Website malware detection and removal: How to scan and fix hacked sites

There are numerous website malware removal tools and services available that can scan your website, isolate the infection, and remove it for good. Most companies also offer blacklist removal from Google and other website blacklists. However, not every option is trustworthy, and some malware removal services could actually put your site at further risk of infection.

If you need to scan your website for malware or fix a hacked website immediately, these services provide both emergency malware removal services and ongoing website security to protect against infections.

8 best website malware removal tools and services

Of the many website malware removal tools and services on the market, the best options to consider include:

1. SiteGuarding Best all-around service to fix hacked sites
2. Sucuri Great for small budgets
3. Site24x7 Website, network, and applications monitor with strong user behavior monitoring.
4. Wordfence Best for WordPress websites
5. SiteLock Partnered with multiple hosting companies
6. Comodo cWatch Straightforward service for website malware removal
7. Quttera THREATSIGN! Low-cost malware removal for multiple platforms
8. Malcare Offers high-quality, free scanning for WordPress
9. GoDaddy Provides a low-cost website security option

When my professional website got infected with malware last year, I didn’t know until a visitor told me she was getting weird pop-ups after hitting my home page. I wasn’t able to replicate the issue myself, so I ignored it—until several other users told me they experienced the same thing. I only discovered the threat after performing a deeper-level malware scan on my site.

Thankfully, I avoided any serious problems, but if you believe your website was compromised and is serving up malware, the consequences could be significant. Google may put your website on its blacklist and remove your site from search results.

According to Google’s Transparency Report,  the number of sites “deemed dangerous” from 2020 to 2023 fluctuated between 2.4 million and 5 million per week.

The end result of your website staying live for an extended period while infected with malware could be even worse, you could damage the trust of your customers and lose their business for good.

A survey conducted by Okta and YouGov found that 88% of customers wouldn’t use the services or purchase products from a company they didn’t trust. Another survey — this time by PwC — found that 87% of consumers are willing to walk away and take their business elsewhere if, or when, a data breach occurs.

Because of the seriousness of website malware, we researched several dozen small and large malware removal services and then whittled our list down to seven trustworthy providers that can help repair hacked sites.

Criteria for a good website malware removal service

For website malware removal, you’ll want to opt for a service that meets most or all of the following criteria:

• Has a good reputation
• Offers scanning and removal at a reasonable cost
• Provides dedicated Content Management System (CMS) plugins/extensions (for example, for WordPress, Joomla, or Drupal)
• Can also work with multiple CMS and custom-coded sites
• Provides a free scanning tool or service
• Offers blacklist removal (Google at a minimum)
• Capable of removing multiple forms of website hacking and malware
• Offers multiple communication methods (phone, email, live chat)
• Provides continued site protection and support after restoration, which includes a web application firewall (WAF) as well as regularly-scheduled malware scanning and removal

Let’s explore each of these options in more detail below.

1. SiteGuarding

Not to be confused with the similarly-named service (SiteGuard), SiteGuarding is a website security company that offers a litany of unique services and features that make it a standout among the other options on our list. The service maintains web security protection for a long list of CMSs and provides both regular malware removal and emergency malware removal for when your website suffers a major hack.

The company doesn’t boast an extensive name-branded client list like Wordfence or Sucuri. Still, most reviews from various review aggregation sites are overwhelmingly positive. It also provides plugins/extensions for half a dozen popular and lesser-used content management systems.

Notable features

The list of features you get through SiteGuarding depends on what you’re using the service for. If you’re signing up for malware removal (regular or emergency services), you’ll get virus cleaning and backdoor removal. The company promises to clean hacked websites within 24 hours. In fact, SiteGuarding advertises emergency malware removal in as little as 1–3 hours.

Siteguarding offers malware removal as a one-time service as well as offering a subscription service.

Alongside cleaning your site, the SiteGuarding malware removal service offers:

• Blacklist checking removal from multiple blacklists (Google, McAfee, Norton)
• Core files check on up to 10,000 WordPress and Joomla CMS files
• SQL injection prevention
• Analysis of website backups and server logs
• Website acceleration
• Installation of security plugins (Portal plan only)
• Website monitoring (Portal plan only)

The features you get will depend on which removal plan you purchase. A one-time removal fee costs $49.95 and includes 14-days of subsequent protection. Subscriptions start at $109.95 a year, increasing to $995.95 a year for business users with up to five websites.

