How to Scan a Website for Malware and Fix Hacked Sites

There are numerous website malware removal tools and services available that can scan your website, isolate the infection, and remove it for good. Most companies also offer blacklist removal from Google and other website blacklists. However, not every option is trustworthy, and some malware removal services could actually put your site at further risk of infection.

If you need to scan your website for malware or fix a hacked website immediately, these services provide both emergency malware removal services and ongoing website security to protect against infections.

7 best website malware removal tools and services

Of the many website malware removal tools and services on the market, the best options to consider include:

  1. SiteGuarding: Best all-around service to fix hacked sites
  2. Sucuri: Great for small budgets
  3. Wordfence: Best for WordPress websites
  4. SiteLock: Partnered with multiple hosting companies
  5. Comodo cWatch: Offers free website malware removal
  6. Malcare: Offers high-quality, free scanning for WordPress
  7. GoDaddy: Provides a low-cost website security option

When my professional website got infected with malware last year, I didn’t know until a visitor told me she was getting weird pop-ups after hitting my home page. I wasn’t able to replicate the issue myself, so I ignored it—until several other users told me they experienced the same thing. I only discovered the threat after performing a deeper-level malware scan on my site.

Thankfully, I avoided any serious problems, but if you believe your website was compromised and is serving up malware, the consequences could be significant. Google may put your website on its blacklist and remove your site from search results.

Because of the seriousness of website malware, we researched several dozen small and large malware removal services and then whittled our list down to seven trustworthy providers that can help repair hacked sites.

Criteria for a good website malware removal service

For website malware removal, you’ll want to opt for a service that meets most or all of the following criteria:

  • Has a good reputation
  • Offers scanning and removal at a reasonable cost
  • Provides dedicated Content Management System (CMS) plugins/extensions (for example, for WordPress, Joomla, or Drupal)
  • Can also work with multiple CMS and custom-coded sites
  • Provides a free scanning tool or service
  • Offers blacklist removal (Google at a minimum)
  • Capable of removing multiple forms of website hacking and malware
  • Offers multiple communication methods (phone, email, live chat)
  • Provides continued site protection and support after restoration, which includes a web application firewall (WAF) as well as regularly-scheduled malware scanning and removal

Let’s explore each of these options in more detail below.

1. SiteGuarding

Not to be confused with the similarly-named service (SiteGuard), SiteGuarding is a website security company that offers a litany of unique services and features that make it a standout among the other options on our list. The service maintains web security protection for a long list of CMSs and provides both regular malware removal and emergency malware removal for when your website suffers a major hack.

The company doesn’t boast an extensive name-branded client list like Wordfence or Sucuri. Still, most reviews from various review aggregation sites are overwhelmingly positive. It also provides plugins/extensions for half a dozen popular and lesser-used content management systems.

Notable features

The list of features you get through SiteGuarding depends on what you’re using the service for. If you’re signing up for malware removal (regular or emergency services), you’ll get virus cleaning and backdoor removal. The company promises to clean hacked websites within 24 hours. In fact, SiteGuarding advertises emergency malware removal in as little as 1–3 hours.

Unlike with most options on this list, malware removal is a one-time service with SiteGuarding instead of part of a subscription.

Alongside cleaning your site, the SiteGuarding malware removal service offers:

  • Blacklist checking removal from multiple blacklists (Google, McAfee, Norton)
  • Core files check on up to 10,000 WordPress and Joomla CMS files
  • SQL injection prevention
  • Analysis of website backups and server logs
  • Website acceleration
  • Installation of security plugins (Portal plan only)
  • Website monitoring (Portal plan only)

The features you get will depend on which removal plan you purchase, with prices ranging from $49.95 to $200 USD for one site. Multisite malware removal will come with an additional cost.

SiteGuarding offers not just one, but five separate free website scanning tools. You can check your site against the company’s Outbound Link Scanner, Malware Scanner, Spam SEO Scanner, Blacklist Checker, and a Website Antivirus Scanner (requires installation onto your website as a PHP file). The company also offers a free security audit, which can be initiated over email or live chat.

The service’s free scanners are of questionable effectiveness, however, so we recommend using the free security audit instead.

