There are numerous website malware removal tools and services available that can scan your website, isolate the infection, and remove it for good. Most companies also offer blacklist removal from Google and other website blacklists. However, not every option is trustworthy, and some malware removal services could actually put your site at further risk of infection.
If you need to scan your website for malware or fix a hacked website immediately, these services provide both emergency malware removal services and ongoing website security to protect against infections.
8 best website malware removal tools and services
Of the many website malware removal tools and services on the market, the best options to consider include:
- SiteGuarding Best all-around service to fix hacked sites
- Sucuri Great for small budgets
- Site24x7 Website, network, and applications monitor with strong user behavior monitoring.
- Wordfence Best for WordPress websites
- SiteLock Partnered with multiple hosting companies
- Comodo cWatch Offers free website malware removal
- Quttera THREATSIGN! Low-cost malware removal for multiple platforms
- Malcare Offers high-quality, free scanning for WordPress
- GoDaddy Provides a low-cost website security option
When my professional website got infected with malware last year, I didn’t know until a visitor told me she was getting weird pop-ups after hitting my home page. I wasn’t able to replicate the issue myself, so I ignored it—until several other users told me they experienced the same thing. I only discovered the threat after performing a deeper-level malware scan on my site.
Thankfully, I avoided any serious problems, but if you believe your website was compromised and is serving up malware, the consequences could be significant. Google may put your website on its blacklist and remove your site from search results.
The most recent data however, shows that Google is mostly blacklisting phishing sites. Google’s Transparency Report, shows 2.195 million websites made its list of “Sites Deemed Dangerous by Safe Browsing” category, and over 2.1 million) were phishing sites.
Only 27,000 of Google’s removed sites were delisted because of malware.
The end result of your website staying live for an extended period while infected with malware could be even worse, you could damage the trust of your customers and lose their business for good. A PwC survey found that 87% of consumers are even willing to walk away and take their business elsewhere if, or when, a data breach occurs.
Because of the seriousness of website malware, we researched several dozen small and large malware removal services and then whittled our list down to seven trustworthy providers that can help repair hacked sites.
Criteria for a good website malware removal service
For website malware removal, you’ll want to opt for a service that meets most or all of the following criteria:
- Has a good reputation
- Offers scanning and removal at a reasonable cost
- Provides dedicated Content Management System (CMS) plugins/extensions (for example, for WordPress, Joomla, or Drupal)
- Can also work with multiple CMS and custom-coded sites
- Provides a free scanning tool or service
- Offers blacklist removal (Google at a minimum)
- Capable of removing multiple forms of website hacking and malware
- Offers multiple communication methods (phone, email, live chat)
- Provides continued site protection and support after restoration, which includes a web application firewall (WAF) as well as regularly-scheduled malware scanning and removal
Let’s explore each of these options in more detail below.
- SiteGuarding
Not to be confused with the similarly-named service (SiteGuard), SiteGuarding is a website security company that offers a litany of unique services and features that make it a standout among the other options on our list. The service maintains web security protection for a long list of CMSs and provides both regular malware removal and emergency malware removal for when your website suffers a major hack.
The company doesn’t boast an extensive name-branded client list like Wordfence or Sucuri. Still, most reviews from various review aggregation sites are overwhelmingly positive. It also provides plugins/extensions for half a dozen popular and lesser-used content management systems.
Notable features
The list of features you get through SiteGuarding depends on what you’re using the service for. If you’re signing up for malware removal (regular or emergency services), you’ll get virus cleaning and backdoor removal. The company promises to clean hacked websites within 24 hours. In fact, SiteGuarding advertises emergency malware removal in as little as 1–3 hours.
Unlike with most options on this list, malware removal is a one-time service with SiteGuarding instead of part of a subscription.
Alongside cleaning your site, the SiteGuarding malware removal service offers:
- Blacklist checking removal from multiple blacklists (Google, McAfee, Norton)
- Core files check on up to 10,000 WordPress and Joomla CMS files
- SQL injection prevention
- Analysis of website backups and server logs
- Website acceleration
- Installation of security plugins (Portal plan only)
- Website monitoring (Portal plan only)
The features you get will depend on which removal plan you purchase, with prices ranging from $49.95 to $200 USD for one site. Multisite malware removal will come with an additional cost.
