5 Signs Your Website Has Been Hacked (and How to Fix It)

Date: 2026-02-22 | Author: Kang Awi

Discovering that your website has been compromised is one of the more unsettling experiences a business owner can have. Your site represents your brand, your credibility, and in many cases a significant portion of your revenue pipeline. The idea that someone — or more likely, something automated — has gained unauthorised access and is using it for their own purposes is genuinely alarming.

The harder truth is that most Australian business owners don't discover a hack quickly. Unlike a break-in at a physical premises, website compromises are often designed to be invisible to the site owner while being very visible to visitors, search engines, and anyone else the attacker wants to target. A hacked site might look completely normal to you while redirecting mobile visitors to a pharmacy spam site, serving malware to first-time visitors, or sending thousands of spam emails from your hosting account.

This guide covers the five most common and recognisable signs that a website has been compromised, explains what's likely happening technically in each case, and walks through the recovery process in practical terms. If you're reading this because something already seems wrong with your site, start with the diagnostic checklist below before working through the recovery steps.

Before You Read the Signs: A Quick Diagnostic Checklist

If you suspect your site has been hacked right now, run through these checks before anything else. They take less than ten minutes and will tell you quickly whether you have a confirmed problem or a suspected one.

Google your site's name and URL and look at the search result description beneath your listing. If it contains text in foreign languages, pharmaceutical product names, gambling terms, or content completely unrelated to your business, your site's metadata has almost certainly been compromised.

Visit your site from a different device — ideally a mobile phone on a mobile data connection rather than your usual computer on your usual network. Attackers frequently configure compromises to show normal content to known visitors and administrators while redirecting new visitors and mobile users to malicious destinations.

Run your URL through Google's Safe Browsing checker at transparencyreport.google.com. This tells you whether Google has flagged your site as dangerous for visitors.

Check your site against Sucuri's free SiteCheck tool at sitecheck.sucuri.net. This scans your site's publicly visible code for known malware signatures and checks it against major blacklists.

Log into your hosting control panel and look at your recent email sending logs if accessible. Unexpected large volumes of outgoing email are a strong indicator of compromise.

If any of these checks return concerning results, you have a confirmed compromise and should move directly to the recovery section of this guide. If nothing obvious surfaces but you're still concerned, continue reading — some hacks are specifically designed to evade these surface checks.

Sign 1: Unexpected Redirects - Especially on Mobile

One of the most common and disruptive forms of website compromise involves code injected into your site that redirects visitors to a completely different destination. The attacker's goal is typically to drive traffic to their own properties — spam sites, phishing pages, fake pharmaceutical stores, gambling platforms, or pages serving malware downloads — using your site's traffic and your hosting infrastructure.

The reason this sign is so frequently missed by site owners is that attackers are sophisticated about who they redirect. The injected code often checks several conditions before deciding whether to show your real site or redirect the visitor. Requests from your own IP address, from users who have recently visited the site, or from desktop browsers are commonly shown the legitimate site. First-time visitors, mobile users, visitors arriving from search engines, and users in specific geographic regions are redirected.

This means you can visit your own site dozens of times and see nothing wrong while your customers are being sent elsewhere every time they click your Google listing.

How to check for this specifically: use a VPN service to change your apparent IP address and geographic location, then visit your site as if for the first time. Visit it from your phone on mobile data without WiFi. Ask someone in a different city or country to click your Google search result and tell you where it takes them. Use Google Search Console's URL inspection tool to see how Googlebot renders your pages — if the content Googlebot sees differs significantly from what you see in a browser, cloaking is almost certainly occurring.

What's happening technically: the redirect code is typically injected into your site's PHP files, your database, or your .htaccess file. WordPress sites frequently find malicious code inserted into functions.php, wp-config.php, or the core index.php file. The code checks visitor characteristics and either serves normal content or outputs a redirect header before any visible content loads.
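
One way to audit a .htaccess file for the visitor-dependent redirects described above; this is an added example, not code from the original article. The sample file, the redirect-target.example hostname and the audit_htaccess helper are constructed for illustration, and the parser assumes unquoted, space-separated directive arguments.

```python
import re
from urllib.parse import urlsplit

# Request attributes a cloaking rule typically tests before redirecting.
VISITOR_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER", "HTTP_COOKIE", "REMOTE_ADDR")
ABSOLUTE_URL = re.compile(r"(?i)^(?:https?:)?//")

# Constructed sample: a conditional external redirect placed above the stock
# WordPress rewrite block. Hostnames are placeholders.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/landing [R=302,L]

# BEGIN WordPress
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Redirect 301 /old-page https://www.yourdomain.com.au/new-page
"""


def audit_htaccess(text, own_hosts):
    """Return redirects to hosts outside own_hosts, with the visitor variables
    tested by the RewriteCond lines that guard each one."""
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(raw.upper())
            continue
        target, conds = None, []
        if directive == "rewriterule" and len(parts) >= 3:
            target, conds = parts[2], pending
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            target = parts[-1]  # mod_alias: the URL is the last argument
        if directive == "rewriterule":
            pending = []  # conditions apply only to the next RewriteRule
        if target and ABSOLUTE_URL.match(target):
            host = (urlsplit(target).hostname or "").lower()
            if host and host not in own_hosts:
                keyed_on = sorted(v for v in VISITOR_VARS if any(v in c for c in conds))
                findings.append({"line": lineno, "host": host, "keyed_on": keyed_on})
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.yourdomain.com.au"}):
        print(finding)
```

A finding with a non-empty keyed_on list is the pattern to look at first: a redirect to a host you do not own that only fires for certain visitors.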

Sign 2: Google Search Results Showing Strange Content

When Google's crawler visits your site, it reads your page content and uses it to build the search result listing — the title, URL, and description snippet shown to searchers. If your site has been compromised with content injection, Google may be reading and indexing content that is completely invisible to you when you view the site in a browser.

This manifests in search results in a few distinctive ways. Your site's description snippet might contain keywords related to pharmaceuticals, adult content, gambling, or counterfeit goods. Clicking on your own search result might produce a redirect to one of these destinations. Searching Google for your domain name followed by terms like "casino," "viagra," or "cheap" might reveal indexed pages on your site that you never created — pages Google has found and indexed that exist in your site's file system but are not linked from anywhere in your normal navigation.

This type of attack, known as SEO spam or search engine cloaking, is particularly damaging because it affects your Google reputation and rankings directly. Google may demote or eventually remove your site from search results if it detects that cloaked content is being served. Recovering your ranking after a significant SEO spam compromise can take months even after the malware is fully removed.

How to check for this specifically: open Google and search for site:yourdomain.com.au — this shows all pages Google has indexed on your site. Look for any URLs you don't recognise. Also try searching your domain name in Google and looking carefully at the description text of your listing. If it doesn't reflect your actual site content, something is wrong.

Check Google Search Console if you have it configured — the Coverage report will show any URLs Google has flagged as problematic, and the Security Issues report will show any malware or hacking flags Google has raised against your property.

Sign 3: Browser or Google Warnings Blocking Your Site

When Google's Safe Browsing system, or a browser's built-in protection, detects that a site is serving malware, hosting phishing pages, or engaging in deceptive practices, it begins displaying warnings to visitors before they can access the site. In Chrome, this appears as a full-screen red warning page reading "Deceptive site ahead" or "This site may harm your computer." Firefox and Safari display similar warnings.

For a business website, this is about as damaging as a sign on your shop door telling customers to leave. A visitor who encounters this warning will almost universally turn back — and they'll carry an association between your brand and danger that a clean bill of health from Google later will not fully erase.

Being placed on Google's Safe Browsing blacklist, or on similar lists maintained by security organisations like Spamhaus or MX Toolbox, also affects email deliverability. If your domain or hosting IP is blacklisted, emails sent from your business address may be filtered directly into recipients' spam folders or rejected entirely — affecting not just marketing emails but ordinary business correspondence.

How to check for this specifically: visit transparencyreport.google.com/safe-browsing/search and enter your URL. Also check mxtoolbox.com/blacklists.aspx for email blacklist status. If you have Google Search Console configured, Google will send a notification to your registered email address when it detects a security issue — this is one of the most valuable reasons to have Search Console configured for every business website.

This sign is the most urgent of the five because it has an immediate, visible impact on every visitor. If your site is displaying browser warnings, recovery and Google's review and reconsideration process should begin within hours, not days.

Sign 4: Unexpected Admin Accounts, Files, or Emails

Attackers who gain access to a website typically want to maintain that access even if their initial entry point is discovered and closed. They do this by creating backdoors — hidden mechanisms that allow them to re-enter the site after you've changed passwords and patched the vulnerability they originally exploited.

Backdoors take several forms: new administrator accounts appearing in your WordPress user list that you didn't create; PHP files in unexpected locations (in your uploads directory, in theme folders, or in the site root) containing obfuscated code; and modifications to existing core files that add small snippets of malicious code while leaving the rest of the file intact enough to function normally.

Unexpected email activity is another symptom of compromise that site owners frequently discover from external sources rather than internal monitoring. Your hosting provider may contact you to say your account is sending unusual volumes of email. Contacts may start mentioning they're receiving spam from your email address. Your email domain's reputation score on tools like Google Postmaster or MX Toolbox may deteriorate.

Some attackers use compromised hosting accounts purely as email spam infrastructure — your site itself continues to function normally while your server quietly sends millions of spam messages. This doesn't just harm recipients. It burns your domain's email reputation and can result in your business email being blocked or filtered across the internet, a problem that can persist long after the compromise is resolved.

How to check for this specifically: in WordPress, review Users and look for any administrator accounts you don't recognise. Use a plugin like Wordfence or run a Sucuri scan to check for modified core files and unknown PHP files. In your hosting control panel, check email sending logs and look for unusual outgoing volume. Check whether your hosting provider has suspended or flagged your account — this is sometimes how business owners first learn there's a problem.

Sign 5: Noticeably Slow Performance or Increased Server Resource Usage

A sudden, unexplained deterioration in your website's performance — pages loading significantly more slowly, the hosting control panel showing high CPU or memory usage, or your hosting provider warning you about resource limits being exceeded — can indicate that your server is being used for purposes other than serving your website.

Compromised hosting accounts are frequently used for cryptocurrency mining, running distributed attack scripts, storing and distributing pirated content, hosting phishing kits targeting other organisations, or processing large volumes of spam. All of these activities consume server resources that come at the expense of your site's performance and, if you're on a resource-limited plan, potentially trigger overage charges or account suspension.

This sign is the most ambiguous of the five because slow performance and high resource usage have many innocent explanations — a traffic spike, a poorly optimised plugin, a database query gone wrong. The key indicators that performance issues might be security-related are that the slowdown appeared suddenly without any corresponding change to the site, that it persists even during periods of low legitimate traffic, and that your hosting provider's resource usage graphs show consistent elevated consumption rather than the spikes you'd expect from traffic events.

How to check for this specifically: log into your hosting control panel and look at resource usage graphs over the past week or month. Compare current usage with the baseline from when you know the site was clean. Check your access logs for unusual patterns — large numbers of requests to non-existent pages, requests to PHP files in your uploads directory, or high volumes of POST requests can all indicate malicious activity. If your hosting provider offers any server-level monitoring or has a security scanning tool in the control panel, run it.
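
The three access-log patterns named above can be pulled out of a log in one pass; the following is an added example, not code from the original article. It assumes the Apache/Nginx combined log format, the log lines are constructed, and the thresholds of three are arbitrary values chosen to suit the small sample.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format is assumed; adjust the pattern for other formats.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php(?:$|[?/])", re.I)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2026:09:00:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2026:09:00:05 +1100] "GET /wp-content/uploads/2026/01/photo.jpg HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2026:09:00:09 +1100] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Feb/2026:03:14:07 +1100] "POST /wp-content/uploads/2026/01/cache.php HTTP/1.1" 200 12 "-" "-"
203.0.113.50 - - [10/Feb/2026:03:14:08 +1100] "POST /wp-content/uploads/2026/01/cache.php?a=1 HTTP/1.1" 200 12 "-" "-"
203.0.113.50 - - [10/Feb/2026:03:14:09 +1100] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"
192.0.2.99 - - [10/Feb/2026:04:00:00 +1100] "GET /no-such-page-1 HTTP/1.1" 404 0 "-" "-"
192.0.2.99 - - [10/Feb/2026:04:00:01 +1100] "GET /no-such-page-2 HTTP/1.1" 404 0 "-" "-"
192.0.2.99 - - [10/Feb/2026:04:00:02 +1100] "GET /no-such-page-3 HTTP/1.1" 404 0 "-" "-"
this line is not in combined log format
"""


def triage(log_text, post_threshold=3, notfound_threshold=3):
    """Summarise requests to PHP under uploads, POST-heavy clients and 404-heavy clients."""
    posts, notfound = Counter(), Counter()
    uploads_php, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, rather than silently drop, lines we cannot read
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if UPLOADS_PHP_RE.search(path):
            uploads_php.append((ip, method, path, status))
        if method == "POST":
            posts[ip] += 1
        if status == 404:
            notfound[ip] += 1
    return {
        "uploads_php": uploads_php,
        "heavy_posters": {ip: n for ip, n in posts.items() if n >= post_threshold},
        "heavy_404": {ip: n for ip, n in notfound.items() if n >= notfound_threshold},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A 200 response to a PHP path under uploads deserves the most attention, because it means a script there actually executed.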

How to Fix a Hacked Website: A Step-by-Step Recovery Guide

Discovering a confirmed compromise is stressful. The steps below are ordered to minimise further damage while working toward a full recovery. Do not skip steps or change their order — particularly the backup and documentation steps, which feel less urgent but matter significantly for the recovery process.

Step One: Don't Panic, But Act Quickly

The worst response to discovering a hack is either panicking and making hasty changes that complicate recovery, or delaying action because the situation feels overwhelming. Move methodically and quickly.

If your site has an active e-commerce function that may be exposing customer payment data, contact your payment gateway provider immediately and inform your hosting provider of the compromise. Depending on the nature of the breach, Australian Privacy Act obligations may require you to notify affected individuals and the Office of the Australian Information Commissioner — this is worth getting legal advice on quickly if customer data is potentially involved.

Step Two: Take the Site Offline Temporarily

While it feels counterintuitive to take your own site down, leaving a confirmed-compromised site live means continuing to expose your visitors to whatever the attackers have put in place — malware, phishing pages, redirects. Most hosting providers allow you to display a maintenance page while you work on the site behind the scenes. This protects your visitors and prevents further SEO damage from Google continuing to crawl compromised pages.

Step Three: Document Everything Before You Change Anything

Before cleaning anything, take screenshots and notes of what you've found. Log the URLs of any suspicious pages Google has indexed. Note any unfamiliar admin accounts, file names, or code snippets you've discovered. This documentation is useful for understanding the scope of the compromise, for your hosting provider, for any insurance claim, and potentially for a report to the Australian Cyber Security Centre.

Step Four: Change All Credentials

Change every password associated with the site immediately — WordPress administrator accounts, hosting control panel, FTP or SFTP access, database passwords, and any connected third-party service credentials. Do this from a device you trust on a network you trust, and use a password manager to generate genuinely strong unique passwords for each account. Enable two-factor authentication on every account that supports it.

If you've found unfamiliar administrator accounts, delete them — but only after you've secured your own access, and after documenting what you found.

Step Five: Restore From a Clean Backup - If One Exists

If you have a backup from before the compromise occurred, restoring from it is often the cleanest path to recovery. This removes all the attacker's changes at once rather than requiring you to find and remove every individual modification.

The challenge is identifying when the compromise occurred. An attack discovered today may have begun weeks or months ago. Simply restoring last night's backup may restore a version of the site that was already compromised. If you have access to backup history going back several weeks, look for anomalies — the Google indexing of strange content, the date resource usage increased, the time a suspicious file was modified — to identify a restore point that predates the compromise.

After restoring, update everything — WordPress core, all themes, all plugins — immediately, and investigate the vulnerability that allowed the initial compromise before bringing the site back online.

Step Six: Clean the Site Manually If No Clean Backup Exists

If a clean backup isn't available, manual cleaning is more labour-intensive but achievable. Start by downloading the current site files to a local environment where you can examine them safely.

For WordPress sites, replace the core WordPress files by downloading a fresh copy of the same WordPress version from wordpress.org and overwriting the existing core files — everything except your wp-content folder and wp-config.php. This removes any malware injected into core files.

Check your active theme files, particularly functions.php, for injected code. Malicious code in theme files is often obfuscated — encoded in base64 and wrapped in eval() statements — which makes it visually distinctive even if you can't read the code. If you can compare your theme files against the original versions from the theme developer, look for anything added that shouldn't be there.

Scan the wp-content/uploads directory for PHP files. No PHP files should exist in your uploads folder under normal circumstances. Any you find should be removed.

Use a reputable security plugin — Wordfence, Sucuri Security, or MalCare — to run a full file scan. These tools compare your site's files against known clean versions and flag any modifications or additions that match known malware signatures.

Clean your database using tools like phpMyAdmin to check for injected JavaScript, suspicious links, or base64-encoded content in your posts, options table, or user records. Attackers frequently inject content into the WordPress options table — specifically the siteurl, home, and widget settings — as well as into post content and custom fields.
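
The file checks in this step (PHP in uploads, eval-wrapped base64, and core files that differ from a fresh copy) can be scripted against the downloaded site files; this is an added example, not code from the original article or from any of the plugins named. The directory trees are a constructed fixture, the function names are hypothetical, and the extra PHP extensions are an assumption about server configuration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions commonly handled as PHP (assumption; depends on server configuration).
PHP_SUFFIXES = {".php", ".phtml", ".phar"}
# eval() wrapped around base64_decode(): the obfuscation pattern described above.
OBFUSCATION_RE = re.compile(rb"eval\s*\(.{0,80}?base64_decode\s*\(", re.I | re.S)

def iter_files(root):
    """Yield (relative posix path, Path) for each regular file under root."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p

def php_in_uploads(site_root):
    """PHP files under wp-content/uploads, where none should exist."""
    return [rel for rel, p in iter_files(site_root)
            if rel.startswith("wp-content/uploads/") and p.suffix.lower() in PHP_SUFFIXES]

def obfuscated_php(site_root):
    """PHP files anywhere in the tree that contain eval(... base64_decode(...)."""
    return [rel for rel, p in iter_files(site_root)
            if p.suffix.lower() in PHP_SUFFIXES and OBFUSCATION_RE.search(p.read_bytes())]

def diff_against_clean(site_root, clean_root):
    """Compare core files by SHA-256 with a fresh copy of the same WordPress version.
    wp-content and wp-config.php are site-specific and skipped. Returns (modified, unexpected)."""
    clean = {rel: hashlib.sha256(p.read_bytes()).hexdigest()
             for rel, p in iter_files(clean_root)}
    modified, unexpected = [], []
    for rel, p in iter_files(site_root):
        if rel == "wp-config.php" or rel.startswith("wp-content/"):
            continue
        if rel not in clean:
            unexpected.append(rel)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != clean[rel]:
            modified.append(rel)
    return modified, unexpected

def build_demo(tmp):
    """Constructed fixture: a tiny 'clean' tree and a tampered 'site' tree."""
    files = {
        "clean/index.php": "<?php require 'wp-blog-header.php';",
        "clean/wp-includes/version.php": "<?php $wp_version = 'x.y';",
        "site/index.php": "<?php /* injected line */ require 'wp-blog-header.php';",
        "site/wp-includes/version.php": "<?php $wp_version = 'x.y';",
        "site/wp-load-cache.php": "<?php // not part of the clean copy",
        "site/wp-config.php": "<?php // site-specific settings",
        "site/wp-content/uploads/2026/01/photo.jpg": "not really a jpeg",
        "site/wp-content/uploads/2026/01/thumb.php": "<?php // should not be here",
        "site/wp-content/themes/demo/functions.php":
            "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); // constructed marker",
    }
    for rel, body in files.items():
        path = Path(tmp) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(tmp) / "site", Path(tmp) / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo(tmp)
        print("PHP in uploads:", php_in_uploads(site))
        print("Obfuscated:", obfuscated_php(site))
        print("Core diff (modified, unexpected):", diff_against_clean(site, clean))
```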

Step Seven: Close the Vulnerability

Cleaning the site without addressing how the attacker got in leaves you vulnerable to immediate recompromise. Common entry points for Australian WordPress sites include outdated plugins with known security vulnerabilities, weak or reused administrator passwords, poorly secured FTP credentials, compromised themes from untrustworthy sources, and shared hosting environments where another site on the same server was compromised first.

Update everything that has an available update. Remove any plugins or themes you're not actively using. Review your file permissions — WordPress files should be 644 and directories 755 in most configurations. If you're on shared hosting and suspect the compromise came from a neighbouring site, contact your hosting provider and consider moving to managed hosting with better account isolation.

Install a web application firewall if one is not already in place. Wordfence's free tier provides effective firewall protection for WordPress sites. Cloudflare's free plan provides an additional network-level layer of protection.

Step Eight: Request Review From Google

Once the site is clean, updated, and protected, submit a reconsideration request through Google Search Console if your site received a manual security action, and use the URL inspection tool to request indexing of your key pages. If your site was placed on the Safe Browsing blacklist, Google will re-review it once you've submitted a request confirming the issues have been resolved. This process typically takes a few days to a couple of weeks.

Check your blacklist status on MX Toolbox and submit removal requests to any email blacklists your domain appears on. Most have a removal request form and process requests within a few days once the underlying issue is confirmed resolved.

Step Nine: Monitor Closely After Recovery

The week after recovery is a critical monitoring period. Keep a security plugin's monitoring active and check its alerts daily. Watch your Google Search Console for any new security flags. Monitor your server resource usage for any return to abnormal levels. Set up uptime monitoring if you don't have it — UptimeRobot's free tier monitors every five minutes and sends immediate alerts.

Consider engaging a professional security service for a post-recovery audit if the compromise was significant, if customer data may have been exposed, or if you don't have confidence that the cleaning was complete. The cost of professional remediation is considerably less than the cost of a second compromise.

Preventing the Next Compromise

Recovery from a hack is an opportunity to put in place the practices that prevent recurrence. Keep every component of your site updated on a regular schedule. Use a password manager and enforce strong unique credentials for every account with site access. Implement two-factor authentication on WordPress and your hosting control panel. Maintain backups that are stored offsite and tested periodically. Install a web application firewall. Monitor your site's security status through a tool like Wordfence or Sucuri on an ongoing basis.

If the time and technical complexity of doing this consistently feels like more than you can reliably commit to, a professional website maintenance plan from a reputable Australian provider is worth serious consideration. The monthly cost is modest compared to the time, stress, and potential business damage of a significant compromise — particularly one that isn't discovered quickly.

Most hacks succeed because of neglect rather than sophistication. A site that's kept current, monitored actively, and protected by a firewall is a significantly harder target than one left to run unattended — and in an environment of automated, opportunistic attacks, being a harder target than the next site is often sufficient protection.

FAQs About 5 Signs Your Website Has Been Hacked (and How to Fix It)

What are the most common signs of a hacked website?
Common signs include unexpected pop-ups or redirects, Google blacklist warnings, sudden drop in traffic, new admin users you didn't create, spammy content appearing, and slow or unstable site performance.

What should I do immediately if my website is hacked?
Immediately take the site offline, change all passwords (hosting, FTP, CMS, database), contact your hosting provider, restore from a clean backup, and scan for malware. Then engage a security professional to identify the entry point.

How can I prevent my website from being hacked again?
Implement regular security updates, use strong passwords with two-factor authentication, install a web application firewall (WAF), perform regular backups, and schedule ongoing security monitoring through a professional maintenance plan.