SiteGuarding offers not just one, but five separate free website scanning tools. You can check your site against the company’s Outbound Link Scanner, Malware Scanner, Spam SEO Scanner, Blacklist Checker, and a Website Antivirus Scanner (requires installation onto your website as a PHP file). The company also offers a free security audit, which can be initiated over email or live chat.

The service’s free scanners are of questionable effectiveness, however, so we recommend using the free security audit instead.

Pricing

With SiteGuarding, you’ll be able to remove website malware using the following options:

• Malware Removal with 14 days protection: $49.95
• Malware Removal with one month protection: $54.95
• Malware Removal with six months protection: $79.95
• Malware Removal with one year protection: $109.95

You can alternatively choose a subscription that offers malware removal, bug fixes, and more website security options:

• Basic Package: $109.95 per year
• Standard Package: $149.95 per year
• Premium Package: $249.95 per year
• Business Package: $995.95 per year

Note that blacklist removal does not come with the “Malware Removal Only” service. If you want blacklist removal, you’ll need to opt for one of the extended packages.

Here’s what each extended package includes:

Basic Package: Up to 10,000 core files checked for WordPress CMS, backdoor removal, SQL injection prevention, and malware removal.

Standard Package: Everything in the Basic Package, as well as up to 25,000 core files checked for WordPress and Joomla CMS, blacklist removal for Google, McAfee, and Norton, and security analysis on website backup server logs.

Premium Package: Everything in the Standard Package, as well as up to 100,000 core files checked, website acceleration, GEO blocking, bot protection, attack detection, and website backup.

Business Package: Everything in the Premium Package, as well as 800,000 core files checked, DDOS attack prevention, scans every 1,3,6, or 12 hours, and protection for up to five websites and 10 subdomains.

Website malware removal score – 8.5 out of 9

Based on our criteria, SiteGuarding receives 8.5 out of 9 for its website malware removal tool and service.

Comprehensive security protection:SiteGuarding advertises emergency malware removal in as little as 1–3 hours. Prices start at $9.95 per month for a basic package.

2. Sucuri

Sucuri is a well-known website security company offering a wide range of malware scanning and website malware removal services. This option comes with a high level of trust and a top-notch reputation, especially for those who rely on WordPress. It’s trusted by a few popular WordPress development companies, including wpbeginner, iThemes, and Yoast, and several major universities (Northwestern, Duke, New York, and George Washington).

This is not a good option if you’re just looking for a short-term fix for a hacked website, however. Sucuri will perform emergency fixes for hacked websites, but only through an annual subscription. That said, if you plan to increase your website’s security following a hack removal, Sucuri is a great option for both the emergency hack fix and for continued site protection.

Notable features

Sucuri is designed not just a malware removal tool, but also a website performance enhancer. As such, if you have to fix a hacked website, it will serve your purpose but will extend those benefits to include regular malware scanning, a high-powered Web Application Filter (WAF), virtual patching and hardening, DDoS mitigation, and more. And unlike SiteLock, all of Sucuri’s subscription options offer unlimited page scans, making it a preferable option for larger enterprise websites and affiliate sites with a lot of pages.

Securi offers a service level agreement to remove malware within a certain timeframe according to the plan you have. For Basic malware will be removed within 30 hours. For Pro this drops to within 12 hours. Business is faster still with malware removed within 6 hours.

Additional features include:

• Blacklist removal and reputation monitoring
• Stops zero-day malware
• Blocks hacks and brute-force attacks
• Provides an Intrusion Detection System (IDS)
• SSL monitoring
• File change detection
• Utilizes a heuristic correlation engine (machine learning tool used to detect malicious activity across the network)

Sucuri also offers a free, external website scanning tool. You can use this to see if your website currently carries any easily-detected malware, which is particularly beneficial if you believe your website was hacked and is now sending users popups, redirects, or other user-facing incidents.

(Note that Sucuri’s external scanning tool is not a perfect solution, however, and can quite easily miss deeper-level threats. It’s a good starting place, but if you suspect a serious hack exists that’s not showing up in the free scan, contact Sucuri immediately.)

The free tool not only scans for known external threats but also checks your site for blacklisting.

