Common problem

Something is wrong with your site security

These problems are not one problem. A certificate warning is an afternoon of work. An actively compromised site is urgent and the steps are different. Start by working out which one you have.

First question: is your site actively compromised, or is it showing a warning? These get treated as the same emergency and they are not.

A browser saying Not Secure means the connection is not encrypted or the certificate is missing, expired, or mismatched. Unpleasant, visible to every customer, and usually straightforward to fix. It does not mean anyone got in.

Injected spam links, unexplained redirects, pages you did not write, or a Google warning shown to visitors mean something got in. That is urgent, the steps below are different, and restoring a backup without finding the entry point simply resets the clock until it happens again.

What each warning actually means

The wording is precise and it is worth knowing what it is telling you, because people read all of these as hacked and most of them are not.

Not Secure

No encryption on this connection, or no valid certificate. Anything typed into a form on that page travels readable across the network. Nobody has necessarily attacked you. You just do not have a certificate installed, or the one you have is not doing its job.

Your connection is not private, or NET::ERR_CERT_...

A certificate exists but the browser will not accept it. Almost always one of three things: it expired and the renewal did not run, it was issued for a different name (the classic being www.yourdomain.com when the visitor came to yourdomain.com), or it is self signed. Read the detail text in the warning; it names which of these it is.

Mixed content, or a padlock that will not appear

The page loads securely but pulls in at least one file over plain HTTP. Browsers either block it or drop the padlock. A single old image URL hardcoded years ago is enough. The browser console lists exactly what it is.

This site may be hacked, or Deceptive site ahead

This one is serious. Google is telling searchers or visitors that something is wrong, and it costs you traffic immediately. Search Console reports the detail under Security Issues, including what was found and where. Do not guess at this one; read the report.

Spam links or content you did not write

Injected content, often hidden from you and shown only to search engines or to visitors arriving from search. A telltale is searching site:yourdomain.com and finding pages about products you have never sold. This is a compromise, not a glitch.

Unexplained redirects

Visitors, often only mobile visitors, land somewhere else entirely. Frequently invisible when you test it yourself, because the injected code deliberately skips anyone who looks like the site owner.

The likely causes, ranked

Roughly in order of how often each one turns out to be the real story on a small business site.

  • A missing, expired or mismatched certificate. The most common by far, and the least dangerous. Renewal did not run, or the domain moved and nobody reissued.
  • Mixed content after a move to HTTPS. The certificate went on, the old http:// asset links stayed.
  • Outdated plugins, themes or content management system versions. The number one route in for an actual compromise. Public vulnerability, no patch applied, automated scanner finds it.
  • Weak, reused or shared logins. One password shared across the team, still working for someone who left, and reused on a site that got breached. Admin accounts with no second factor.
  • No backups, or backups nobody has tested. Not a cause of a breach, but it decides whether a breach is an afternoon or a catastrophe.
  • Abandoned software still installed. An old forum, a staging copy, a plugin deactivated but never deleted. Deactivated code on the server is still code on the server.
  • Credentials in the wrong places. Passwords in email threads, keys committed to a repository, a hosting login on a shared spreadsheet.
  • A domain anyone can send mail as. Not a website compromise, but the same family of problem: with no DMARC policy published, nothing stops someone sending invoices in your name. See business email going to spam, which covers the same three records from the delivery side.

If your site is actively compromised, do this in this order

  1. Contain it

    Take the site into maintenance mode or offline. It is currently harming visitors and your reputation with every load. A down site is better than a site distributing malware.

  2. Preserve the evidence before cleaning

    Copy the current files and database somewhere safe first. Deleting the malicious code destroys the only record of how they got in, and the entry point is the whole problem.

  3. Change every credential from a device you trust

    Content management system, hosting, database, FTP, DNS, registrar, and any email account tied to them. If a machine may be infected, do not type new passwords into it.

  4. Find the entry point

    Which plugin, which version, which account. Restoring a clean backup without answering this means you get compromised again through the same open door, usually within days.

  5. Clean or rebuild

    Restore a backup from before the compromise if you have a dated one you trust, then patch immediately. Where the software is unsupported, a rebuild is often faster and safer than cleaning code you cannot verify.

  6. Close the hole and then ask for a review

    Patch, remove abandoned software, add a second factor on every admin login. Once it is genuinely clean, request a review in Search Console so the browser warning is lifted.

  7. Watch it for weeks afterwards

    Reinfection is common, because the second visit uses the backdoor left on the first. Monitoring is not optional after a compromise.