SiteGuarding offers not just one, but five separate free website scanning tools. You can check your site against the company’s Outbound Link Scanner, Malware Scanner, Spam SEO Scanner, Blacklist Checker, and a Website Antivirus Scanner (requires installation onto your website as a PHP file). The company also offers a free security audit, which can be initiated over email or live chat.
The service’s free scanners are of questionable effectiveness, however, so we recommend using the free security audit instead.
Pricing
With SiteGuarding, you’ll be able to remove website malware using the following options:
- Malware Removal Only: $49.95
- High Priority Malware Removal: $109.95
You can also choose a package that offers malware removal, bug fixes, and more website security options:
- Blog Package: $100
- Standard Package: $125
- Business Package: $150
- Portal Package: $200
Note that blacklist removal does not come with the “Malware Removal Only” service. If you want blacklist removal, you’ll need to opt for one of the extended packages.
Here’s what each extended package includes:
Blog Package: Up to 1,000 core files checked for WordPress CMS, backdoor removal, SQL injection prevention, blacklist removal (Google only), and a 30-day guarantee.
Standard Package: Everything in the Blog Package, as well as up to 5,000 core files checked for WordPress and Joomla CMS, blacklist removal for Google, McAfee, and Norton, and security analysis on website backup server logs.
Business Package: Everything in the Standard Package, as well as up to 10,000 core files checked, website acceleration, and a 60-day guarantee.
Portal Package: Everything in the Business Package, as well as 10,000+ core files checked, security plugin installation as needed, three months of full website monitoring, and a 90-day guarantee.
If you’re looking to extend your security benefits, SiteGuarding offers website security plans similar to what’s available through the other companies on the list. Prices vary based on what you’re looking for and the number of sites you want to cover.
Prices start at $6.95 per month, with a $19.95 per month option that will remove malware from already-hacked websites, protect your site with a web application filter and other security measures, and offer unlimited malware removal and hack fixing at least once per month going forward.
Website malware removal score – 8.5 out of 9
Based on our criteria, SiteGuarding receives 8.5 out of 9 for its website malware removal tool and service.
Comprehensive security protection:SiteGuarding advertises emergency malware removal in as little as 1–3 hours. Prices start at $6.95 per month for a basic package.
Pros:
- Low cost for website hack repair and removal
- An extensive list of features and services
- Offers a separate emergency malware removal option
- Provides comprehensive security protection subscriptions that include malware removal
- Offers free security audits with methods to contact support
- Offers a long list of major and minor CMS plugins/extensions
Cons:
- Overcomplicated malware removal and website security options
- Free scanners of questionable effectiveness
- Emphasizes functionality with WordPress and Joomla over other CMSs
- Sucuri
Sucuri is a well-known website security company offering a wide range of malware scanning and website malware removal services. This option comes with a high level of trust and a top-notch reputation, especially for those who rely on WordPress. It’s trusted by a few popular WordPress development companies, including wpbeginner, iThemes, and Yoast, and several major universities (Northwestern, Duke, New York, and George Washington).
This is not a good option if you’re just looking for a short-term fix for a hacked website, however. Sucuri will perform emergency fixes for hacked websites, but only through an annual subscription. That said, if you plan to increase your website’s security following a hack removal, Sucuri is a great option for both the emergency hack fix and for continued site protection.
Sucuri is designed not just a malware removal tool, but also a website performance enhancer. As such, if you have to fix a hacked website, it will serve your purpose but will extend those benefits to include regular malware scanning, a high-powered Web Application Filter (WAF), virtual patching and hardening, DDoS mitigation, and more. And unlike SiteLock, all of Sucuri’s subscription options offer unlimited page scans, making it a preferable option for larger enterprise websites and affiliate sites with a lot of pages.
Securi offers a service level agreement to remove malware within a certain timeframe according to the plan you have. For Basic malware will be removed within 30 hours. For Pro this drops to within 12 hours. Business is faster still with malware removed within 6 hours.
Additional features include:
- Blacklist removal and reputation monitoring
- Stops zero-day malware
- Blocks hacks and brute-force attacks
- Provides an Intrusion Detection System (IDS)
- SSL monitoring
- File change detection
- Utilizes a heuristic correlation engine (machine learning tool used to detect malicious activity across the network)
Sucuri also offers a free, external website scanning tool. You can use this to see if your website currently carries any easily-detected malware, which is particularly beneficial if you believe your website was hacked and is now sending users popups, redirects, or other user-facing incidents.