We found Sucuri’s free scanner will send back some false information about security threats at times. For example, the tool incorrectly states my professional website does not include a redirect from HTTP to HTTPS (untrue) and that there’s no web application firewall (also untrue).

Pricing

The biggest downside to Sucuri is that it only offers annual subscription plans. If you’re just looking for an emergency website repair, you’ll be stuck with Sucuri for a year unless you utilize the 30-day money-back guarantee. That said, you’ll get a year of added protection against further threats, which may be worth it in the long run.

Unless you’re purchasing a custom plan for an enterprise with multiple websites, Sucuri offers three protection plans for most users:

• Basic: $199/year
• Pro: $299/year
• Business: $499/year

The main difference between these options is how frequently its tool scans for threats. Basic offers website malware scans and other security scans every 12 hours; Pro, every 6 hours; and Business, every 30 minutes. An additional limitation for Basic is that it doesn’t include SSL certification protection.

Website malware removal score – 8 out of 9

Based on our criteria, Sucuri receives 8 out of 9 for its website malware removal tool and service.

Lower cost than most competitors:Effectively removes malware and offers extended protection. Comes with a 30-day money-back guarantee so you can try it risk free.

3. Site24x7

Site24x7 has a distinct advantage to spot website security issues by being located outside the company network as a cloud service. The service looks at the delivery of websites and how visitors use them. Part of that activity includes identifying performance impairing interference and malware actions.

The Site24x7 strategy adopts a more contemporary delivery model, using a cloud platform rather than delivering software for installation. It also leaps ahead at looking at the vulnerabilities that hackers are exploiting today, rather than being dragged down by a traditional antivirus approach.

The big threat to websites is through all of the APIs and services that their coding now employs. The coding complexity of web pages creates opportunities for hackers. Site24x7 can scan these advanced programming threats and block them, so website visitors are protected.

Notable features

The list of features each customer can access in Site24x7 depends on the selected package. Each of the four progressively more expensive paid editions includes more features.

The Site24x7 feature that is of most interest from a cybersecurity perspective is the Website Defacement system. This is the main website malware protection service in Site24x7 and it is one of the advanced features that subscribers are allowed to select from a menu of services.

The tasks performed by the Website Defacement Monitor include:

• Alerts to unauthorized addition or modification of HTML elements
• Monitoring for hacked links and other quality issues
• Identify changes in link sources
• Security infringement alerts
• Action to avert search engine results pages ranking downgrades
• Hijack mitigation
• Reputation protection and brand safeguards

The Website Defacement Monitor is available to subscribers of all paid editions of Site24x7.

Pricing

Site24x7 is charged for on a subscription basis. Customers can choose to pay for the service monthly or annually. Those who pay yearly get a lower rate on a per month basis than those on a monthly payment plan.

The four paid editions of Site24x7 are:

• Web Uptime: $108/year
• Pro: $420/year
• Classic: $1,068/year
• Elite: from $2,700/year

The difference between the plans lies in the number of services included in each. Advanced monitors available for selection with each edition are:

• Web transaction monitor
• Web page speed monitor
• Website defacement monitor
• Mail delivery monitor
• FTP monitor
• Application performance monitor
• Advanced Windows Apps – Microsoft SharePoint, BizTalk, Active Directory, Failover Cluster, Hyper-V, SQL and Exchange Monitoring,

The number of advanced monitors for selection that are included in the price increases with the price of each edition. The four editions are:

 Web Uptime:

• Monitor up to 25 websites/servers
• 1 minute poll frequency
• Tests from more than 120 locations
• 50 SMS/Voice credits per month
• Single user accounts
• Standard support

Pro:

• Monitor up to 40 websites/servers
• 5 network interfaces
• 200K RUM pageviews
• Tests from more than 120 locations
• 150 5MS/Voice credits per month
• Multiple user accounts
• Third-party integration
• Premium support

Classic:

• Monitor up to 100 websites/servers
• 10 network interfaces
• 1 million RUM pageviews
• Tests from more than 120 locations
• 250 SMS/voice credits per month
• Multiple user accounts
• Third-party integration
• Premium support

Elite:

• Monitor up to 250 websites/servers
• 5MRUM Pageviews & 50 sites
• Tests from more than 120 locations
• 400 SMS/voice credits per month
• Multiple user accounts
• Third-party integration
• Premium support

Each plan can be augmented by extra features for a monthly fee.