What to check yourself, whatever your situation

  • Look at the address bar on a page you did not open from a bookmark. Padlock or warning, and read the exact wording. The wording tells you which problem you have.
  • Check the certificate expiry date. Click the padlock and read it. Certificates that renew automatically still fail quietly when a domain moves.
  • Try both www and the bare domain, on http and https. All four should end up at one secure address. If one throws a warning, the certificate or the redirects are incomplete.
  • Search site:yourdomain.com. Look for pages you did not write. Injected spam pages show up here before anywhere else. Related reading: what a site: search tells you.
  • Check Search Console Security Issues. If Google has found something, it is reported here in plain terms. This is also how you request a review after cleaning.
  • List every account with admin access. Including former staff, former developers, and that agency from four years ago. Remove what should not be there.
  • Check whether your software is still supported. Unsupported means known holes stay open forever. This often overlaps with an outdated site.
  • Find your last backup and prove it restores. An untested backup is a hope. Test it before you need it.

When to bring in help

Some of this is genuinely yours to do. A certificate that needs renewing, an admin account that should have been removed, a plugin that needs updating: all reasonable to handle yourself. Bring someone in when:

  • The site is actively compromised. This one we would not do alone if it were our business. The cleaning is the easy part; finding the entry point and proving it is closed is not.
  • Google is showing a warning to your visitors. Every hour of that is costing you, and the review process rewards doing it right the first time.
  • The certificate looks correct and the warning persists. That usually means DNS, redirects or proxy configuration, which is Cloudflare management work.
  • You are on unsupported software and cannot update without breaking the site. That is a real fork in the road and it needs a plan, not a patch.
  • You have no backups and no monitoring. That is what website security and maintenance are for, and it is worth far more before an incident than after.

Who this is for

  • Owners seeing a Not Secure warning and unsure how bad it is
  • Businesses whose site has been hacked, defaced, or is redirecting visitors
  • Anyone with spam pages appearing under their domain in search
  • Sites running plugins and themes nobody has updated in years
  • Businesses with shared admin logins and no idea who still has access

When this is not the right fit

  • Anyone wanting an assurance that a site can never be compromised. Nobody can honestly offer that, and hardening reduces risk rather than removing it.
  • Sites already on HTTPS, on supported software, with tested backups and no warnings. Nothing is wrong. Keep it that way.
  • Businesses looking for a scanner subscription instead of fixing the unsupported software underneath. The scanner will just keep telling you the same thing.

What SolvenceHQ can help with

We tell you first whether this is urgent, because most people cannot tell and the difference decides everything. A certificate warning and a live compromise get very different responses.

  • Certificates, HTTPS and the redirects that make one canonical secure address
  • Track down mixed content so the padlock actually appears
  • Compromise response: contain, find the entry point, clean, and close it
  • Removing abandoned software, stale admin accounts and shared logins
  • Second factor on the accounts that matter, and credentials out of email threads
  • Backups you control and monitoring through maintenance, plus hardening against the common attacks

Common questions

What does Not Secure in the address bar actually mean?

It means the connection between the visitor and your site is not encrypted, or the certificate proving your identity is missing, expired, or does not match the address being visited. It does not mean your site is hacked, and it does not mean it has a virus. It means anything typed into that page travels in the open.

Browsers show it prominently because it is genuinely worth knowing. To your customer it reads as a warning about your business, which is why this is worth fixing on day one rather than day thirty.

My certificate is installed but the padlock still does not show. Why?

Usually mixed content: the page itself loads over HTTPS but something on it, an image, a script, a stylesheet, still loads over plain HTTP. One insecure image is enough to break the padlock on an otherwise correct page. Your browser console will name the offending file.

The other common causes are a certificate issued for www but not the bare domain, or a certificate that expired and did not renew. Certificate and DNS configuration is covered under Cloudflare management.

I think my site has been hacked. What do I do first?

Treat it as urgent, and do not start by deleting things. Take the site offline or into maintenance mode so it stops harming visitors, change every password from a device you trust, and preserve a copy of the current state before you clean anything. That copy is how anyone works out how they got in.

Restoring a backup without finding the entry point just means being hacked again next week through the same hole. The order matters: contain, understand, clean, then close the door.

Why would anyone attack a small business site?

Because nobody chose you. The overwhelming majority of small site compromises are automated: scanners crawl the web looking for known vulnerable software versions and try the hole on everything they find. It is not personal, which is precisely why running unsupported software is such a bad bet. You do not have to be a target to be a victim.

Do I really need backups if my host says they have them?

Ask two questions: how far back do they go, and have you ever restored one? Host backups are often kept for a short window, and a compromise discovered a month later may already be baked into every copy. A backup you have never tested is a hope, not a plan. Backups you control, kept somewhere other than the server they protect, are part of maintenance for a reason.

Get a Quote

Not sure how serious this is?

Tell us what you are seeing, including the exact wording of any warning. We will tell you whether it is urgent and what it will take.