This week, news broke that multiple NHS Scotland GP practice websites had been compromised. Instead of providing patients with surgery information and appointment details, these domains were quietly redirecting visitors to adult content and illegal sports streaming sites. The hijacking had gone unnoticed for months — possibly since January 2026.

If you're a small business owner thinking "that's an NHS problem, not mine," think again. The attack methods used here are the same ones targeting small business websites every single day. Let's break down what happened and, more importantly, what you should be doing to protect your own online presence.
What Actually Happened?
At least two GP practice websites operating under the official scot.nhs.uk domain were found to be serving links to pornography and pirated sports streams. The compromised sites had been indexed by Google, meaning anyone searching for these practices could have stumbled onto the illicit content.
One of the affected domains was a legacy website — an old site the practice had stopped using but never properly decommissioned. The other was the practice's live, active website. In both cases, the underlying cause appears to be a compromised WordPress installation rather than a breach of NHS Scotland's core infrastructure.
NHS Greater Glasgow and Clyde confirmed that no patient data was exposed and that the practice's primary systems were not affected. But the reputational damage and the potential for patient harm through malicious redirects are significant.
Why This Matters to Your Business
Here's the uncomfortable truth: if a website operating under an official government health domain can be hijacked and left compromised for months without anyone noticing, it can absolutely happen to your business website too.
Small businesses are disproportionately targeted by this type of attack because they typically have fewer resources dedicated to website maintenance and security monitoring. Attackers aren't interested in your business specifically — they want your domain's search engine authority to boost their own dodgy content.
The consequences for a small business can be severe:
- Google blacklisting — your site gets flagged as unsafe and disappears from search results
- Customer trust destruction — visitors see inappropriate content associated with your brand
- Data breach liability — if attackers access customer information through your compromised site
- Recovery costs — cleaning up a hacked site can cost thousands of pounds
- ICO scrutiny — if personal data is involved, you may face regulatory action
The Legacy Website Problem
One of the most important lessons from this incident is about legacy websites. When The New Surgery in Kilmacolm moved to a new domain, their old website was left in place, unmanaged and unmonitored. Attackers eventually found it and exploited it.
Many small businesses have old websites sitting on hosting accounts they've forgotten about. Perhaps you redesigned your site two years ago but never took the old one down. Maybe you registered a domain for a project that never launched but left a basic WordPress installation on it. These forgotten digital assets are prime targets.
Take an inventory of every domain and website associated with your business. If it's not actively in use, take it offline. If you can't take it offline, ensure it's redirected properly to your current site and that any underlying CMS is kept updated.
WordPress: The Double-Edged Sword
WordPress powers roughly 40% of all websites on the internet, making it an enormously popular target. The NHS Scotland compromise appears to have occurred through the WordPress installations themselves rather than through DNS manipulation; a compromised CMS installation is in fact the more common attack vector for small business sites.
If your business website runs on WordPress, here's your essential security checklist:
- Keep everything updated — WordPress core, themes, and every single plugin. Outdated plugins are the number one way attackers get in
- Remove what you don't use — deactivated plugins and unused themes are still vulnerable. Delete them entirely
- Use strong, unique passwords — and enable two-factor authentication on all admin accounts
- Install a security plugin — tools like Wordfence or Sucuri provide firewall protection and malware scanning
- Limit login attempts — prevent brute-force attacks by restricting failed login attempts
- Take regular backups — automated, off-site backups mean you can restore quickly if the worst happens
- Choose your hosting wisely — managed WordPress hosting providers handle many security updates for you
How to Tell if Your Site Has Been Compromised
One of the most troubling aspects of the NHS Scotland incident is how long it went undetected. The compromised content had been indexed by Google for months. Here are warning signs to watch for:
- Unexpected pages appearing in Google search results for your domain (search site:yourdomain.co.uk regularly)
- Google Search Console warnings about security issues or manual actions
- Unusual spikes in traffic, particularly from overseas
- New admin users you didn't create
- Modified files, particularly in theme and plugin directories
- Customer reports of strange redirects or content
Set a calendar reminder to check these things monthly. It takes ten minutes and could save you thousands.
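Two of the warning signs above (new files and modified files in theme, plugin and upload directories) can be checked with a simple file-integrity snapshot: record a hash of every file after a clean update, then compare on each monthly check. The script below is an added example for this post, not something from the affected practices or from WordPress itself; it builds a constructed WordPress-like directory in a temp folder, takes a baseline, simulates tampering and reports the differences. Directory names such as example-theme and example-plugin are made up for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directories attackers most often tamper with in a hijacked WordPress install
WATCHED = ("wp-content/themes", "wp-content/plugins", "wp-content/uploads")

def hash_tree(root):
    """Return {relative_path: sha256} for every file under the watched directories."""
    root = Path(root)
    digest = {}
    for sub in WATCHED:
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digest

def save_baseline(snapshot, path):
    """Store the clean snapshot somewhere outside the web root for the next check."""
    Path(path).write_text(json.dumps(snapshot, indent=1))

def compare(baseline, current):
    """Classify every change since the baseline snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # PHP files appearing under uploads/ are a classic sign of injected code
    suspicious = [p for p in added + modified
                  if p.startswith("wp-content/uploads/") and p.endswith(".php")]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}

def demo():
    """Constructed tree: take a baseline, then simulate a compromise and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/example-theme").mkdir(parents=True)
        (root / "wp-content/plugins/example-plugin").mkdir(parents=True)
        (root / "wp-content/uploads/2026/01").mkdir(parents=True)
        (root / "wp-content/themes/example-theme/functions.php").write_text("<?php // clean theme\n")
        (root / "wp-content/plugins/example-plugin/plugin.php").write_text("<?php // clean plugin\n")
        baseline = hash_tree(root)
        save_baseline(baseline, root / "baseline.json")  # would normally live off the web root
        # Simulated tampering: theme file altered, unexpected PHP file dropped into uploads/
        (root / "wp-content/themes/example-theme/functions.php").write_text("<?php // altered\n")
        (root / "wp-content/uploads/2026/01/wp-cache.php").write_text("<?php // injected\n")
        return compare(baseline, hash_tree(root))
```

Any entry in the modified or suspicious lists on a site you have not deliberately changed is a reason to investigate that day rather than next month.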
The Bigger Picture: Domain and DNS Security
Cybersecurity experts commenting on the NHS Scotland incident raised the possibility of DNS-level compromise — where attackers manipulate the records that tell browsers where to find your website. While this appears not to have been the case here, DNS attacks do happen to small businesses.
Protect yourself by enabling two-factor authentication on your domain registrar account, using registrar lock to prevent unauthorised domain transfers, and monitoring your DNS records for unexpected changes. Your domain name is one of your most valuable business assets — treat its security accordingly.
What to Do Right Now
Don't wait until your website is serving content that would make your customers blush. Take these steps today:
- Audit your domains — list every domain and subdomain your business owns and check what's running on each one
- Update everything — log into your website's admin panel and update WordPress, plugins, and themes immediately
- Check Google — search site:yourdomain.co.uk and review every result. Anything unexpected needs investigating
- Enable 2FA — on your website admin, domain registrar, and hosting control panel
- Retire old sites — take down any websites or domains you're no longer actively using
- Set up monitoring — free tools like Google Search Console and UptimeRobot can alert you to problems early
If it can happen to the NHS, it can happen to anyone. The difference is whether you spot it in days or months.
Not Sure Where to Start?
Our website security health check can identify vulnerabilities before attackers do. Get peace of mind for your business.