How do I clean up malicious code on my website?

My website was hacked last year. My IT cleaned it and run Wordfence, Sucuri and Sitelock which haven’t picked up any issues. Screaming Frog today found all the bad links (ie. found them from within my site, which suggests the malicious code must still be there somewhere). How can I clean up this problem? What kind of professional should I hire?? 

David Boss

David Boss

You can clean it up by checking the codes on each pages one by one.We can help you with that Contact us. Email :- or

Steve Krinks

Steve Krinks, Owner, Principal Consultant at Well Optimised

Hi Beata, I have referred a number of my clients over the past few years to Michael Colman at and he has sorted them out quickly. Hope that helps! Cheers

Simon Smith

Simon Smith at

Hello. Never host your website on an open source CMS platform where all your data and IP is shared amongst hundreds of other people. Always hire a programmer you can trust or keep to basics and make a simple HTML site. Stay away from people that reuse code and share others code. Cost vs risk I have seen is well not worth it.

Jef Lippiatt

Jef Lippiatt, Owner at Startup Chucktown

Top 10% Business Ideas

I would also say it depends on how you've (or someone else) built your website. If your website is built on something like Wordpress (or other Content Management System a.k.a. CMS) than usually there are plugins that you can install that will search through your code and ensure everything is cleaned up as needed.

Additionally there are other resources such as security scanning programs, antivirus programs and the like that can also be deployed on your website (may require some technical knowledge).

Lastly, if your website is completely custom built, ensure that the developers and programmers that are building it are following industry best practices, such as limiting input fields (if it is a phone number field don't allow alphabet characters, if it is a name field don't allow numbers, don't allow special characters ($, !, @, #, &, *, etc.) in any input other than a password field, ensure you are encrypting sensitive information fields (passwords, credit card info, medical data, etc.) and disallow cross-scripting (don't allow programming expressions).

Dean Salakas

Dean Salakas at

We are not a web developer but our website was hacked last year and malicious code added. It crippled our website as it was taken down but lucky we got a new type of insurance called cyber insurance to protect from such an event. We were actually attacked 5 times costing us over $30,000 and lucky the insurance covered it. Our developer and hosting company scanned the site for malicious code and removed it.In terms of how we cleaned it up I would have to get some input from my hosting company and developer however we basically contacted our hosting company when the website went down and ask them to restore it and resolve this issue which they did by running some diagnostic tools to find malicious code. My developer did the same and between them they were able to remove the malicious code. The important thing to note was we did both, my developer found the issue on my website but there were more things the malicious code had put in other dark corners of our server so the hosting company found those. The vulnerability was with word press and while we fixed the issue we decided it was too risky having our blog on the same server as our website given they could access our server via our blog which then gave the code access to our website so we put them on separate hosting environments.