Pricing

With SiteGuarding, you’ll be able to remove website malware using the following options:

  • Malware Removal Only: $49.95
  • High Priority Malware Removal: $109.95

You can also choose a package that offers malware removal, bug fixes, and more website security options:

  • Blog Package: $100
  • Standard Package: $125
  • Business Package: $150
  • Portal Package: $200

Note that blacklist removal does not come with the “Malware Removal Only” service. If you want blacklist removal, you’ll need to opt for one of the extended packages.

Here’s what each extended package includes:

Blog Package: Up to 1,000 core files checked for WordPress CMS, backdoor removal, SQL injection prevention, blacklist removal (Google only), and a 30-day guarantee.

Standard Package: Everything in the Blog Package, as well as up to 5,000 core files checked for WordPress and Joomla CMS, blacklist removal for Google, McAfee, and Norton, and security analysis on website backup server logs.

Business Package: Everything in the Standard Package, as well as up to 10,000 core files checked, website acceleration, and a 60-day guarantee.

Portal Package: Everything in the Business Package, as well as 10,000+ core files checked, security plugin installation as needed, three months of full website monitoring, and a 90-day guarantee.

If you’re looking to extend your security benefits, SiteGuarding offers website security plans similar to what’s available through the other companies on the list. Prices vary based on what you’re looking for and the number of sites you want to cover.

Prices start at $6.95 per month, with a $19.95 per month option that will remove malware from already-hacked websites, protect your site with a web application filter and other security measures, and offer unlimited malware removal and hack fixing at least once per month going forward.

Website malware removal score – 8.5 out of 9

Based on our criteria, SiteGuarding receives 8.5 out of 9 for its website malware removal tool and service.

Pros:

  • Low cost for website hack repair and removal
  • An extensive list of features and services
  • Offers a separate emergency malware removal option
  • Provides comprehensive security protection subscriptions that include malware removal
  • Offers free security audits with methods to contact support
  • Offers a long list of major and minor CMS plugins/extensions

Cons:

  • Overcomplicated malware removal and website security options
  • Free scanners of questionable effectiveness
  • Emphasizes functionality with WordPress and Joomla over other CMSs

Comprehensive security protection:SiteGuarding advertises emergency malware removal in as little as 1–3 hours. Prices start at $6.95 per month for a basic package.

2. Sucuri

Sucuri is a well-known website security company offering a wide range of malware scanning and website malware removal services. This option comes with a high level of trust and a top-notch reputation, especially for those who rely on WordPress. It’s trusted by a few popular WordPress development companies, including wpbeginner, iThemes, and Yoast, and several major universities (Northwestern, Duke, New York, and George Washington).

This is not a good option if you’re just looking for a short-term fix for a hacked website, however. Sucuri will perform emergency fixes for hacked websites, but only through an annual subscription. That said, if you plan to increase your website’s security following a hack removal, Sucuri is a great option for both the emergency hack fix and for continued site protection.

Notable features

Sucuri is designed not just as a malware removal tool, but also a website performance enhancer. As such, if you have to fix a hacked website, it will serve your purpose but will extend those benefits to include regular malware scanning, a high-powered Web Application Filter (WAF), virtual patching and hardening, DDoS mitigation, and more. And unlike SiteLock, all of Sucuri’s subscription options offer unlimited page scans, making it a preferable option for larger enterprise websites and affiliate sites with a lot of pages.

Additional features include:

  • Blacklist removal and reputation monitoring
  • Stops zero-day malware
  • Blocks hacks and brute-force attacks
  • Provides an Intrusion Detection System (IDS)
  • SSL monitoring
  • File change detection
  • Utilizes a heuristic correlation engine (machine learning tool used to detect malicious activity across the network)

Sucuri also offers a free, external website scanning tool. You can use this to see if your website currently carries any easily-detected malware, which is particularly beneficial if you believe your website was hacked and is now sending users popups, redirects, or other user-facing incidents.

(Note that Sucuri’s external scanning tool is not a perfect solution, however, and can quite easily miss deeper-level threats. It’s a good starting place, but if you suspect a serious hack exists that’s not showing up in the free scan, contact Sucuri immediately.)

The free tool not only scans for known external threats but also checks your site for blacklisting.

Sucuri scan a website for malware and fix hacked site

We found Sucuri’s free scanner will send back some false information about security threats at times. For example, the tool incorrectly states my professional website does not include a redirect from HTTP to HTTPS (untrue) and that there’s no web application firewall (also untrue).

