Hidden betting or pharmacy links on your site? You may have been hacked
While checking a beauty spa's website, we found its homepage code stuffed with Turkish betting-site keywords — invisible to the owner, plain as day to Google. The owner had no idea; nothing looked different in a browser.
This is what a quiet hack usually looks like on small sites: not a defaced homepage, but hidden links and keywords injected for someone else's SEO.
Why it costs you customers
Google can flag or demote hacked sites — some get a 'This site may be hacked' label in results, which is close to a closed sign.
The injected links change what your site appears to be about, poisoning your own rankings.
It rarely fixes itself: the same hole that let the spam in stays open.
Check it in 30 seconds
View your page source and search for words you'd never publish: casino, viagra, bet, bonus. Also search Google for site:yourdomain.com.au and scan for pages you don't recognise.
Our free health check scans your homepage for known spam markers automatically.
How to fix it
Change your hosting, CMS and FTP passwords first. Then check for unfamiliar admin users and delete them.
On WordPress: update core, theme and every plugin; remove plugins you don't use; run a scanner like Wordfence. If the site is old and unmaintained, restoring from a clean backup then updating everything is often faster than hunting the infection.
In Google Search Console, use Security Issues → request a review once you're clean, so any penalty is lifted rather than left to expire.
That is a reasonable reaction — cleanup is fiddly. Any competent web person can do it in a few hours; make sure they also close the hole (updates, strong passwords), not just delete the spam.
The most common way small Australian sites get hacked is not clever attackers — it is a WordPress plugin that has not been updated since the site was built. If nobody has logged into your site admin for a year, treat updates as overdue maintenance, like a fire-extinguisher check.