(Note that Sucuri’s external scanning tool is not a perfect solution, however, and can quite easily miss deeper-level threats. It’s a good starting place, but if you suspect a serious hack exists that’s not showing up in the free scan, contact Sucuri immediately.)
The free tool not only scans for known external threats but also checks your site for blacklisting.
We found Sucuri’s free scanner will send back some false information about security threats at times. For example, the tool incorrectly states my professional website does not include a redirect from HTTP to HTTPS (untrue) and that there’s no web application firewall (also untrue).
The biggest downside to Sucuri is that it only offers annual subscription plans. If you’re just looking for an emergency website repair, you’ll be stuck with Sucuri for a year unless you utilize the 30-day money-back guarantee. That said, you’ll get a year of added protection against further threats, which may be worth it in the long run.
Unless you’re purchasing a custom plan for an enterprise with multiple websites, Sucuri offers three protection plans for most users:
- Basic: $199/year
- Pro: $299/year
- Business: $499/year
The main difference between these options is how frequently its tool scans for threats. Basic offers website malware scans and other security scans every 12 hours; Pro, every 6 hours; and Business, every 30 minutes. An additional limitation for Basic is that it doesn’t include SSL certification protection.
Website malware removal score – 8 out of 9
Based on our criteria, Sucuri receives 8 out of 9 for its website malware removal tool and service.
Lower cost than most competitors:Effectively removes malware and offers extended protection. Comes with a 30-day money-back guarantee so you can try it risk free.
Highly-respected company and service
Effectively removes malware and offers extended protection
Unlimited malware removal and hack fixes
CMS plugins/extensions for WordPress and Joomla
Offers blacklist removal and reputation
Provides free, external website malware scanning tool
Lower cost than most competitors
SLA to remove malware in specific timeframe
Only offers annual subscriptions
Only covers one website per subscription without an Enterprise plan
- Site24x7
Site24x7 has a distinct advantage to spot website security issues by being located outside the company network as a cloud service. The service looks at the delivery of websites and how visitors use them. Part of that activity includes identifying performance impairing interference and malware actions.
The Site24x7 strategy adopts a more contemporary delivery model, using a cloud platform rather than delivering software for installation. It also leaps ahead at looking at the vulnerabilities that hackers are exploiting today, rather than being dragged down by a traditional antivirus approach.
The big threat to websites is through all of the APIs and services that their coding now employs. The coding complexity of web pages creates opportunities for hackers. Site24x7 can scan these advanced programming threats and block them, so website visitors are protected.
The list of features each customer can access in Site24x7 depends on the selected package. The service is available for free, but that includes fewer features. Each of the four progressively more expensive paid editions includes more features.
The Site24x7 feature that is of most interest from a cybersecurity perspective is the Website Defacement system. This is the main website malware protection service in Site24x7 and it is one of the advanced features that subscribers are allowed to select from a menu of services.
The tasks performed by the Website Defacement Monitor include:
- Alerts to unauthorized addition or modification of HTML elements
- Monitoring for hacked links and other quality issues
- Identify changes in link sources
- Security infringement alerts
- Action to avert search engine results pages ranking downgrades
- Hijack mitigation
- Reputation protection and brand safeguards
The Website Defacement Monitor is available to subscribers of all paid editions of Site24x7.
Site24x7 is charged for on a subscription basis. Customers can choose to pay for the service monthly or annually. Those who pay yearly get a lower rate on a per month basis than those on a monthly payment plan.
The four paid editions of Site24x7 are:
- Starter: $108/year
- Pro: $420/year
- Classic: $1,068/year
- Enterprise: from $2,700/year
The difference between the plans lies in the number of services included in each. Advanced monitors available for selection with each edition are:
- Web transaction monitor
- Web page speed monitor
- Website defacement monitor
- Mail delivery monitor
- FTP monitor
- Application performance monitor
- Advanced Windows Apps – Microsoft SharePoint, BizTalk, Active Directory, Failover Cluster, Hyper-V, SQL and Exchange Monitoring,
The number of advanced monitors for selection that are included in the price increases with the price of each edition.
