
How to know if your website has been hacked (and what to do)

43% of cyberattacks target small businesses. If your website is hacked, your customers notice before you do. Discover the 8 warning signs and the action protocol.

serpixel ·

Key points

  • 43% of cyberattacks target small businesses: Small businesses are the favourite target of hackers because they rarely update their websites. An outdated plugin can stay open as a door for months.
  • More than 60% of hacked websites go undetected for 6 months: Modern attacks are discreet: they inject invisible code and change nothing visible. If you do not monitor, you do not find out until Google flags you as dangerous.
  • A site flagged by Google loses 95% of its traffic: When Google detects malware on your site, it shows a red warning ('this site may harm your computer') that scares away almost every potential visitor.
  • Astro removes most attack vectors: Static websites have no database, run no PHP and have no vulnerable plugins. It is the difference between an open door and a solid wall.

43% of cyberattacks target small businesses. Most of these companies discover it too late: when a customer warns them, when Google flags them as dangerous or when their emails start landing in the spam folder. By then, the damage is already done.

At serpixel we audit dozens of websites every month and we see the same pattern over and over: small businesses with their site hacked for months, completely unaware. This article walks you through the 8 most common signs and what to do if you spot any of them.

1. Why small businesses are the favourite target of hackers

When you think of a cyberattack, you imagine a hacker going after Google or a bank. The reality is far more practical: hackers go after the easiest websites. And the easiest websites belong to small businesses.

Three reasons:

The software is not maintained. 70% of hacked WordPress sites have outdated plugins. Every month new vulnerabilities are discovered in popular plugins; hackers exploit them before owners patch them.

There is no monitoring. A small business does not have a security team watching the website 24/7. It can run for months with malicious code injected and nobody notices. The average owner only checks their site 2 or 3 times a month.

Passwords are weak. “admin / 123456” is still one of the most common combinations. Hackers try thousands of combinations per minute with automated tools. A 6-character password breaks in less than a minute.

And the consequences are disproportionate: for a multinational, an attack is an inconvenience. For a small business, it can mean closing the doors.

2. The 8 signs your website has been hacked

Sign 1: Strange results when you search for your business on Google

Search Google for your domain using the site: operator (for example: site:yourbusiness.com). If you see pages with Japanese titles, content about pharmaceutical products, online casinos or keywords that have nothing to do with your business, your site is hacked.

This is the most common SEO attack: hackers inject hundreds of new pages into your site with spam content, leveraging your domain to rank products they want to sell.

Sign 2: Google Search Console reports security issues

If your site is verified in Google Search Console (and it should be), this is where you will see the first warnings. In the “Security issues” section, Google notifies you if it detects:

  • Malware (malicious code that infects visitors)
  • Unwanted or harmful software (extensions, suspicious downloads)
  • Phishing (attempts to steal data)
  • Hacked content (unauthorised changes on your site)

If you see any notification in this section, act immediately. Do not wait more than 24 hours.

Sign 3: Pop-ups you did not add

If you visit your site and pop-ups, strange ads, redirects to other websites or a fake counter saying “your computer is infected” suddenly appear, the site is compromised. Hackers have injected JavaScript code that runs in visitors’ browsers.

Important: these pop-ups may only appear in certain browsers or countries. Test the website in incognito mode and from another device.
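
The check described in Sign 3 can be made repeatable by listing every script a page loads and comparing it with what you expect. The following is an added example, not code from serpixel; the allowlist, the marker list, the sample HTML and the names `ScriptCollector` and `audit_scripts` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical): hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.yourbusiness.com", "www.googletagmanager.com"}
# Heuristic markers often seen in injected, obfuscated JavaScript; not proof alone.
MARKERS = ("eval(", "atob(", "String.fromCharCode", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect hosts of external <script src> tags and bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None:
                self._buf = []  # inline script: start buffering its body
            elif urlparse(src).hostname:  # relative URLs have no hostname (same site)
                self.hosts.append(urlparse(src).hostname)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return findings for script hosts outside the allowlist and marked inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = [("unexpected-host", h) for h in parser.hosts if h not in allowed]
    for body in parser.inline:
        hits = [m for m in MARKERS if m in body]
        if hits:
            findings.append(("inline-markers", hits))
    return findings

# Constructed sample page: one same-site script, one allowed host, two suspicious entries.
SAMPLE_HTML = """<script src="/assets/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//cdn.unknown-host.example/p.js"></script>
<script>var s = atob("ZXhhbXBsZQ=="); document.write(s);</script>"""
```

Because injected code may be served only to certain browsers or countries, run `audit_scripts` on HTML saved from more than one browser and network, and treat a clean result from a single vantage point as inconclusive.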

Sign 4: Unknown admin accounts

If you use WordPress, go to Users > All Users and check for any admin accounts you do not recognise. Hackers often create accounts with technical-sounding names (wpadmin, support, admin1) to keep access even if you change your password.

Also check whether any users have recent creation dates that you do not remember creating.
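
On sites with many users, the same review can be run over an export of the administrator list. This is an added example, not part of the original article: it assumes the list was exported with WP-CLI's `wp user list` in CSV format, and the known-admin set, review date and sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Assumptions (hypothetical): admin logins you created yourself, and the date
# you last reviewed the account list.
KNOWN_ADMINS = {"maria"}
LAST_REVIEW = datetime(2024, 1, 1)
# Login names the article cites as typical of attacker-created accounts.
SUSPICIOUS_LOGINS = {"wpadmin", "support", "admin1"}

# Constructed sample of the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,maria,maria@yourbusiness.com,2021-05-10 09:12:44
7,support,support@mail.example,2024-03-02 03:41:09
9,j.smith,js@mail.example,2024-03-02 03:41:15
"""

def review_admins(csv_text):
    """Return (login, reasons) for each administrator that needs a closer look."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in KNOWN_ADMINS:
            reasons.append("not-in-known-admins")
        if login.lower() in SUSPICIOUS_LOGINS:
            reasons.append("technical-sounding-name")
        if created > LAST_REVIEW:
            reasons.append("created-after-last-review")
        if reasons:
            flagged.append((login, reasons))
    return flagged

if __name__ == "__main__":
    for login, reasons in review_admins(SAMPLE_CSV):
        print(login, reasons)
```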

Sign 5: New or modified files on the server

If you have FTP access or access to your hosting file manager, look for files with strange names: wp-x.php, wso.php, marvin.php, index2.php. These are typical names for “shells” (programs hackers use to control the website).

Also check modification dates. If you see WordPress files modified recently without you running any update, that is a red flag.
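
With shell access to the hosting account, both checks from Sign 5 can be scripted. This is an added example, not code from the original article: it flags the file names listed above and PHP files modified after your last legitimate update, and goes one step further by flagging any PHP file under an uploads directory. The function names, the timestamp and the temporary directory layout are constructed.

```python
import os
import tempfile

# File names the article lists as typical web-shell names.
SHELL_NAMES = {"wp-x.php", "wso.php", "marvin.php", "index2.php"}

def scan_webroot(root, last_update_ts):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in SHELL_NAMES:
                findings.append((rel, "known-shell-name"))
            if name.lower().endswith(".php"):
                if "/uploads/" in "/" + rel:
                    findings.append((rel, "php-in-uploads"))
                # mtime is only a lead: whoever wrote the file can also backdate it.
                if os.stat(path).st_mtime > last_update_ts:
                    findings.append((rel, "modified-after-last-update"))
    return sorted(findings)

def demo_scan():
    """Build a constructed web root in a temp dir and scan it."""
    last_update = 1_700_000_000  # constructed: time of the last legitimate update
    layout = {  # relative path -> mtime offset from last_update, in seconds
        "wp-login.php": -86400,
        "wp-includes/version.php": -86400,
        "wp-includes/load.php": 3600,           # core file changed after the update
        "wp-content/uploads/2024/wso.php": -50,  # backdated, caught by name and location
        "wp-content/uploads/2024/logo.png": 7200,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, offset in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (last_update + offset,) * 2)
        return scan_webroot(root, last_update)

if __name__ == "__main__":
    print(demo_scan())
```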

Sign 6: Sudden traffic drop in Google Analytics

If your website was getting 500 monthly visits and suddenly drops to 50, Google may have penalised you. The most common cause of such a drop is hacked content or malware that triggered a Google filter.

Also check whether the drop affects only certain pages: if Google detects malware in a specific section, it can deindex only that section.

Sign 7: The browser flags your website as dangerous

Visit your site with Chrome and Firefox. If you see a red screen with messages like “Deceptive site ahead” or “This site may harm your computer”, Google has already detected the attack and blocked the site from its users.

It is the worst-case scenario: at this point, 95% of potential traffic flees without ever seeing your content.

Sign 8: Your hosting provider notifies you of suspicious activity

Serious hosts monitor their servers. If they see your account sending spam, consuming excessive resources or making suspicious connections, they send you an email warning. Always read the emails from your hosting provider; many owners ignore them thinking they are marketing.

3. What to do if you find any of these signs

If you have spotted one of the 8 signs, follow this protocol in this exact order:

Step 1: DO NOT DELETE ANYTHING. Your first instinct will be to clean everything at once, but you can destroy valuable evidence about how the attack happened. Make a complete backup before touching anything.

Step 2: Put the site in maintenance mode. If your platform allows it, show a temporary “Be right back” page. This stops visitors from getting infected while you clean the site.

Step 3: Change every single password. All of them. WordPress, FTP, hosting panel, database, corporate email if it uses the same domain. Use 16+ character passwords generated by a manager like 1Password or Bitwarden.

Step 4: Scan the site with a specialised tool.

  • Sucuri SiteCheck (free): scans your site and tells you if it detects malware, blacklisting or known vulnerabilities.
  • Wordfence (for WordPress): scans every file on your site looking for malicious code.
  • VirusTotal (free): checks whether your domain is on security blacklists.

Step 5: Restore a backup from before the infection. If you have backups (and you should), restore one from before the problems started. First check the exact date of the infection by looking at the modified files.

Step 6: Update all software. WordPress, plugins, themes, PHP, database. If there are plugins that are no longer maintained, delete them and look for actively maintained alternatives.

Step 7: Notify Google Search Console that the issue has been resolved. In the “Security issues” section, click “Request review” once you have cleaned the site. Google reviews the request within 24 to 72 hours.

Step 8: If you cannot fix it yourself, hire a professional. Companies like Sucuri, Wordfence or cybersecurity consultants can do a professional cleanup for between 200 and 500 EUR. It is worth it: a hacked website can lose thousands of euros in customers for every day it stays infected.
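
Steps 1 and 5 fit together: the untouched copy made in Step 1 can be compared by content hash against the pre-infection backup to see what was added or changed and roughly when. This is an added example, not serpixel's tooling; the function names, file contents and timestamps are constructed.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map relative path -> (sha256 hex digest, mtime) for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:  # whole-file read is fine for web-sized files
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[rel] = (digest, os.stat(path).st_mtime)
    return out

def compare_with_backup(evidence_root, clean_root):
    """Diff the evidence copy (Step 1) against a pre-infection backup (Step 5)."""
    ev, clean = manifest(evidence_root), manifest(clean_root)
    added = sorted(set(ev) - set(clean))
    changed = sorted(p for p in ev.keys() & clean.keys() if ev[p][0] != clean[p][0])
    removed = sorted(set(clean) - set(ev))
    # Earliest mtime among added/changed files: a lead for the infection date only,
    # because timestamps can be reset by whoever modified the files.
    times = [ev[p][1] for p in added + changed]
    return {"added": added, "changed": changed, "removed": removed,
            "earliest_mtime": min(times) if times else None}

def write_file(root, rel, data, mtime):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))

def demo_compare():
    """Constructed sample: a clean backup and an evidence copy of the live site."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as ev:
        write_file(clean, "index.php", b"<?php // home", 1000)
        write_file(clean, "wp-includes/load.php", b"<?php // core", 1000)
        write_file(ev, "index.php", b"<?php // home", 1000)
        write_file(ev, "wp-includes/load.php", b"<?php // core + extra line", 5000)
        write_file(ev, "wp-content/uploads/index2.php", b"<?php // unknown", 4000)
        return compare_with_backup(ev, clean)

if __name__ == "__main__":
    print(demo_compare())
```

If the earliest modification time is older than the backup you planned to restore, that backup may already contain the infection; pick an earlier one and compare again.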

4. How to prevent it in the future

Recovering a hacked website is expensive and stressful. Preventing it is cheap and easy. These are the 5 basic measures:

1. Automatic updates. Enable automatic updates for WordPress core, plugins and themes. If you use another CMS, set weekly reminders to update manually.

2. Strong passwords and two-factor authentication (2FA). Never use “admin” or “123456”. Enable 2FA wherever possible (Google Authenticator, Authy).

3. Automatic and external backups. Backups must be daily and stored outside the server (Google Drive, Dropbox, AWS S3). A backup on the same server is useless if the server is compromised.

4. Server-level or application-level firewall. Cloudflare, Sucuri or Wordfence offer firewalls that block known attacks before they reach your site. Their free versions are already useful.

5. Reduce the attack surface. Every plugin you add is a potential entry point. Delete plugins you do not use. Delete themes you are not using. Less code = fewer vulnerabilities.

5. Why serpixel websites are immune to most attacks

At serpixel we do not use WordPress. Our websites are built with Astro, a framework that generates static HTML at build time.

What does this mean for security?

No database. No SQL queries, no possible injection, no login to a database.

No PHP. The server does not execute any code when someone visits the site. It only sends pre-generated HTML files. No execution = no execution vulnerabilities.

No vulnerable third-party plugins. Every feature is built as our own code, reviewed and audited. We do not depend on hundreds of small plugins built by anonymous developers.

No public admin panel. In WordPress, anyone can try to log in at yourdomain.com/wp-admin. In Astro there is no admin panel: the website is generated from the code repository and published via Git. To attack the site, a hacker would have to compromise our GitHub repository and the Vercel deployment process.

CDN with built-in DDoS protection. Vercel includes denial-of-service protection, automatic blocking of malicious bots and constant monitoring.

The result: in over 12 months running on Astro, 0 successful attacks on the websites we manage. That is not luck, it is architecture.

What we do every month to protect our clients

At serpixel, as part of the integrated maintenance, every month we:

  1. Update every dependency on each website and check npm advisories for new vulnerabilities
  2. Monitor Vercel logs to detect suspicious behaviour
  3. Verify the website is not on blacklists using Sucuri SiteCheck
  4. Check that Google Search Console shows no security issues
  5. Run automatic backups through Git (every change is recorded)

Everything included in the monthly growth plan. No extra services, no additional paid plugins.

Want to know if your current website has security issues? Request a free audit and we will run a full scan in less than 24 hours. We will send you a report with the issues detected and how to fix them.

Tags

website security, hacked website, small business, cybersecurity, web maintenance, WordPress

Frequently asked questions

There are 8 clear signs: strange content in search results (Japanese titles, redirects to pharma websites), Google Search Console security warnings, new pop-ups you did not add, unknown admin accounts, new files on the server, sudden traffic drops, browsers flagging the site as dangerous, or your hosting provider notifying you of abuse.
1) Do not delete anything before making a full backup for investigation. 2) Put the site in maintenance mode. 3) Change every password (admin, FTP, hosting, database). 4) Scan with Sucuri SiteCheck or Wordfence. 5) Restore a backup from before the infection. 6) Update all software. 7) Notify Google Search Console that the issue has been resolved.
It depends on complexity. A basic cleanup by Sucuri or Wordfence costs between 200 and 500 EUR. If the malicious code is complex or you need to restore an old backup, it can climb to 1,000-2,000 EUR. If the site has been flagged by Google, recovering its reputation can take weeks. Preventive maintenance costs much less.
WordPress runs PHP code and queries a database on every visit, multiplying attack surfaces (plugins, themes, forms, login). Astro generates static HTML when you publish: the server only sends files, with nothing to execute. There is no database, no vulnerable plugins, no publicly accessible login. It is the same difference as keeping money in a closed safe versus on a table.