Website malware removal score – 8.7 out of 9

 Based on our criteria, Site24x7 receives 8.7 out of 9 for its website malware protection service.

Advanced Website defacement protection:SiteGuarding advertises emergency with early detection of security issues, scans entire web page for hacked links, identifies HTML changes, starting at $9/mo.

4. Wordfence

If your website is running on WordPress, Wordfence should be at the top of your list. Wordfence specializes in WordPress sites (as you may have guessed by the name). Despite some previous functionality with websites running on other CMSs, including Joomla and Drupal, its current focus is solely on providing security options for WordPress sites.

The Wordfence WordPress plugin has been downloaded over 100 million times, and its service has been referenced in major media outlets, including ArsTechnica, The Register, BleepingComputer, and Threatpost.

Notable features

You can download Wordfence directly to your WordPress CMS as a plugin. The service offers real-time malware scanning, a firewall, and IP blacklisting. You’ll also get:

• Two-factor authentication for your site
• Country blacklisting
• 24/7 premium support
• Leaked password protection
• Live traffic monitor
• Core, theme, and plugin file repair
• Manual blocking

Additionally, Wordfence offers immediate website hack removal and website cleaning as part of the Wordfence Response packages. This costs $950 plus tax per year. The packages include:

• Malware removal and other website hack cleaning from an unlimited number of website pages
• Analysis of security flaws that caused the website infection
• Removal of malicious code and links from posts, comment sections, and website source code
• An in-depth report of the investigation and removal process and a checklist for future hack prevention
• Blacklist removal from over 20 search engines and anti-spam blacklisters, including Google, Bing, and Symantec
• One year of Wordfence Premium

If you want to check your website for free with Wordfence, you’ll need to install the WordPress Plugin, create a free account, and then scan your site from your Wordfence account.

Free scans will not offer malware cleaning for sites already infected with malware, however. If you want to fix a hacked site you’ll need to sign up for Premium or use the one-time website hack removal.

Pricing

As mentioned, you have two options for Wordfence: emergency website hack removal or Wordfence Premium.

• Wordfence Free (limited functionality)
• Wordfence Premium: $119 per year
• Wordfence Care: $490 per year
• Wordfence Response: $950 per year

Wordfence Free: Offers endpoint security, malware signature updates (delayed 30 days in free version), web application firewall (WAF) support, malware scanning, file repair, checks for malicious links and comments, and a live traffic monitor, among other benefits.

Wordfence Premium: Everything that comes with the free version, but adds real-time firewall protection, two-factor authentication, checks for blacklisting of your website, and blocked requests from blacklisted IPs and countries.

If you have multiple websites and want to sign up to Wordfence Premium, you’ll need to purchase multiple licenses. Wordfence offers a discount if you purchase additional licenses, and additional discounts if you purchase multi-year subscriptions.

Website malware removal protection score – 7 out of 9

Based on our criteria, Wordfence receives a 7 out of 9 for its website malware removal tool and service.

5. SiteLock

SiteLock is one of the best-known website security companies on the market, offering multiple plans and a large number of features and services for those who need website malware removal. It’s also a viable option to consider for further site protection against outside threats. The service has been used by some household names across various industries, such as The Tennis Channel website, and partners with a few hosting companies (including HostGator and GoDaddy) to provide website security.

Notable features

SiteLock earns a passing score on most of our criteria for website malware removal. This service can scan for and remove malware in WordPress, Joomla, Drupal, and other open-source content management systems. For WordPress and Joomla, you can install a dedicated plugin/extension that will run backend malware scans and help determine if you have infected plugins, files, or other threats.

Outside of malware scanning and removal, SiteLock scans for:

• Infected or vulnerable applications
• Network port vulnerabilities
• External redirects
• SQL and XSS threats
• Spam

Malware removal service

SiteLock’s offers a standalone website malware removal service that automatically cleans malicious content from your website. This costs $199 and will clean your site within four to six hours. If your site doesn’t have a pre-existing infection, you can choose one of SiteLock’s plans to protect against future incidents of malware.

Pricing

There are three pricing tiers to choose from for the main SiteLock software — two of which include malware removal.

