How do I clean up malicious code on my website?
My website was hacked last year. My IT cleaned it and run Wordfence, Sucuri and Sitelock which haven’t picked up any issues. Screaming Frog today found all the bad links (ie. found them from within my site, which suggests the malicious code must still be there somewhere). How can I clean up this problem? What kind of professional should I hire??
We are not a web developer but our website www.ThePartyPeople.com.au was hacked last year and malicious code added. It crippled our website as it was taken down but lucky we got a new type of insurance called cyber insurance to protect from such an event. We were actually attacked 5 times costing us over $30,000 and lucky the insurance covered it. Our developer and hosting company scanned the site for malicious code and removed it.In terms of how we cleaned it up I would have to get some input from my hosting company and developer however we basically contacted our hosting company when the website went down and ask them to restore it and resolve this issue which they did by running some diagnostic tools to find malicious code. My developer did the same and between them they were able to remove the malicious code. The important thing to note was we did both, my developer found the issue on my website but there were more things the malicious code had put in other dark corners of our server so the hosting company found those. The vulnerability was with word press and while we fixed the issue we decided it was too risky having our blog on the same server as our website given they could access our server via our blog which then gave the code access to our website so we put them on separate hosting environments.
Jef Lippiatt Owner at Startup Chucktown
I would also say it depends on how you've (or someone else) built your website. If your website is built on something like Wordpress (or other Content Management System a.k.a. CMS) than usually there are plugins that you can install that will search through your code and ensure everything is cleaned up as needed.
Additionally there are other resources such as security scanning programs, antivirus programs and the like that can also be deployed on your website (may require some technical knowledge).
Lastly, if your website is completely custom built, ensure that the developers and programmers that are building it are following industry best practices, such as limiting input fields (if it is a phone number field don't allow alphabet characters, if it is a name field don't allow numbers, don't allow special characters ($, !, @, #, &, *, etc.) in any input other than a password field, ensure you are encrypting sensitive information fields (passwords, credit card info, medical data, etc.) and disallow cross-scripting (don't allow programming expressions).