The signs your site has been compromised

Hacked websites do not always look obviously broken. Attackers often want to keep your site running while they use it for their own purposes — sending spam, hosting phishing pages, or injecting code that redirects visitors without you noticing. Here is what to look for.

Google warnings in search results

Search for your business name on Google. If your listing shows a warning like “This site may be hacked” or “This site may harm your computer,” Google has detected malicious content and flagged it. This warning will drive visitors away and is one of the most urgent situations to resolve. Check Google Search Console — if you have it set up, Google will have sent you a security alert there as well.

Browser security warnings

Visit your own website in an incognito window (so your browser cache does not hide the issue). If you see a red warning page from Chrome, Firefox, or Safari saying the site is dangerous, your browser has detected a known threat. This is different from an expired SSL certificate — it means actively malicious content has been detected.

Unexpected redirects

Visit your homepage. Does it take you to your actual website, or does it briefly redirect somewhere else — a pharmaceutical site, a gambling site, a login page you do not recognise? Redirect hacks are common and are often only visible to visitors coming from Google, not to you when you visit directly. Check your site from a mobile device you have never used to visit it before, or use a tool like Google’s Safe Browsing check.

New pages or content you did not create

Log into your website and look for pages, posts, or files you did not create. Attackers often add dozens or hundreds of pages filled with spam keywords and links. In WordPress, check Pages, Posts, and the Media Library. In your hosting file manager, look for new PHP files in directories where there should not be any — particularly in upload folders.

Your hosting account has been suspended

Many Canadian web hosts automatically suspend accounts when they detect malware or spam being sent from a site. If your site suddenly shows a suspension notice instead of your content, contact your host immediately. They can usually tell you what triggered the suspension and what they found.

Clients or visitors reporting strange behaviour

If someone tells you your website asked them to download something, showed them a popup warning, or redirected them somewhere unexpected, take it seriously even if you cannot reproduce the issue yourself. Many hacks are designed to only show malicious content to certain visitors — those coming from search engines, those on mobile, or those in specific locations.

What usually causes it

The vast majority of website hacks targeting Canadian small businesses fall into a small number of categories.

Outdated WordPress core, themes, or plugins

WordPress powers a large share of Canadian small business websites, and it is the most common attack target for exactly that reason. Security vulnerabilities are discovered regularly in WordPress plugins and themes. When a vulnerability is found and made public, attackers immediately start scanning the web for sites that have not yet updated. A plugin you installed and forgot about can become an entry point months later if you never update it.

Weak or reused passwords

The WordPress admin login at /wp-admin is attacked constantly by automated bots trying common passwords. If your password is weak, reused from another service, or the same as it was when the site launched years ago, it is a target. The same applies to your hosting control panel and FTP credentials.

Compromised hosting environment

On shared hosting plans, many websites share the same server. If another site on the same server is compromised and the host’s isolation is poor, attackers can sometimes move laterally to other accounts. This is one of the arguments for managed hosting with stronger account isolation, though it is not the only consideration. See the managed vs shared hosting guide for more context.

Malicious file uploads

If your website has a contact form, e-commerce functionality, or any feature that allows file uploads, a misconfigured uploader can allow attackers to upload malicious PHP files that give them control of the site. This is a developer-level issue but worth knowing as a site owner.

What to do immediately

If you suspect your site has been hacked, here is the order of operations.

  1. Take the site offline if possible. A compromised site actively harms your visitors and your Google standing. If you can put a maintenance page up through your hosting panel, do so. If you cannot, at least stop promoting the URL until the issue is resolved.
  2. Change all passwords immediately. WordPress admin, hosting control panel, FTP, database — all of them. Use a password manager to generate strong unique passwords for each.
  3. Contact your hosting provider. Tell them you believe your site has been compromised and ask if they can identify what happened. Many hosts have malware scanning tools and can assist with initial investigation. Ask specifically whether they detected anything in their security logs.
  4. Do not delete files or restore over the problem yet. Your hosting provider or a security professional may need to examine the compromised files to understand how the attack happened. Cleaning up before investigation can remove evidence of the entry point, which means the same vulnerability will be exploited again.
  5. Check Google Search Console. If your site is registered in Search Console, Google will have flagged any security issues it found. This tells you what Google knows and what you will need to address before requesting a review.

Recovery and cleanup

Cleaning up a hacked site properly is not a task most business owners should attempt themselves. Incomplete cleanups are common — attackers often leave multiple backdoors, and removing one visible piece of malware while missing the entry point means the site will be reinfected within days.

Realistic options:

  • Restore from a clean backup. If you have a confirmed clean backup from before the compromise, restoring it is the most reliable approach — but you must also close whatever vulnerability allowed the hack in the first place, or it will happen again. See the website backups guide for why this depends entirely on having good backups to begin with.
  • Use a malware removal service. Services like Sucuri, Wordfence, and others offer professional malware removal. They scan the entire site, remove infections, and harden the installation against repeat attacks. Costs vary but are usually in the $200–$500 CAD range for a one-time cleanup.
  • Ask your web developer or hosting provider. Many Canadian web developers and managed hosting providers offer site recovery services, or can recommend a trusted specialist.

After cleanup, submit a review request in Google Search Console if your site was flagged. Google will re-crawl the site and remove warnings once it confirms the malicious content is gone. This process usually takes a few days.

Preventing it from happening again

The measures that would have prevented most hacks are straightforward — they just require actually doing them.

  • Keep WordPress, themes, and plugins updated. Enable automatic updates for minor WordPress releases. Review and update plugins at least monthly. Delete plugins you no longer use.
  • Use strong unique passwords for every account related to your website. A password manager makes this practical.
  • Enable two-factor authentication on your WordPress admin and hosting panel. Even if an attacker gets your password, they cannot log in without the second factor.
  • Have current, tested backups. This does not prevent a hack but transforms a catastrophe into a recoverable situation. See the backups guide for what “good backup” actually means.
  • Consider managed WordPress hosting. A good managed host handles WordPress updates, monitors for malware, and provides automatic backups as part of the service — removing the maintenance burden from you entirely.