The owner of a local HVAC company (let’s call him Steve) called my office recently. He wanted me to have our team review his website and make some recommendations for how he might convert more website visitors into leads.

As I hung up the phone, I realized that Steve hadn’t given me his website address, so I searched his company name online and clicked on what was clearly his company’s website. But, as Steve’s website loaded, I realized something was very wrong. The site loading on my oversized computer screen was not for an HVAC company, and it definitely wasn’t safe for work!

I called Steve back and said, “Hey, have you visited your website lately? Forget leads — you’ve got a more immediate problem that needs solving.” I explained to him what I did and what came up on his website. Skeptical, Steve typed his website address directly into his browser. Anxiously, I waited for his horrified response. Much to my surprise, that response never came. To Steve, the site looked absolutely normal.


It turns out that Steve’s website had been hacked. What the hackers did was pretty clever. They injected a malicious script, basically some code, into Steve’s webserver. Once the script is there, the site looks fine if a visitor accesses the site directly by typing the address into his or her browser; however, if an individual searches for the site and clicks on the link from the search engine results page, the address leads to a soft porn site.

Hackers do things like this because they know 70-80 percent of a company’s website traffic comes from Google, but company employees probably visit their website by typing the address directly into the web browser. By inserting a “sneaky” redirect that reroutes only visitors referred by Google, the hackers can siphon off the majority of a company’s website traffic while employees remain blissfully unaware a problem exists.
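A site owner can check for this kind of referrer-dependent redirect by requesting the page twice, once as a typed-in visit and once with a search-engine referrer, and comparing the answers. The sketch below is an added example, not part of the original article; the function names, the referrer value, and the size tolerance are assumptions chosen for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

SEARCH_REFERER = "https://www.google.com/"  # assumed value for the "came from search" visit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow redirects; the redirect itself is the evidence


def fetch(url, referer=None, timeout=10):
    """Return (status, Location header or None, body length) for one visit."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # unfollowed 3xx responses are raised as HTTPError
    return resp.getcode(), resp.headers.get("Location"), len(resp.read())


def referrer_cloaking_signs(site_url, direct, referred, size_tolerance=0.25):
    """Compare a typed-in visit with a search-referred visit; return findings."""
    findings = []
    site_host = urlparse(site_url).hostname
    (d_status, d_loc, d_len), (r_status, r_loc, r_len) = direct, referred
    if r_loc and r_loc != d_loc:
        target = urlparse(r_loc).hostname
        if target and target != site_host:
            findings.append(f"search-referred visit redirects off-site to {target}")
        else:
            findings.append(f"search-referred visit redirects to {r_loc}")
    elif d_status != r_status:
        findings.append(f"status differs: direct {d_status}, referred {r_status}")
    if d_len and abs(d_len - r_len) / d_len > size_tolerance and not r_loc:
        findings.append("page body differs substantially between the two visits")
    return findings


def check_site(site_url):
    """Fetch the page both ways (needs network access) and compare."""
    return referrer_cloaking_signs(
        site_url, fetch(site_url), fetch(site_url, referer=SEARCH_REFERER))
```

This comparison only sees what the server sends back; a redirect performed by script inside the visitor's browser has to be checked by actually clicking through from a search results page.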


Hacking is something that happens to companies as big as Home Depot and Target and as small as the mom and pop shop down the street. Every week, my office receives at least a half dozen calls from small, local business owners in desperate need of a hacked website cleanup, and the volume of these calls appears to be increasing.

E-commerce websites are certainly a major target for hackers because some of them store personal financial data, but the threat to most small-business, non-e-commerce websites comes in the form of robots and programs built by hackers to search for and take advantage of security loopholes. If a site has vulnerabilities, these bots will find them.


Some may be saying, “What’s the big deal? The company doesn’t operate as an e-commerce website. So there are some scantily clad women on the website. Some people might call that an improvement.” Trust me when I say that dealing with a hacked website can be very costly no matter what type of website we’re talking about.

At a minimum, a hacked site can damage a business’s reputation. Even if the owner’s not offended by some women in the buff or redirects from the site to an adult entertainment website, more than a few customers will be. And, it’s not always scantily clad women that appear on hacked sites.


Over the last two to three years, Google has taken major steps to protect its users from clicking on hacked sites. Perhaps you’ve even seen Google’s warning messages, such as, “This site may harm your computer,” when browsing a search results page. People will rarely click on sites with that notification. This warning alone is enough to lose sales — permanently.

Beyond warning consumers, Google may also potentially penalize a hacked site by effectively removing it from its search results pages until action is taken. If a website utilizes Google Search Console, a web manager may receive a message like the one shown to the left.

Of course, if a company’s website is not ranking on Google for keywords relevant to its business, the business, without question, is losing leads and sales. Considering that Google’s organic search is responsible for more than half the traffic most HVAC contractor websites gain, having a site banned from Google is a major issue.

It’s hard to believe the number of business owners who invest thousands of dollars on search engine optimization (SEO) in order to improve their sites’ first-page rankings but then have to remove their sites from Google because they were pennywise and pound foolish regarding their website hosting and website maintenance procedures. Don’t be one of them.


In addition to the leads and sales a company’s losing while the hacked site has been penalized by Google, management is also going to lose money paying a website developer to diagnose and fix the problem. Sometimes the fix is simple, but, other times, years of neglect lead to complex and costly fixes. Sometimes things are so serious we recommend the website be completely rebuilt.

Like most things, an ounce of prevention is worth a pound of cure. The first step to prevent a website from being hacked is to select a reputable website hosting company. I know some web marketing companies host their clients’ sites from an old computer in the garage. A company’s website isn’t a hobby; it’s a growth engine. Treat it that way.

Also, use strong passwords. One of the reasons so many small business websites get hacked is because the business owner, its marketing gal, or web development company uses passwords like, “admin123” or “soccer” or “password.”

When it comes to creating passwords for a website hosting account and the website’s content management system (and the MySQL database related to the CMS), do not use the same passwords that are used for every other site, and use passwords that are at least eight characters and that include upper/lowercase letters, numbers, and symbols.

Finally, keep the website’s content management system (e.g., WordPress, Joomla, etc.) up to date. Most content management systems (CMS) use plugins. From time to time, plugins are updated — mostly to patch an identified security issue. When plugins are updated, a facilitator must apply those updates to the site. A good Web marketing firm can do this via some type of webmaster services agreement or as part of the hosting package.


Most HVAC contractors spend as little time thinking about their websites as possible. That’s understandable. Owners have businesses to run, equipment to install and repair, and customer and employee issues to deal with. The last thing on upper management’s mind is monitoring a website to see whether or not it’s been hacked.

But, hacked websites aren’t a problem limited to big companies or fancy e-commerce websites. Small business websites get hacked all the time. Some owners have no idea it has happened to them until they get a seemingly bizarre call from a prospect, customer, or vendor telling them the bad news.

The company’s website is one of its most valuable assets. Not taking some minimal steps to secure it is like leaving the front door unlocked. Even in the safest parts of town, in my opinion, that’s not a good idea.

Publication date: 7/4/2016