Pricing

The biggest downside to Sucuri is that it only offers annual subscription plans. If you’re just looking for an emergency website repair, you’ll be stuck with Sucuri for a year unless you utilize the 30-day money-back guarantee. That said, you’ll get a year of added protection against further threats, which may be worth it in the long run.

Unless you’re purchasing a custom plan for an enterprise with multiple websites, Sucuri offers three protection plans for most users:

  • Basic: $199/year
  • Pro: $299/year
  • Business: $499/year

The main difference between these options is how frequently its tool scans for threats. Basic offers website malware scans and other security scans every 12 hours; Pro, every 6 hours; and Business, every 30 minutes. An additional limitation for Basic is that it doesn’t include SSL certification protection.

Website malware removal score – 8 out of 9

Based on our criteria, Sucuri receives 8 out of 9 for its website malware removal tool and service.

Pros:

  • Highly-respected company and service
  • Effectively removes malware and offers extended protection
  • Unlimited malware removal and hack fixes
  • CMS plugins/extensions for WordPress and Joomla
  • Offers blacklist removal and reputation
  • Provides free, external website malware scanning tool
  • Lower cost than most competitors

Cons:

  • Only offers annual subscriptions
  • Only covers one website per subscription without an Enterprise plan

Lower cost than most competitors:Effectively removes malware and offers extended protection. Comes with a 30-day money-back guarantee so you can try it risk free.

3. Wordfence

If your website is running on WordPress, Wordfence should be at the top of your list. Wordfence specializes in WordPress sites (as you may have guessed by the name). Despite some previous functionality with websites running on other CMSs, including Joomla and Drupal, its current focus is solely on providing security options for WordPress sites.

The Wordfence WordPress plugin has been downloaded over 100 million times, and its service has been referenced in major media outlets, including ArsTechnica, The Register, BleepingComputer, and Threatpost.

Notable features

You can download Wordfence directly to your WordPress CMS as a plugin. The service offers real-time malware scanning, a firewall, and IP blacklisting. You’ll also get:

  • Two-factor authentication for your site
  • Country blacklisting
  • 24/7 premium support
  • Leaked password protection
  • Live traffic monitor
  • Core, theme, and plugin file repair
  • Manual blocking

Additionally, Wordfence offers immediate, one-time website hack removal and website cleaning for $179. The emergency malware removal option offers:

  • Malware removal and other website hack cleaning from an unlimited number of website pages
  • Analysis of security flaws that caused the website infection
  • Removal of malicious code and links from posts, comment sections, and website source code
  • An in-depth report of the investigation and removal process and a checklist for future hack prevention
  • Blacklist removal from over 20 search engines and anti-spam blacklisters, including Google, Bing, and Symantec
  • One year of Wordfence Premium

If you want to check your website for free with Wordfence, you’ll need to install the WordPress Plugin, create a free account, and then scan your site from your Wordfence account.

Wordfence website malware scanning fix hacked sites

Free scans will not offer malware cleaning for sites already infected with malware, however. If you want to fix a hacked site you’ll need to sign up for Premium or use the one-time website hack removal.

Pricing

As mentioned, you have two options for Wordfence: emergency website hack removal or Wordfence Premium.

  • Wordfence Free (limited functionality)
  • Wordfence Premium: $99/year per website
  • Emergency Website Hack Removal: $179 (includes one year of Wordfence Premium)

If you need hack removal, you’ll need to opt for the emergency website cleaning option. You can choose between Wordfence Free and Wordfence Premium, both of which are feature-rich. However, Wordfence Premium offers a larger benefit for high-traffic sites.

Wordfence Free: Offers endpoint security, malware signature updates (delayed 30 days in free version), web application firewall (WAF) support, malware scanning, file repair, checks for malicious links and comments, and a live traffic monitor, among other benefits.

Wordfence Premium: Everything that comes with the free version, but adds real-time firewall protection, two-factor authentication, checks for blacklisting of your website, and blocked requests from blacklisted IPs and countries.

If you have multiple websites and want to sign up to Wordfence Premium, you’ll need to purchase multiple licenses. Wordfence offers a discount if you purchase additional licenses, and additional discounts if you purchase multi-year subscriptions.

Website malware removal protection score – 7 out of 9

Based on our criteria, Wordfence receives a 7 out of 9 for its website malware removal tool and service.