The inclusion in the four editions are:
Starter
- Monitor up to 10 websites/servers
- 1 advanced monitor
- 5 network interfaces
- 100K RUM pageviews
- Tests from more than 90 locations
- 50 SMS/Voice credits per month
- Multiple user accounts
- Third-party integration
- Standard support
Pro
- Monitor up to 40 websites/servers
- 3 advanced monitors
- 5 network interfaces
- 200K RUM pageviews
- Tests from more than 90 locations
- 150 SMS/Voice credits per month
- Multiple user accounts
- Third-party integration
- Premium support
Classic
- Monitor up to 100 websites/servers
- 5 advanced monitors
- 10 network interfaces
- 200K RUM pageviews
- Tests from more than 90 locations
- 250 SMS/voice credits per month
- Multiple user accounts
- Third-party integration
- Premium support
Enterprise
There are 3 variants of the Enterprise level subscription; Elite, Enterprise, and Enterprise plus Web.
Elite – $2,700 / year
Monitor up to 250 websites/servers
- 5MRUM Pageviews & 50 sites
- Tests from more than 110 locations
- 400 SMS/voice credits per month
- Multiple user accounts
- Third-party integration
- Premium support
Enterprise – $5,388 / year
Monitor up to 500 websites/servers
- 10MRUM Pageviews & 500 sites
- Tests from more than 110 locations
- 500 SMS/voice credits per month
- Multiple user accounts
- Third-party integration
- Premium support
Enterprise plus Web – $10,788
Monitor up to 2500 websites
- 5MRUM Pageviews & 50 sites
- Tests from more than 110 locations
- 1000 SMS/voice credits per month
- Multiple user accounts
- Third-party integration
- Premium support
Each plan can be augmented by extra features for a monthly fee. That is, a Standard plan can include more than one advanced feature, but will cost more.
Website malware removal score – 8.7 out of 9
Based on our criteria, Site24x7 receives 8.7 out of 9 for its website malware protection service.
Pros:
- Constant availability from a remote location
- Image, script, anchor, iframe, link, and text defacement checks
- Change integrity checks
- Advanced web content integrity check
- Intelligent baselining
- Constant performance monitoring from more than 90 locations
- Flexible pricing structure
- Free version
Cons:
- Top plan quite expensive
- Doesn’t include network security protection
Advanced Website defacement protection:SiteGuarding advertises emergency with early detection of security issues, scans entire web page for hacked links, identifies HTML changes, starting at $9/mo.
4. Wordfence
If your website is running on WordPress, Wordfence should be at the top of your list. Wordfence specializes in WordPress sites (as you may have guessed by the name). Despite some previous functionality with websites running on other CMSs, including Joomla and Drupal, its current focus is solely on providing security options for WordPress sites.
The Wordfence WordPress plugin has been downloaded over 100 million times, and its service has been referenced in major media outlets, including ArsTechnica, The Register, BleepingComputer, and Threatpost.
You can download Wordfence directly to your WordPress CMS as a plugin. The service offers real-time malware scanning, a firewall, and IP blacklisting. You’ll also get:
- Two-factor authentication for your site
- Country blacklisting
- 24/7 premium support
- Leaked password protection
- Live traffic monitor
- Core, theme, and plugin file repair
- Manual blocking
Additionally, Wordfence offers immediate, one-time website hack removal and website cleaning for $179. The emergency malware removal option offers:
- Malware removal and other website hack cleaning from an unlimited number of website pages
- Analysis of security flaws that caused the website infection
- Removal of malicious code and links from posts, comment sections, and website source code
- An in-depth report of the investigation and removal process and a checklist for future hack prevention
- Blacklist removal from over 20 search engines and anti-spam blacklisters, including Google, Bing, and Symantec
- One year of Wordfence Premium
If you want to check your website for free with Wordfence, you’ll need to install the WordPress Plugin, create a free account, and then scan your site from your Wordfence account.
Free scans will not offer malware cleaning for sites already infected with malware, however. If you want to fix a hacked site you’ll need to sign up for Premium or use the one-time website hack removal.
As mentioned, you have two options for Wordfence: emergency website hack removal or Wordfence Premium.