• Basic: $14.99/month
• Pro: $24.99/month
• Business: $34.99/month

All three options perform automatic malware scanning and removal, but SiteLock only offers complete emergency website restoration, hack removal, and blacklist removal through Pro or Business packages.

In addition, the Pro package comes with 5GB of backup, while the Business package comes with 10GB of backup, plus firewall PCI reporting, custom WAF rules editing, and 2FA for login areas via email or SMS.

Website malware removal score – 7 out of 9

Based on our criteria, SiteLock receives 7 out of 9 for its website malware removal service.

6. Quttera THREATSIGN!

Quttera offers one of the most extensive options on the market as far as platform support is concerned. While the service provides the same amount of protection and removal features as some of the top competitors, it also works on a larger number of website platforms than most other options on the list.

Quttera is a notable option to consider for those who may not be using the ever-popular WordPress CMS but instead opt for alternative platforms like Drupal, Joomla, SharePoint, Magento, and others.

Notable features

Quttera’s service for website malware removal provides a few key tools websites may need, including:

• Detailed reporting
• External link detection
• Detection of PHP-based threats, including PHP malware and PHP shells
• Unknown malware detection
• Emergency website hack fixing
• Blacklist monitoring for Google, Yahoo, and Bing
• No page limit for scanning
• Proprietary malware scanning tool
• Uptime monitoring

There are no free options with Quttera, and only two of the three subscription options include unlimited malware removal.

Features of every plan include:

• Client-side malware scanning
• Server-side malware scanning
• Uptime monitoring
• Blacklist monitoring
• Security report
• No page limit
• Web-based dashboard
• Web Application Firewall (WAF)
• Virtual patching and website hardening
• SSL certificate support

The Premium Security and Emergency plans also include the following:

• Automated and unlimited malware removal
• Hacking repair
• Full website auditing
• Google, Yahoo, and McAfee blacklist removal

You can find a free option of Quttera’s tools if you look hard enough. For example, there’s a free WordPress plugin that provides free malware scanning and limited removal features.

• Response time within 8 hours
• Unlimited malware removal and hack repair

For a small example of Quttera’s service, you can use its external malware scanning tool for free, as well.

Pricing

There are three subscription options available for Quttera ThreatSign!:

• Essential Security: $10/month
• Premium Security: $179/year
• Emergency: $249/year

The major difference between the Premium Security and Emergency plans is in the scan times and initial response times. The Premium Security package scans for malware every 6 hours and will respond to infections within 8 hours. The Emergency package scans for malware every 3 minutes and responds to infections within four hours.

Website malware removal score – 8 out of 9

Based on our criteria, Quttera THREATSIGN! receives an 8out of 9 for its website malware removal tool and service.

7. Comodo cWatch

Comodo’s cWatch is a pleasingly straightforward service with two subscription options: Pro and Premium.

Notable features

Comodo advertises a range of malware scanning and removal features. It offers “incident management and remediation” (its term for malware removal for a hacked website), as well as anomaly detection, a check for unpatched vulnerabilities, and an extensive WAF.

Additional features include:

• Checks for correlations between repeat events
• Automatic incident alerts
• SEO poisoning recovery
• Persistent threat detection
• CDN threat management and performance enhancement

Pricing

You can fix website hacks with cWatch using two different options:

• Pro/Complete Protection: $7.92 / month
• Premium/Advanced Protection: $19.92 / month

The Pro and the Premium options differ primarily in how much hands-on assistance you’ll receive from Comodo. The primary difference between the two is that the Premium plan offers a dedicated CSOC analyst you can contact at any time, more control of your firewall rules, and reverse malware engineering. You’ll also get scans every six hours with Premium, versus every 12 hours with Pro. Both versions offer unlimited hack repairs.

Website malware removal score – 7 out of 9

Based on our criteria, Comodo cWatch receives 7 out of 9 for its website malware removal tool and service.

8. Malcare

It’s probably best to think of Malcare as a direct Wordfence competitor. Designed specifically for websites running the WordPress CMS, Malcare offers a plugin and service that will fix hacked WordPress sites and maintain continuous protection.

While servicing only WordPress sites is certainly a limitation, Malcare has been used and is trusted by some fairly big names, including Yoast, Adobe, and Intel. The company currently boasts of having 20,000+ sites covered by its service.

Notable features

Malcare has a free plan that includes a daily malware scan, a firewall, vulnerability and uptime monitoring, and login protection.