Pros:

  • Highly-respected WordPress security tool
  • WordPress plugin
  • Low-cost subscription and emergency hack removal
  • Extensive features
  • Some free options
  • Free version available
  • Plugins/extensions available for multiples CMSs: WordPress, Joomla, Drupal, Magento, OpenCart, phpBB, and PrestaShop

Cons:

  • Limited to no functionality for websites outside of the WordPress CMS
  • Limited contact and support options

4. SiteLock

SiteLock is one of the best-known website security companies on the market, offering multiple plans and a large number of features and services for those who need website malware removal. It’s also a viable option to consider for further site protection against outside threats. The service has been used by some household names across various industries, such as The Tennis Channel website, and partners with a few hosting companies (including HostGator and GoDaddy) to provide website security.

Notable features

SiteLock earns a passing score on most of our criteria for website malware removal. This service can scan for and remove malware in WordPress, Joomla, Drupal, and other open-source content management systems. For WordPress and Joomla, you can install a dedicated plugin/extension that will run backend malware scans and help determine if you have infected plugins, files, or other threats.

Outside of malware scanning and removal, SiteLock scans for:

  • Infected or vulnerable applications
  • Network port vulnerabilities
  • External redirects
  • SQL and XSS threats
  • Spam

While there is a free risk assessment, SiteLock doesn’t offer this as a separate, DIY tool to scan a website externally for threats. You’ll need to contact SiteLock directly with your name, phone number, email address, and website address. Setting this up means waiting for a return call and talking to a live agent, so if you need immediate malware removal (for example, your website was removed by your hosting company due to the extent of the malware or hack), it’s better to immediately sign up for one of SiteLock’s malware removal and site restoration options.

Pricing

There are three pricing tiers to choose from if you need malware removal:

  • SecureStarter: $30/month
  • SecureSpeed: $50/month
  • SecureSite: $70/month

All three options perform automatic malware scanning and removal, but SiteLock only offers complete emergency website restoration, hack removal, and blacklist removal through SecureSpeed or SecureSite.

The key differences between these options are the number of pages that can be scanned, and the amount of additional protection you get outside of malware removal.

SecureStarter: Good for light malware removal but does not offer SiteLock’s web application firewall (WAF). It will scan up to 500 pages once per day.

SecureSpeed: Will scan up to 500 pages once per day, includes SiteLock’s WAF, and offers one-time site restoration for hacked websites.

SecureSite: Will scan up to 2,500 pages constantly. SecureSite provides unlimited hack repair and blacklist removal, while SecureSpeed subscribers get this service just once upon signing up. This option also provides automated WordPress, Joomla, and Drupal patching, database scanning, and database cleaning.

Website malware removal score – 7 out of 9

Based on our criteria, SiteLock receives 7 out of 9 for its website malware removal service.

Pros:

  • Fast and trustworthy website malware removal and hack repair
  • Blacklist removal
  • Daily scans and regular malware removal after hack repairs
  • WordPress and Joomla plugins/extensions

Cons:

  • Pricier than most competitors
  • SecureSpeed option only includes one hack repair and blacklist removal. Using SiteLock for repeat hacks can be expensive
  • Requires monthly or yearly subscription to remove malware and repair a hacked site
  • An extremely limited number of page scans compared to other services

5. Comodo cWatch

Comodo’s cWatch is one of the only free website malware removal options on the market, making it one that’s a bit hard to pass up if you’re looking for a quick fix. cWatch makes big promises, including the promise to remove website malware within 30 minutes, even through the free option.

The service was formerly called Web Inspector, but cWatch informed us that all Web Inspector operations are now being forwarded over to cWatch.

Notable features

Comodo advertises a range of malware scanning and removal features. For those who want to keep the protection going after fixing a hacked site, there are numerous protection options designed to ensure your website is protected against future threats.

cWatch offers “incident management and remediation” (their term for malware removal for a hacked website). For those who sign up for the monthly subscription option, cWatch offers anomaly detection, checks for unpatched vulnerabilities, and offers an extensive WAF.

Additional features include:

  • Checks for correlations between repeat events
  • Automatic incident alerts
  • SEO poisoning recovery
  • Persistent threat detection
  • CDN threat management and performance enhancement

While cWatch technically doesn’t offer a free scan, you can still use the free Web Inspector external malware scanning tool. As stated, Web Inspector is technically expired, but Comodo has yet to disable either the Web Inspector website or the free scanning tool.

