed on a blacklist.
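A small static scanner for part of that checklist, also covering the script signs from "JavaScript you don't recognize". This is an added example, not from the original article or from Sentinela: it flags obfuscated script bodies, external scripts, iframes and form actions, and meta refresh. The names, the 20-code threshold, the exact-match host allowlist and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-body patterns from the list above; the 20-code threshold is an assumption.
SCRIPT_PATTERNS = {
    "eval(atob())": re.compile(r"eval\s*\(\s*atob\s*\("),
    "fromCharCode in volume": re.compile(r"fromCharCode\s*\((?:\s*\d+\s*,){20,}"),
    "document.write iframe": re.compile(r"document\.write\s*\([^;]*<iframe", re.I),
}
URL_ATTR = {"script": "src", "iframe": "src", "form": "action"}  # attribute holding the URL

class PageScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted, self.findings, self.in_script = set(trusted_hosts), [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_script = tag == "script"
        url = a.get(URL_ATTR.get(tag, "")) or ""
        host = urlparse(url).hostname  # None for relative (same-site) URLs
        if host and host not in self.trusted:
            self.findings.append((f"external {tag}", url))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta refresh", a.get("content") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inspect script bodies only, not visible text
            for name, rx in SCRIPT_PATTERNS.items():
                if rx.search(data):
                    self.findings.append((name, data.strip()[:40]))

def scan_html(html, trusted_hosts):
    """Return (kind, detail) findings for one page; trusted_hosts are exact hosts you expect."""
    scanner = PageScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not from a real incident; example.com is the site's own host.
SAMPLE = """<meta http-equiv="refresh" content="0;url=http://203.0.113.9/">
<script src="/js/app.js"></script><script>eval(atob("Y29uc29sZS5sb2coMSk="))</script>
<p>We wrote about eval(atob( yesterday.</p><iframe src="//cdn.invalid/x"></iframe>
<form action="https://example.com/contact"></form>"""
```

Calling scan_html(SAMPLE, {"example.com"}) reports the meta refresh, the inline eval(atob()) script and the external iframe, while the paragraph that merely mentions eval(atob( is ignored because only script bodies are inspected.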
What Sentinela does
Sentinela's Malware Scan probe does exactly this, automatically, week after week:
- Crawl of the home + 10 internal links
- Detection of obfuscated JS (eval, atob, fromCharCode, packers)
- Hidden content with pharma/spam vocabulary
- Suspicious external iframes
- Forms with an external action
- JS redirects and meta refresh
- Cloaking — compares what the site returns to Googlebot vs. normal Chrome and alerts on a diff ≥40%
- Cross-references your domain with URLhaus + OpenPhish synced daily
And for WordPress users: it detects the version, installed plugins, themes, and cross-references the Wordfence Intelligence feed to warn you of a known CVE with an active exploit — before the drive-by bot finds you.
It runs automatically, 14 days free, and you're warned by email or Telegram the same day something appears.
If it already happened
If you've read this far already in a panic because your site is showing strange things:
- Don't delete the files immediately. Take the site offline (Maintenance Mode, or return 503), but preserve the files for a few days — you'll need them to understand how the attacker got in.
- Change all passwords — site admin, database, FTP, hosting panel, linked email.
- Update everything — WordPress core, plugins, themes. Most breaches use an outdated plugin.
- Restoring a backup from before the breach is the cleanest path — if you have a backup.
- Request a review from Google Search Console after cleaning.
- Set up monitoring so that next time you're the first to know, not the last.
The breach isn't the end of the world. Finding out three weeks later is.