It’s three paid plans include all this plus protection against bots and instant malware removal. The two priciest plans additionally allow for one-click staging and migration.

Unfortunately, Malcare doesn’t appear to offer blacklist removal from Google or other blacklisting sites, neither in its free plan or its subscription-based website protection plans.

Finally, there’s a free scanning tool available from Malcare. You’ll need to install the Malcare plugin to your WordPress site in order to perform the scan.

Pricing

Malcare offers three security packages in addition to the free plan.

• Basic Subscription: $99/year
• Plus: $149/year
• Pro: $299/year

These prices are for one site. Subscriptions are also available for three sites and 10. All plans come with a 14-day money-back guarantee and optional paid-for add-ons, such as real-time backups and visual regression tests.

Website malware removal score – 6.5 out of 9

Based on our criteria, Malcare receives 6.5 out of 9 for its website malware removal tool and service.

9. GoDaddy

GoDaddy became a household name in the early 2000s thanks to its rather scandalous TV advertisements. The company has since moved on and is one of the most-used website hosting companies in the world. It now offers other website services, including malware removal and site recovery.

Notable features

All GoDaddy website security plans come with:

• A web application firewall (WAF)
• Malware scanning alerts

The Advanced and Premium plans additionally come with unlimited site clean-ups and repair. Daily site backup is also provided.

Pricing

GoDaddy offers three subscription plans, with only the two pricier options offering site clean-ups and repair:

• Standard: $167.76 for the first two years then $311.76 every two years
• Advanced: $359.76for the first two years then $479.76 every two years
• Premium: $479.76for the first two years then $719.76 every two years

Standard: Offers a one-time annual site clean-up and repair, together with daily malware scanning.

Advanced: Offers unlimited site clean-ups and repair, together with 25GB of daily site backup. Provides a firewall, daily malware scans and protection against DDoS attacks.

Premium: Comes with 200GB of daily site backup, DDoS protection, and unlimited site clean-ups and repair.

Website malware removal score – 6.5 out of 9

Based on our criteria, GoDaddy receives 6.5 out of 9 for its website malware removal service.

What to do if your website is infected with malware

To remove website malware and recover from a website hack, you’ll need to do the following:

Below, we’ll lay out everything you need to understand about why your website may have been infected, how to scan a website for malware, and what you can do to prevent future website infections.

How did my website get infected?

As of January 2021, Google detected around 600-800 malware-infected sites per week. Meanwhile, over 70 percent of websites contain critical vulnerabilities. For most websites, and especially smaller sites without hefty enterprise security budgets, it’s less an issue of “if” your website will get infected or hacked, but “when.”

There are several common ways a website can get infected:

1. SEO spam malware (spamdexing)
2. Defacement
3. Website misconfiguration
4. You or your web developer installed infected files onto the website (usually in the form of plugins or templates in your CMS, such as WordPress or Joomla!)
5. The exploitation of vulnerable scripts on your site through the use of cross-site scripting (XSS) attacks
6. Brute-force attacks from weak passwords
7. FTP or HTTP interception
8. Poor server security (often out of your control if you’re using managed services)
9. Backdoors left from unscrupulous web developers

Multiple other threat vectors exist as well. However, regardless of how a website gets infected, contending with website malware can be a challenge. If even one page on your website gets infected or hacked, your Google page rankings could go crashing to the ground, significantly and negatively impacting your SEO ROI.

Google and other companies are also known to blacklist virus-infected websites, and a particularly bad infection can even cause Google to remove your website from its search results altogether.

How do I scan a hacked website?

There are three ways to scan a hacked website for malware:

• Use a free website malware scanning tool
• Install a plugin on your CMS to scan for backend malware
• Use a service that provides free or paid website malware scanning

From there, you’ll need to determine if there’s a problem that needs immediate resolution. If no scans find a problem, you’re likely not infected. However, note that free, external scans can be faulty, so if you’re still getting reports from website users about issues like popups and redirects, it’s best to pay for a more extensive internal scan.

How do I fix a hacked website?

Different tools and services exist to make the removal of malware from a website much simpler. Some tools can be installed directly onto your Content Management System (CMS) (such as WordPress or Joomla) if you’re using one. Others operate as server-site endpoint security.