You can use the malware scanner to determine if your website is blacklisted due to malware, whether your CMS has any threats that can be identified from an external scan, and whether there are any content and HTTP security threats on your website.

cwatch website malware fix hacked sites

Pricing

You can fix website hacks with cWatch using three different options:

  • Basic: Free
  • Pro/Complete Protection: $9.90/month
  • Premium/Advanced Protection: $24.90/month

Comodo is one of the only options on the market that offers free website malware removal. There are some limitations to the free removal option, of course, which includes limited tech support, no WAF, no ongoing monitoring following the malware removal, and importantly, no website blacklist removal.

The Pro/Complete Protection and the Premium/Advanced Protection options differ primarily in how much hands-on assistance you’ll receive from Comodo. The primary difference between the two is that the Premium plan offers a dedicated CSOC analyst you can contact at any time, more control of your firewall rules, and reverse malware engineering. You’ll also get scans every four hours with Premium, versus every six hours with Pro/Advanced Protection.

Website malware removal score – 7 out of 9

Based on our criteria, Comodo cWatch receives 7 out of 9 for its website malware removal tool and service.

Pros:

  • Free website malware removal option
  • Low cost extended malware scanning and protection plans
  • Fast customer service response
  • Blacklist removal with paid options
  • Extensive WAF with paid options
  • Hands-on support with Premium plan

Cons:

  • Less reputable and less commonly recommended by top-level sites and services
  • No website blacklist removal with the free option
  • No WordPress or Joomla plugins

6. Malcare

It’s probably best to think of Malcare as a direct Wordfence competitor. Designed specifically for websites running the WordPress CMS, Malcare offers a plugin and service that will fix hacked WordPress sites and maintain continuous protection.

While servicing only WordPress sites is certainly a limitation, Malcare has been used and is trusted by some fairly big names, including Yoast, Adobe, and Intel. The company currently boasts of having 20,000+ sites covered by its service.

Notable features

If you just need emergency malware removal, Malcare offers a one-time hacked website fix that includes:

  • Malware scanning and removal
  • Dedicated security analyst review
  • A detailed report on findings and actions taken
  • WordPress hardening
  • Login protection

Those who need added protection may want to consider the subscription-based option. Malcare provides a long list of features here, to include fast and automated malware removal, daily scanning, and a user-friendly dashboard with extensive site stats.

The subscription-based website security service also offers:

  • A comprehensive WAF
  • Protection from known vulnerabilities
  • Website hardening, including updated security keys
  • Automatically disable unwarranted plugin installations
  • Prevent file editing
  • Alerts for suspicious logins
  • CAPTCHA logins
  • IP blocking
  • Automatic implementation of other WordPress-recommended security recommendations

Unfortunately, Malcare doesn’t appear to offer blacklist removal from Google or other blacklisting sites, neither in its emergency malware removal service or its subscription-based website protection plans.

Finally, there’s a free scanning tool available from Malcare. You’ll need to install the Malcare plugin to your WordPress site in order to perform the scan.

Pricing

Malcare offers three security packages, as well as a (rather pricey) emergency malware cleanup service.

  • Emergency Malware Removal: $249
  • Basic Subscription: $8.25/month
  • Plus Subscription: $12.41/month
  • Advanced Subscription: $20.75/month

The service makes a rather bold promise: If it fails to remove your website malware, the company will refund you three times the amount you paid for removal.

Website malware removal score – 6.5 out of 9

Based on our criteria, Malcare receives 6.5 out of 9 for its website malware removal tool and service.

Pros:

  • Effective free malware scanner
  • Low-cost website protection and malware scanning
  • Well-respected and trusted service
  • High-quality WordPress plugin

Cons:

  • No website blacklist removal
  • Expensive emergency malware removal service
  • Only works with WordPress

7. GoDaddy

GoDaddy became a household name in the early 2000s thanks to its rather scandalous TV advertisements. The company has since moved on and is one of the most-used website hosting companies in the world. It now offers other website services, including emergency malware removal.

Notable features

GoDaddy doesn’t offer many details about how its Express Malware Removal service works. The company promises its technicians will get started reviewing your site’s security and infection status within 30 minutes but doesn’t tell you how long full malware removal will take.

Beyond that, GoDaddy states the service comes with:

  • Continued protection for one year
  • A web application firewall (WAF)
  • Removal of any other malware during your year-long subscription
  • Google blacklist removal
  • Malware scanning alerts
  • Functionality with almost any CMS and custom-coded site
  • 24/7 customer service

There’s no free scanning tool or free audit with GoDaddy. You’ll need to purchase the Express Malware Removal service in order to scan your website for malware and other threats if you opt for this service.

