Small and mid-sized businesses accounted for over 70% of data breaches in 2025. The reason isn't that attackers have a grudge against small businesses — it's that smaller businesses tend to have weaker defences and fewer people watching. Automated scripts don't care how many employees you have. They're scanning for vulnerabilities at scale, around the clock.

If you run a website, this affects you. Here's how to spot a problem — and what to do when you find one.

Warning signs your website may be compromised

1. Your site is redirecting visitors to somewhere else

One of the most common forms of website attack is a redirect hack — malicious code quietly sends your visitors to a spammy or dangerous site. You might not notice it yourself because attackers often only redirect mobile users, or only first-time visitors. Ask someone on a phone to visit your site and see what happens.

2. Google is flagging your site

Search your business name in Google and look for a warning underneath the result: "This site may harm your computer" or "This site may be hacked." Google's Safe Browsing system catches a lot of compromised sites. You can also check directly at transparencyreport.google.com/safe-browsing.

3. New admin accounts have appeared

Log into your website's admin panel and check the user list. If there are accounts you don't recognise — especially admin-level accounts — that's a serious sign of compromise. Delete them immediately and change all passwords.

4. Your site is slow or showing errors

Malicious code running on your server consumes resources. If your site has suddenly slowed down with no obvious explanation, it's worth investigating. Similarly, unexpected error messages or broken pages can indicate that something in the code has been altered.

5. Your hosting provider has flagged you

Good hosting providers monitor for malware on their servers. If you've received an email saying your account has been suspended or flagged for suspicious activity, take it seriously and investigate immediately.

The most dangerous hacks are the invisible ones. If an attacker is using your site to send spam email, mine cryptocurrency, or store illegal files — they want you to stay unaware for as long as possible. Regular monitoring matters.
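The mobile-only redirect from warning sign 1 can also be checked from a script. This added example (not part of the original article) requests a page once as a desktop browser and once as a phone, without cookies, and reports any redirect that leaves your own domain. The User-Agent strings, function names and sample data are assumptions made for the illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Illustrative User-Agent strings (assumptions); any current desktop/mobile pair works.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
}

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: we want to read the Location header itself

def first_hop(url, user_agent, timeout=10):
    """One cookie-less request, like a first-time visitor. Returns (status, Location)."""
    opener = urllib.request.build_opener(NoFollow)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx response arrives here
        return err.code, err.headers.get("Location")

def observe(url):
    return {name: first_hop(url, ua) for name, ua in PROFILES.items()}

def _host(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def off_site(url, location):
    """True if a redirect target is outside the site's own domain and its subdomains."""
    if not location:
        return False
    base, target = _host(url), _host(urljoin(url, location))
    return not (target == base or target.endswith("." + base))

def suspicious(url, observations):
    """observations maps profile -> (status, Location); return the off-site redirects."""
    return {name: loc for name, (status, loc) in observations.items()
            if 300 <= status < 400 and off_site(url, loc)}

# Constructed sample: how a mobile-only redirect hack looks from outside.
SAMPLE = {"desktop": (200, None), "mobile": (302, "http://spam-target.invalid/win")}

if __name__ == "__main__":
    print(suspicious("https://example.com/", SAMPLE))
```

For a live check on your own site, call `suspicious(url, observe(url))`. This only sees redirects sent by the server; a redirect injected as JavaScript inside the page will not show up, so the test with a real phone is still worth doing.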

What to do if you think your site has been compromised

  1. Take the site offline immediately if you can — this stops the bleeding and protects your visitors.
  2. Change all passwords — your hosting account, CMS admin, FTP, database, everything.
  3. Scan for malware — tools like Sucuri SiteCheck or Wordfence (for WordPress) can help identify what's been injected.
  4. Restore from a clean backup — if you have a recent backup from before the compromise, this is often the fastest path to recovery.
  5. Update everything — outdated themes, plugins, and CMS versions are the most common entry points. Update immediately after cleaning.
  6. Submit for Google review — once you've cleaned the site, use Google Search Console to request a malware review so the warning gets lifted.

How to prevent it in the first place

Prevention is simpler than recovery. The basics that block most attacks:

Coming soon from GhostRoutine

We're building out a website security audit service — a systematic review of your site's vulnerabilities before someone else finds them. If you're interested in being among the first to know when it launches, get in touch.

Not sure if your site is secure? We can take a look. Book a free call and tell us about your current setup — we'll give you honest feedback on where the risks are.