Services that clear up these website malware infections for you may employ security professionals to fix the problem, and then set up a software solution to help prevent further infections. Others will rely solely on automated software to do the brunt of the work and only deploy security professionals in unique cases.

As Sucuri notes, website owners can do this themselves, but unless you’re a skilled programmer, you’re unlikely to know what to look for and may not know how to fix the problem if you do find something. A DIY approach can also be costly in terms of how much time you put into trying to fix it yourself.

We recommend you utilize a professional service to locate and remove malware from your website. Using a trusted managed service can help prevent any serious consequences related to deleting the wrong files, and missing important or critical security flaws and infections.

Common website security weaknesses

If you’ve recovered from a website hack, your next step is going to be to shore up your website’s weak spots. Here are a few areas to consider to help avoid getting additional website malware.

Password protection

Weak admin passwords make it easy for hackers to gain access to your backend. If you’re running WordPress, we highly recommend you install Jetpack if you haven’t already. This plugin will provide useful site stats, but will also help prevent malicious login attempts.

As well, make sure you use strong passwords. WordPress automatically creates strong passwords for new user accounts, but make sure any editors, writers, contributors or others who have password access to your WordPress site are also using strong passwords.

FTP and HTTP/HTTPS

When it comes to FTP and HTTP interception, avoid logging in to your site’s FTP over public wi-fi, and make sure any sites you visit or enter personal information into are using HTTPS instead of HTTP. Heed any warnings you might receive from Google or your personal antivirus software that warns of potentially malicious websites or links.

Additionally, if you haven’t done so, upgrade your site to use SSL encryption (HTTPS). Not only will this help your Google rankings, but SSL encryption helps prevent site hacking attempts.

Unfortunately, if you’re using managed services and not running your own web server for your website, you can’t do too much about poor server security. However, you may want to consider only using reputable web hosting companies. The same goes for web developers you contract with to work on your site. Not everyone is trustworthy, but you’ll want to make sure any developers or development companies you use have a good reputation and verified past work.

Infected plugins on WordPress or Joomla

If you’re operating and managing a website on your own or with a small team, your biggest concern will be cross-site scripting and infected plugins from your CMS.

Not all issues with your site will be because of viruses or other malware. In fact, if you suspect your site may be broken because of an infection or malware, there’s a good chance it’s actually broken because of an outdated plugin, or a conflict between two or more incompatible plugins. Nevertheless, malware-infected plugins do exist in abundance in many CMS environments, particularly in WordPress.

Ironically enough, there are numerous WordPress plugins out there designed to scan your other WordPress plugins for malware. We suspect many of these malware-scanning plugins carry viruses themselves. Simply put, don’t install an unvetted plugin designed to root out malware in other plugins. Only install verified, trusted, and updated plugins.

Script vulnerabilities

Scripts are often considered the backbone of the web and are part of what helps make websites interactive. They also allow different websites to interact with each other. However, that interactivity can also create vulnerabilities, particularly if the script itself is hijacked or designed with malicious intent.

A hijacked script can allow hackers to insert malicious code into one or multiple websites at the same time, so long as that vulnerability is known.

It’s quite possible that your site is running numerous scripts that give other sites partial access to your site and users. If those scripts are malicious or being used to serve malicious code to your website, you may not be able to do much about it until you figure out where the problem is and remove it.

Notably, even if your website is not hosting the malware, if the script is a known source of malicious attacks, Google may still tag your site as hosting malware and blacklist you.  

Infected tags

Your website may also contain tags which are serving up malware without your knowledge. A website tag is typically a piece of Javascript code held within its own container and is usually there to gather and send data. Tags are useful for ranking in Google, but can also be used maliciously.

The containers that hold these tags get scanned by Google, and, according to the company, a tag that points to a malicious website won’t fire (the tag won’t do what it’s intended to do). That can have deleterious effects on your website’s page ranking on Google, as malicious tags can insert unwanted URL and URL redirects, popup ads, browser search bars or side-search bars, and can significantly slow down page loading speeds (another page ranking factor).

If you’re using Google Tag Manager, you’ll get an email about infected tags, but even if you aren’t, your site can get flagged for malware and you may not know it until either a user warns you about some of the aforementioned problems (such as strong popups), or you find malware popping up in website malware scans.

See also: 8 Common types of malware explained