No more website malware… now what?

If you’re reading this page, good job being proactive about website reinfection. While no one can promise the risk will be zero, we can work together to ensure that it’s as low as possible.


Make the right choice for website malware removal

Experienced security analysts

Our dedicated researchers monitor active malware campaigns. With a trained team of analysts, we aim to provide the best malware removal service around.

Automatic and manual cleanups

We use scripts and tools to quickly scan your website for malware. Our analysts check your site manually too. No hack is too complex for our incident response team.

90k+ sites hacked every day

10k+ sites blocklisted every day

4-12 hrs website scan

100 %


Steps to take after your website is clean:


Update your websites

If you’re not using the current version of a CMS like WordPress or Joomla, take a minute to update your site. Out-of-date software is one of the leading causes of infections today. This includes your CMS version, plugins, themes, and any other extension or module you have installed.


Change your password for all access points

This includes FTP, SFTP (or SSH), cPanel, etc. Choose a password built around three core components – complexity, length and uniqueness. A common complaint about passwords is that they’re too difficult to remember. This is true. It’s also why password managers were created.

Password Tip: Start using a password manager (1Password and LastPass are good ones).

We can’t stress enough the importance of changing all passwords, including those for FTP/SFTP, cPanel, and your database. Your website has various access points, and attackers understand this. If an attacker wants access to a site, they will exploit every possible point of entry.

At a minimum, be sure to update the password for all administrator logins. Often, users will create additional administrators and only update their primary one, but forget about the rest.

If you’re using a CMS, change your database password.

Please be sure to update your configuration file – configuration.php for Joomla and wp-config.php for WordPress.

This isn’t an automated process, so you need to know how to open these files and edit them manually. If you’re not familiar with handling changes to your database configuration files, contact your host first.

If you don’t know how to change your passwords (specified above), contact your hosting company for details.
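As an added example (not Sucuri's own tooling), the manual edit described above can be scripted so that a new database password containing quotes or backslashes does not break the PHP file. It assumes the standard `define( 'DB_PASSWORD', ... )` line in wp-config.php and the `public $password` property in Joomla's configuration.php; the sample file contents are constructed.

```python
import re

# A PHP string literal in either quote style, allowing backslash escapes.
_PHP_STR = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
# wp-config.php: define( 'DB_PASSWORD', '...' );
WP_RE = re.compile(r"""(define\(\s*['"]DB_PASSWORD['"]\s*,\s*)""" + _PHP_STR)
# Joomla configuration.php: public $password = '...';
JOOMLA_RE = re.compile(r"(public\s+\$password\s*=\s*)" + _PHP_STR)

# Constructed sample files, not taken from a real site.
WP_SAMPLE = "define( 'DB_USER', 'site' );\ndefine( 'DB_PASSWORD', 'old-pw' );\n"
JOOMLA_SAMPLE = "class JConfig {\n\tpublic $user = 'site';\n\tpublic $password = 'old-pw';\n}\n"


def php_quote(value):
    """Return value as a PHP single-quoted literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def set_db_password(config_text, new_password):
    """Return config_text with its one database password setting replaced."""
    literal = php_quote(new_password)
    for pattern in (WP_RE, JOOMLA_RE):
        # A function replacement stops re from reinterpreting backslashes.
        new_text, count = pattern.subn(lambda m: m.group(1) + literal, config_text)
        if count == 1:
            return new_text
        if count > 1:
            raise ValueError("more than one database password setting found")
    raise ValueError("no database password setting found")


if __name__ == "__main__":
    print(set_db_password(WP_SAMPLE, "pa'ss\\word"))
    print(set_db_password(JOOMLA_SAMPLE, "pa'ss\\word"))
```

Keep a copy of the original file before writing the result back, and change the password on the database server itself first so the two stay in sync.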


Run a virus scan on your personal computer

In a lot of cases, we see websites become compromised from a contaminated local device (notebooks, desktops, tablets, etc.). This is why we always ask you to take a moment to run a local antivirus product.

If you’re okay with spending a little money, BitDefender is leading the pack in malware detection on Mac and PC. Other alternatives include Kaspersky for both Windows and Mac, and Sophos and F-Secure for Windows. You can also try Avast, MSE, or Spybot which are free alternatives and highly rated.

If your device is not clean, your site can get reinfected easily.


Start backing up your website

A critical element of website security is ensuring you have a proper backup strategy. Backups function as your safety net and, depending on the platform you are using, you may have several options.

We offer backups to ensure you have a secure and easy-to-use system. It just requires a simple configuration with your FTP/SFTP credentials and backs up all of your content and database to the cloud.


Use the Sucuri Security WordPress plugin

Whether you’re a Sucuri client or not, we recommend leveraging our free WordPress security plugin if you’re using WordPress for your website. We have detailed installation instructions and provide a more in-depth discussion in our WordPress Security guide.


Separate your servers

Too often the issues we see plaguing our clients are caused by “soup kitchen” servers, or old installations of content management systems, themes or plugins. Over time, these old installs are forgotten and ripen with malware that’s ready to infest the entire server after every cleanup. Take a minute to separate those installs that belong on a test, staging or production server.


Remove old backups from the server

Outdated and unmaintained copies of your website in folders can leave your site vulnerable to malicious activity, especially when they are in common folder names such as /old or /backup. You will want to remove these files, but if you need to keep a copy, be sure to download them first.
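To find what the last two steps ask you to clean up, the following added example (not a Sucuri tool) walks a document root and reports leftover directories, archive and database dump files, and extra CMS installs in subfolders. Only /old and /backup come from the text above; the other directory names, the extension list and the sample tree are assumptions made for the example.

```python
import os
import tempfile

# Constructed name lists: the page names only /old and /backup; the rest are assumptions.
SUSPECT_DIRS = {"old", "backup", "backups", "bak", "test", "staging"}
ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz", ".bak")
CMS_CONFIGS = {"wp-config.php": "wordpress", "configuration.php": "joomla"}


def _rel(rel_dir, name):
    """Join and normalise a path relative to the document root."""
    return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")


def audit_webroot(root):
    """Return sorted (kind, relative_path) findings for one document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames:
            if name.lower() in SUSPECT_DIRS:
                findings.append(("leftover-dir", _rel(rel_dir, name)))
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.append(("archive", _rel(rel_dir, name)))
            # A CMS config file below the top level points to a second install.
            if name in CMS_CONFIGS and rel_dir != ".":
                findings.append(("extra-" + CMS_CONFIGS[name], _rel(rel_dir, name)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed document root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("wp-config.php", "index.php", "old/wp-config.php",
                "backup/site.tar.gz", "wp-content/uploads/db-dump.sql"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_tree()):
        print(f"{kind:16} {path}")
```

The matches are heuristics: review each finding, download anything you still need, then remove it from the server or move the install to its own test or staging server.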


Configure your website firewall

Every day, there are a growing number of software vulnerabilities exploited by attackers. Trying to keep ahead of these can be very challenging for even the best system administrators and developers. It’s impractical to think that everyday website owners can stay current with the latest threats or have the time to devote to it. That is why website owners should look into implementing an enterprise-grade firewall on their website.

It will function as both intrusion detection and prevention systems for all your website traffic. Those who purchased the Sucuri Website Security Platform have the option to enable the firewall in their account. For those who are not already customers or who purchased service prior to February 2015, you too have the option to enable a firewall via the Sucuri product line.

Let’s face it, when you created your website, you were hoping it was going to be easy, and you weren’t interested in security. It’s time to consider a website firewall to help keep your visitors safe and hackers out.


Use the Sucuri server-side scanner

Using our server-side scanner will ensure that all files on your website are monitored daily. It will alert you if it finds any suspicious files or unexpected modifications.

Your own security team to depend on!

99% Support Ticket Satisfaction
20,000+ Sites Cleaned Monthly