First off, most web designers would not admit they've been hacked, but they have. Maybe it was back when they were starting out, or maybe it was last week. Maybe it wasn't even a website but an email account. It just happens. I don't know why or how (exactly), but it has happened to anyone who uses scripts like Wordpress and shared servers to build websites, and that's most of us. Now that I've moved to a professional host for clients, only a few of my older websites are targets for hackers. Hacked websites are a frustration, but it's the ones you don't know about that are an even bigger disaster.
The website looks fine and seems to work fine. No one has complained. Maybe the Google rankings have dropped, but you're not searching for your own website, so you don't notice that, either. It's the perfect hacker crime, and you go right along sending people to the website from your Facebook page or email newsletters. Eventually, your hosting provider will send you an email threatening to close your account if you don't fix whatever you're doing (and you will be blamed). I don't know how often it happens like this, but I just found a website that fits this description perfectly. A Lutheran website with a lot of updates and important information that was hacked, still sitting there and still being linked to.
I found the website when I was searching for a school that was interested in interviewing my wife. I kind of wondered why Google results only showed the church page and not the school page. If it had shown the school page, there likely would have been the little Google warning next to the search results saying, "This site might be hacked." The fact that the result is no longer even showing up in Google tells me it's been hacked for some time. The problem is that the church website links right out to it and tells current and potential parents to go there for more information.
On my old laptop in the basement, this was not a problem, maybe because I'm running it on Ubuntu instead of Windows. My main computer, however, went nuts when I navigated to the page, as you can see in the video below. This wasn't a normal hack that just adds weird links to the website to try to make money on affiliate ads. This one wanted to do something to my computer, and my AVG starting dinging at me to get out of there.
When I looked at the source code, I could see what looked like a hack (I've seen the code enough times). But I also knew it was an older website, so I figured maybe it was just some old Flash code that was confusing my anti-virus. Eventually, I remembered to use Sucuri, a free tool that tests websites for hacks. I found that the problem was malware on the website. This means that those navigating to the website are possibly in danger of having their computers compromised. If it's been hacked for a while, I'm surprised no one had told the school about it, but not everyone has browser shields installed. Or they ignored the warnings. Either way, take it seriously if someone suggests your website might be hacked. At least use Sucuri to find out if there's anything obvious.
If you do find a problem that could harm those who show up on your website, it's best to redirect away from the website. In the case mentioned here, the church had a website hosted on a different server, so only the school website was hacked and dangerous. You do not really have to let the world know you're website's been turned into a malware factory, but you should shut it down immediately.
The "Then What?" phase comes next. Replace the website and wait. Ask Google to forget your problems with Webmaster Tools. Write articles, link to the website, and ask people to come back.
Most Lutheran church and school websites are not hacked. This was the first I'd seen in about 200 assessments. But ineffective websites aren't always just about being hacked, and feel free to contact me if you want a free website evaluation that will give you simple advice.