Pricing

GoDaddy offers just one website malware removal option:

  • Express Malware Removal: $299.99/year

The company will auto-renew this service for $299.99 per year, so we recommend canceling it before the year is up to avoid being charged.

We recommend canceling after your yearlong malware removal subscription because the company also offers a Website Security subscription plan for $5.59 per year. This service is advertised to stop hacks before they happen, but can be used to remove malware infections if they do occur. However, GoDaddy will only let you sign up to it prior to a website hack and not after.

As such, removing website hacks with GoDaddy can be very expensive if you’re acting after the fact, but if you pre-emptively sign-up to its subscription-based website security service and get a hack afterward, malware removal is inexpensive.

There are three subscription options under GoDaddy’s Website Security service:

  • Essential: $5.99/year
  • Deluxe: $15.99/year
  • Ultimate: $23.99/year

Essential: Offers a 12-hour response time, Google blacklist monitoring and removal, and unlimited malware removal and hack repair.

Deluxe: Provides all of the above, plus WAF malware prevention, CDN performance accelerator, and DDoS mitigation.

Ultimate: Offers everything from Deluxe, but with a six-hour response time and website backup and restoration.

Website malware removal score – 6.5 out of 9

Based on our criteria, GoDaddy receives 6.5 out of 9 for its website malware removal service.

Pros:

  • Well-known service
  • Offers emergency malware removal
  • Provides blacklist removal
  • Works with most CMS and custom-coded sites
  • Multiple forms of support contacts

Cons:

  • No dedicated CMS plugins
  • Expensive for emergency malware removal
  • No free site scanning options
  • Mixed reputation despite the well-known name

What to do if your website is infected with malware

To remove website malware and recover from a website hack, you’ll need to do the following:

  1. Perform an official scan of your website to assess the problem
  2. Isolate where the issues are on your website
  3. Remove the malware using dedicated malware removal tools or services
  4. Perform backups of pages and files if necessary
  5. Improve website security to protect against further infections
  6. Alert your website’s users if the malware stole user data
  7. Alert your local authorities or the FTC if a data breach occurred that resulted in compromised consumer data
  8. Check to see if your website’s SEO rankings were negatively impacted
  9. If necessary, request to be removed from domain blacklists

Below, we’ll lay out everything you need to understand about why your website may have been infected, how to scan a website for malware, and what you can do to prevent future website infections.

How did my website get infected?

According to SiteLock, around 18.5 million websites are infected with malware at any given time. Meanwhile, over 70 percent of websites contain critical vulnerabilities. For most websites, and especially smaller sites without hefty enterprise security budgets, it’s less an issue of “if” your website will get infected or hacked, but “when.”

There are several common ways a website can get infected:

  1. SEO spam malware (spamdexing)
  2. Defacement
  3. Website misconfiguration
  4. You or your web developer installed infected files onto the website (usually in the form of plugins or templates in your CMS, such as WordPress or Joomla!)
  5. The exploitation of vulnerable scripts on your site through the use of cross-site scripting (XSS) attacks
  6. Brute-force attacks from weak passwords
  7. FTP or HTTP interception
  8. Poor server security (often out of your control if you’re using managed services)
  9. Backdoors left from unscrupulous web developers

Multiple other threat vectors exist as well. However, regardless of how a website gets infected, contending with website malware can be a challenge. If even one page on your website gets infected or hacked, your Google page rankings could go crashing to the ground, significantly and negatively impacting your SEO ROI.

Google and other companies are also known to blacklist virus-infected websites, and a particularly bad infection can even cause Google to remove your website from its search results altogether.

How do I scan a hacked website?

There are three ways to scan a hacked website for malware:

  • Use a free website malware scanning tool
  • Install a plugin on your CMS to scan for backend malware
  • Use a service that provides free or paid website malware scanning

From there, you’ll need to determine if there’s a problem that needs immediate resolution. If no scans find a problem, you’re likely not infected. However, note that free, external scans can be faulty, so if you’re still getting reports from website users about issues like popups and redirects, it’s best to pay for a more extensive internal scan.

How do I fix a hacked website?

Different tools and services exist to make the removal of malware from a website much simpler. Some tools can be installed directly onto your Content Management System (CMS) (such as WordPress or Joomla) if you’re using one. Others operate as server-site endpoint security.

