Website Security Monitoring: Detect Threats Fast

Webalert Team
March 22, 2026

A company discovers their homepage has been replaced with a political message. They find out from a customer screenshot on Twitter. The defacement happened 6 hours ago.

Another company's checkout page has been injected with a credit card skimmer. It runs silently for 3 weeks before a fraud analyst at a bank traces the compromised cards back to their site.

Security incidents like these are not always loud. Attackers often prefer stealth — small changes that go unnoticed while they extract value. The longer the attack goes undetected, the greater the damage.

Website security monitoring detects these changes by continuously checking what your site actually serves to visitors and alerting you when something unexpected appears.


What Security Monitoring Catches

Security monitoring is not a firewall or WAF. It does not block attacks. It detects the consequences of a successful attack — the changes an attacker makes to your site, DNS, certificates, or content.

Defacement

An attacker replaces your website content with their own message. This is the most visible type of attack, but it often goes undetected for hours when it happens overnight or on low-traffic pages.

Detection method: Content validation checks that verify your pages contain expected text and do not contain unexpected content.

Malware and script injection

An attacker injects malicious JavaScript into your pages. Common payloads include:

  • Credit card skimmers on checkout pages
  • Cryptocurrency miners that use visitor CPU
  • Redirect scripts that send visitors to phishing sites
  • Keyloggers that capture form inputs

These scripts are often small, obfuscated, and injected into a single page. The rest of the site appears normal.

Detection method: Content change detection that alerts when page content changes unexpectedly, combined with content validation that checks for known malicious patterns.

DNS hijacking

An attacker changes your DNS records to point your domain to their server. Visitors reach a fake version of your site. Because the domain is correct, most users do not notice.

Detection method: DNS monitoring that verifies your domain resolves to expected IP addresses.

SSL certificate tampering

An attacker obtains a fraudulent certificate for your domain (through a compromised CA or DNS hijack) and intercepts traffic.

Detection method: SSL monitoring that tracks certificate fingerprint, issuer, and expiry. A sudden certificate change you did not initiate is a red flag.

Unauthorized redirects

An attacker modifies your server configuration or injects redirect rules. Visitors to your site are silently forwarded to a malicious site.

Detection method: HTTP monitoring that follows redirects and verifies the final destination is your expected domain.

SEO spam injection

An attacker injects hidden content, links, or pages into your site. The content is often invisible to regular visitors but visible to search engines. Your site starts ranking for pharmaceutical or gambling keywords, and Google may flag it as compromised.

Detection method: Content validation that checks for unexpected text or links, plus monitoring of paths that should not exist (e.g., checking that /wp-admin or random URL paths return 404).


How Attackers Modify Websites

Understanding common attack vectors helps you know what to monitor:

| Attack Vector | What Changes | How to Detect |
| --- | --- | --- |
| Compromised CMS admin | Page content, theme files, plugins | Content validation on key pages |
| SQL injection | Database content, user data | Content checks on data-driven pages |
| Supply chain (compromised dependency) | JavaScript bundles, CDN resources | Content hash monitoring, subresource integrity |
| Server compromise (SSH/RDP) | Any file, server configuration | HTTP checks + content validation + DNS monitoring |
| DNS registrar compromise | DNS records | DNS resolution monitoring |
| CDN/hosting account compromise | Served content, SSL certificates | Content validation + SSL monitoring |
| Git repository compromise | Deployed code | Post-deploy content validation |
| Stolen credentials (CMS/hosting) | Anything accessible through the panel | All monitoring types |

Building a Security Monitoring Strategy

Layer 1: Availability monitoring

The foundation. If your site goes down entirely, that is the most obvious sign something is wrong:

  • HTTP/HTTPS checks every 1 minute on all public endpoints
  • TCP port monitoring on web servers, databases, and admin panels
  • Multi-region checks to detect localized attacks or DNS poisoning affecting specific regions

Layer 2: Content integrity monitoring

This catches the attacks that do not take your site down but change what it serves:

  • Content validation on critical pages — verify expected text appears
  • Negative content validation — verify unexpected content does not appear (e.g., gambling keywords, unfamiliar script tags)
  • Content change detection — alert when page content changes outside of expected deployment windows

Which pages to check:

| Page | What to Validate |
| --- | --- |
| Homepage | Company name, navigation elements, expected content |
| Login page | Correct form action URL, no injected scripts |
| Checkout/payment page | Expected payment provider, no foreign scripts |
| Contact page | Correct contact information |
| Footer (any page) | Expected links, no injected spam links |
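
The checkout-page checks listed above, as an added Python example (not Webalert's code): it compares a page against a baseline of expected text, forbidden text, allowed script hosts and form action URLs. The baseline fields, hostnames and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PageFacts(HTMLParser):
    """Collects script hosts, form actions and all text, hidden text included."""
    def __init__(self, url):
        super().__init__()
        self.url, self.hosts, self.actions = url, set(), []
        self.text, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            if a.get("src"):  # a relative src resolves to the page's own host
                self.hosts.add(urlsplit(urljoin(self.url, a["src"])).hostname or "(none)")
        elif tag == "form":
            self.actions.append(urljoin(self.url, a.get("action") or ""))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if not self.in_script:  # script bodies are not page text
            self.text.append(data)

def validate(html, url, base):
    """Return findings; an empty list means the page matches its baseline."""
    p = PageFacts(url)
    p.feed(html)
    text = " ".join(" ".join(p.text).split()).lower()
    out = [f"missing expected text: {s}" for s in base["must_contain"] if s.lower() not in text]
    out += [f"forbidden text present: {s}" for s in base["must_not_contain"] if s.lower() in text]
    out += [f"foreign script host: {h}" for h in sorted(p.hosts - base["script_hosts"])]
    out += [f"unexpected form action: {a}" for a in p.actions if a not in base["form_actions"]]
    return out

# Constructed baseline and pages; every hostname is a placeholder.
URL = "https://shop.example/checkout"
BASELINE = {"must_contain": ["Secure checkout"], "must_not_contain": ["casino"],
            "script_hosts": {"shop.example", "js.pay.example"},
            "form_actions": {"https://js.pay.example/charge"}}
CLEAN = ('<h1>Secure checkout</h1><script src="/app.js"></script>'
         '<script src="https://js.pay.example/v3.js"></script>'
         '<form action="https://js.pay.example/charge"></form>')
TAMPERED = CLEAN.replace("</form>", '</form><script src="https://cdn-stats.example/a.js">'
                         '</script><div style="display:none">Best casino bonus</div>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, validate(page, URL, BASELINE))
```

Because the parser reads the raw HTML, text inside a hidden element is checked the same way as visible text, which is what the negative validation for injected spam relies on.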

Layer 3: Infrastructure integrity monitoring

Detect attacks on the infrastructure layer:

  • DNS monitoring — verify A records, CNAME records, and MX records resolve to expected values
  • SSL monitoring — track certificate issuer, fingerprint, expiry, and chain
  • Port monitoring — detect unexpected open ports (may indicate backdoors)
  • Redirect chain monitoring — verify redirects go to expected destinations

Layer 4: Deployment pipeline monitoring

Secure the deployment process itself:

  • Heartbeat monitoring on CI/CD pipelines — detect if deployments stop running
  • Post-deploy content validation — verify deployed content matches expectations
  • Build artifact integrity — validate what was deployed is what was built

Response Time as a Security Signal

An unexpected change in response time can indicate a security issue:

  • Sudden increase — May indicate a DDoS attack, cryptominer consuming resources, or an attacker exfiltrating data
  • Sudden decrease — May indicate your site is being served from a different (attacker-controlled) server
  • Intermittent spikes — May indicate the server is processing malicious requests alongside legitimate ones

Set response time alerts with both upper and lower bounds. A site that normally responds in 400ms but suddenly responds in 50ms is suspicious — it may mean the response is coming from somewhere else.
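
A two-sided response time check, as an added Python example (not Webalert's implementation): bounds are derived from healthy samples with the median and median absolute deviation, and an alert fires after several consecutive breaches on the same side. The multiplier `k`, the `consecutive` threshold and all sample values are assumptions of this example.

```python
from statistics import median

def bounds(baseline_ms, k=5.0):
    """Return (low, high) in ms from healthy samples, using median and MAD.

    k is a tuning assumption of this example; 1.4826 scales the MAD to a
    standard deviation for normally distributed data.
    """
    med = median(baseline_ms)
    mad = median(abs(x - med) for x in baseline_ms) or 1.0  # avoid a zero-width band
    spread = k * 1.4826 * mad
    return max(0.0, med - spread), med + spread

def scan(samples_ms, low, high, consecutive=3):
    """Return (index, kind) once per run of `consecutive` breaches on one side."""
    alerts, run_kind, run_len = [], None, 0
    for i, ms in enumerate(samples_ms):
        kind = "too_fast" if ms < low else "too_slow" if ms > high else None
        run_len = run_len + 1 if kind and kind == run_kind else (1 if kind else 0)
        run_kind = kind
        if kind and run_len == consecutive:
            alerts.append((i, kind))
    return alerts

# Constructed samples: a ~400 ms baseline with one slow outlier, then a
# series containing a single spike and a sustained drop to ~50 ms.
BASELINE = [390, 410, 405, 395, 400, 420, 385, 400, 415, 398, 900, 402]
SERIES = [401, 650, 399, 52, 48, 51, 50, 404]

if __name__ == "__main__":
    low, high = bounds(BASELINE)
    print(f"bounds: {low:.0f} ms .. {high:.0f} ms")
    print(scan(SERIES, low, high))
```

Setting `consecutive=1` reports every single breach, which suits the intermittent-spike case at the cost of noisier alerts.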


Monitoring for Specific CMS Platforms

WordPress

WordPress is the most targeted CMS. Monitor:

  • Login page (/wp-login.php) — Verify it loads correctly and is not compromised
  • Admin panel (/wp-admin/) — Should redirect to login for unauthenticated users
  • Content pages — Validate content on homepage and key landing pages
  • Common malware paths — Check that paths like /wp-content/uploads/*.php return 403 or 404
  • Plugin update pages — If a plugin is compromised, functionality may break

Shopify / E-commerce

  • Checkout flow — Verify the payment page loads and contains expected payment provider
  • Product pages — Check that prices and content are correct
  • Cart functionality — Verify add-to-cart works
  • External script sources — Monitor for unexpected third-party scripts

Custom applications

  • Login and authentication flow — Verify the auth provider is correct
  • API responses — Check for unexpected data in API responses
  • User-facing pages — Content validation on all key pages
  • Admin endpoints — Should not be publicly accessible

Alert Strategy for Security Events

Security alerts need different handling than standard uptime alerts:

Immediate escalation

  • DNS record change detected
  • SSL certificate changed unexpectedly
  • Content on checkout/payment page changed
  • Login page content changed
  • Site content replaced entirely (defacement)

These should trigger SMS and phone alerts to the security team, not just email.

Investigation required

  • Unexpected content change on any page
  • New redirect detected
  • Response time anomaly (significantly faster or slower)
  • Unknown port responding

These should trigger alerts to the on-call team with instructions to verify within 30 minutes.

Informational

  • Content change during a known deployment window
  • SSL certificate renewed (expected)
  • Minor response time variation

These can be logged for audit trails without immediate alerting.


Common Mistakes

Only monitoring availability

A site that returns HTTP 200 can still be compromised. Content validation is essential for security monitoring. Checking the status code alone misses defacement, script injection, and content manipulation.

Not monitoring payment and login pages

These are the highest-value targets for attackers. Skimming scripts on checkout pages and credential-harvesting modifications on login pages cause the most damage. Monitor them with content validation, not just uptime checks.

Monitoring only from one region

DNS hijacking and BGP attacks can affect specific regions. A visitor in Europe might reach your real server while a visitor in Asia reaches the attacker's server. Multi-region monitoring catches localized attacks.

No baseline for expected content

If you do not define what your page should contain, you cannot detect when it changes. Set up content validation rules that check for specific text strings, expected script sources, and correct form action URLs.

Ignoring certificate changes

SSL certificate monitoring is often treated as "check for expiry." But a certificate that changes unexpectedly — different issuer, different fingerprint — outside of a known renewal is a security event.
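
One way to separate an expected renewal from an unexpected change, as an added Python example (not Webalert's logic): a new fingerprint is "informational" only when the issuer is the same, the old certificate was close to expiry and the new one extends validity; everything else maps to "immediate", following the alert tiers above. The 30-day renewal window, the issuer comparison by organization name and the sample records are assumptions of this example.

```python
import hashlib, socket, ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertRecord:
    fingerprint: str      # SHA-256 of the DER-encoded leaf certificate
    issuer_org: str       # issuer organizationName
    not_after: datetime

def observe(host, port=443, timeout=5):
    """Fetch the live leaf certificate (needs network; the samples do not use it)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der, info = tls.getpeercert(binary_form=True), tls.getpeercert()
    issuer = dict(rdn[0] for rdn in info["issuer"])
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(info["notAfter"]), timezone.utc)
    return CertRecord(hashlib.sha256(der).hexdigest(), issuer.get("organizationName", ""), expiry)

def classify(known, seen, now, renewal_window=timedelta(days=30)):
    """Return (tier, reason) for a stored record versus the one just observed."""
    if seen.fingerprint == known.fingerprint:
        return "none", "certificate unchanged"
    if seen.issuer_org != known.issuer_org:
        return "immediate", f"issuer changed: {known.issuer_org} -> {seen.issuer_org}"
    if now < known.not_after - renewal_window:
        return "immediate", "fingerprint changed outside the renewal window"
    if seen.not_after <= known.not_after:
        return "immediate", "replacement does not extend validity"
    return "informational", "same-issuer renewal inside the renewal window"

# Constructed records; fingerprints are shortened placeholders, not real hashes.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
KNOWN = CertRecord("aa11", "Example CA", NOW + timedelta(days=20))
FRESH = CertRecord("aa11", "Example CA", NOW + timedelta(days=80))
RENEWED = CertRecord("bb22", "Example CA", NOW + timedelta(days=110))
OTHER_CA = CertRecord("cc33", "Other CA", NOW + timedelta(days=110))

if __name__ == "__main__":
    for old, new in ((KNOWN, RENEWED), (FRESH, RENEWED), (KNOWN, OTHER_CA)):
        print(classify(old, new, NOW))
```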


How Webalert Helps

Webalert provides the monitoring layers needed to detect security incidents:

  • Content validation — verify pages contain expected content and catch unauthorized changes
  • Content change detection — alert when monitored pages change unexpectedly
  • DNS monitoring — detect record changes and potential hijacking
  • SSL monitoring — track certificate fingerprint, issuer, and expiry
  • Multi-region checks — detect localized attacks from global vantage points
  • Response time tracking — catch anomalies that indicate compromise
  • 60-second intervals — minimize the window between attack and detection
  • Multi-channel alerts — Email, SMS, Slack, Discord, Teams, webhooks for immediate escalation
  • Status pages — communicate security incidents to customers transparently

See features and pricing for details.


Summary

  • Website security monitoring detects the consequences of successful attacks: defacement, malware injection, DNS hijacking, and unauthorized changes.
  • Content validation is the most important security monitoring technique. A 200 status code does not mean the content is correct.
  • Monitor critical pages (homepage, login, checkout) with content validation, not just uptime checks.
  • DNS and SSL monitoring catch infrastructure-level attacks like domain hijacking.
  • Response time anomalies can indicate DDoS, cryptominers, or content served from an attacker's server.
  • Use multi-region checks to detect localized attacks.
  • Escalate security alerts immediately — defacement, DNS changes, and payment page modifications need rapid response.

Uptime monitoring tells you the site is reachable. Security monitoring tells you it is yours.