Services that clear up these website malware infections for you may employ security professionals to fix the problem, and then set up a software solution to help prevent further infections. Others will rely solely on automated software to do the brunt of the work and only deploy security professionals in unique cases.

As Sucuri notes, website owners can do this themselves, but unless you’re a skilled programmer, you’re unlikely to know what to look for and may not know how to fix the problem if you do find something. A DIY approach can also be costly in terms of how much time you put into trying to fix it yourself.

We recommend you utilize a professional service to locate and remove malware from your website. Using a trusted managed service can help prevent any serious consequences related to deleting the wrong files, and missing important or critical security flaws and infections.

Common website security weaknesses

If you’ve recovered from a website hack, your next step is going to be to shore up your website’s weak spots. Here are a few areas to consider to help avoid getting additional website malware.

Password protection

Weak admin passwords make it easy for hackers to gain access to your backend. If you’re running WordPress, we highly recommend you install Jetpack if you haven’t already. This plugin will provide useful site stats, but will also help prevent malicious login attempts.

As well, make sure you use strong passwords. WordPress automatically creates strong passwords for new user accounts, but make sure any editors, writers, contributors or others who have password access to your WordPress site are also using strong passwords.

FTP and HTTP/HTTPS

When it comes to FTP and HTTP interception, avoid logging in to your site’s FTP over public wifi, and make sure any sites you visit or enter personal information into are using HTTPS instead of HTTP. Heed any warnings you might receive from Google or your personal antivirus software that warns of potentially malicious websites or links.

Additionally, if you haven’t done so, upgrade your site to use SSL encryption (HTTPS). Not only will this help your Google rankings, but SSL encryption helps prevent site hacking attempts.

Unfortunately, if you’re using managed services and not running your own web server for your website, you can’t do too much about poor server security. However, you may want to consider only using reputable web hosting companies. The same goes for web developers you contract with to work on your site. Not everyone is trustworthy, but you’ll want to make sure any developers or development companies you use have a good reputation and verified past work.

Infected plugins on WordPress or Joomla

If you’re operating and managing a website on your own or with a small team, your biggest concern will be cross-site scripting and infected plugins from your CMS.

Not all issues with your site will be because of viruses or other malware. In fact, if you suspect your site may be broken because of an infection or malware, there’s a good chance it’s actually broken because of an outdated plugin, or a conflict between two or more incompatible plugins. Nevertheless, malware-infected plugins do exist in abundance in many CMS environments, particularly in WordPress.

Ironically enough, there are numerous WordPress plugins out there designed to scan your other WordPress plugins for malware. We suspect many of these malware-scanning plugins carry viruses themselves. Simply put, don’t install an unvetted plugin designed to root out malware in other plugins. Only install verified, trusted, and updated plugins.

Script vulnerabilities

Scripts are often considered the backbone of the web and are part of what helps make websites interactive. They also allow different websites to interact with each other. However, that interactivity can also create vulnerabilities, particularly if the script itself is hijacked or designed with malicious intent.

A hijacked script can allow hackers to insert malicious code into one or multiple websites at the same time, so long as that vulnerability is known.

It’s quite possible that your site is running numerous scripts that give other sites partial access to your site and users. If those scripts are malicious or being used to serve malicious code to your website, you may not be able to do much about it until you figure out where the problem is and remove it.

Notably, even if your website is not hosting the malware, if the script is a known source of malicious attacks, Google may still tag your site as hosting malware and blacklist you.  

Infected tags

Your website may also contain tags which are serving up malware without your knowledge. A website tag is typically a piece of Javascript code held within its own container and is usually there to gather and send data. Tags are useful for ranking in Google, but can also be used maliciously.

The containers that hold these tags get scanned by Google, and, according to the company, a tag that points to a malicious website won’t fire (the tag won’t do what it’s intended to do). That can have deleterious effects on your website’s page ranking on Google, as malicious tags can insert unwanted URL and URL redirects, popup ads, browser search bars or side-search bars, and can significantly slow down page loading speeds (another page ranking factor).

If you’re using Google Tag Manager, you’ll get an email about infected tags, but even if you aren’t, your site can get flagged for malware and you may not know it until either a user warns you about some of the aforementioned problems (such as strong popups), or you find malware popping up in website malware scans.

See also: 8 Common types of malware explained