- Wordfence Free (limited functionality)
- Wordfence Premium: $99/year per website (Discount available for multiple site licenses)
- Emergency Website Hack Removal: $179 (includes one year of Wordfence Premium)
If you need hack removal, you’ll need to opt for the emergency website cleaning option. You can choose between Wordfence Free and Wordfence Premium, both of which are feature-rich. However, Wordfence Premium offers a larger benefit for high-traffic sites.
Wordfence Free: Offers endpoint security, malware signature updates (delayed 30 days in free version), web application firewall (WAF) support, malware scanning, file repair, checks for malicious links and comments, and a live traffic monitor, among other benefits.
Wordfence Premium: Everything that comes with the free version, but adds real-time firewall protection, two-factor authentication, checks for blacklisting of your website, and blocked requests from blacklisted IPs and countries.
If you have multiple websites and want to sign up to Wordfence Premium, you’ll need to purchase multiple licenses. Wordfence offers a discount if you purchase additional licenses, and additional discounts if you purchase multi-year subscriptions.
Website malware removal protection score – 7 out of 9
Based on our criteria, Wordfence receives a 7 out of 9 for its website malware removal tool and service.
5. SiteLock
SiteLock is one of the best-known website security companies on the market, offering multiple plans and a large number of features and services for those who need website malware removal. It’s also a viable option to consider for further site protection against outside threats. The service has been used by some household names across various industries, such as The Tennis Channel website, and partners with a few hosting companies (including HostGator and GoDaddy) to provide website security.
Highly-respected WordPress security tool
WordPress plugin
Low-cost subscription and emergency hack removal
Extensive features
Some free options
Free version available
Plugins/extensions available for multiples CMSs: WordPress, Joomla, Drupal, Magento, OpenCart, phpBB, and PrestaShop
Limited to no functionality for websites outside of the WordPress CMS
Limited contact and support options
SiteLock earns a passing score on most of our criteria for website malware removal. This service can scan for and remove malware in WordPress, Joomla, Drupal, and other open-source content management systems. For WordPress and Joomla, you can install a dedicated plugin/extension that will run backend malware scans and help determine if you have infected plugins, files, or other threats.
Outside of malware scanning and removal, SiteLock scans for:
- Infected or vulnerable applications
- Network port vulnerabilities
- External redirects
- SQL and XSS threats
- Spam
Malware removal service
SiteLock’s offers a standalone website malware removal service that automatically cleans malicious content from your website. If there’s a malware-related issue, depending on your scanning package and how your site was built, website malware will be removed automatically. The Malware removal service costs $9.99 / month for SiteLock Smart and $39.99 / month for SiteLock Infinity, with infinity scanner, data backup, and unlimited manual cleans.
There are three pricing tiers to choose from for the main SiteLock software that includes the malware removal service discussed above, plus automatic threat detection and a number of bundled features depending on the package you choose.
- SecureAlert: $14.99/month
- SecureStarter: $29.99/month
- SecureSite: $49.99/month
All three options perform automatic malware scanning and removal, but SiteLock only offers complete emergency website restoration, hack removal, and blacklist removal through SecureStarter or SecureSite.
SecureStarter limits emergency website repair and blacklist removal to one time, while SecureSite offers these services on an unlimited basis.
The key differences between these options are the number of pages that can be scanned, and the amount of additional protection you get outside of malware removal.
SecureStarter will scan up to 500 pages once per day.
SecureSite will scan up to 2,500 pages constantly. This option also provides automated WordPress, Joomla, and Drupal patching, database scanning, and database cleaning.
Website malware removal score – 7 out of 9
Based on our criteria, SiteLock receives 7 out of 9 for its website malware removal service.
6. Quttera THREATSIGN!
Quttera offers one of the most extensive options on the market as far as platform support is concerned. While the service provides the same amount of protection and removal features as some of the top competitors, it also works on a larger number of website platforms than most other options on the list.
Fast and trustworthy website malware removal and hack repair
Blacklist removal
Daily scans and regular malware removal after hack repairs
WordPress and Joomla plugins/extensions
Pricier than most competitors
SecureSpeed option only includes one hack repair and blacklist removal. Using SiteLock for repeat hacks can be expensive
Requires monthly or yearly subscription to remove malware and repair a hacked site
An extremely limited number of page scans compared to other services
Quttera is a notable option to consider for those who may not be using the ever-popular WordPress CMS but instead opt for alternative platforms like Drupal, Joomla, SharePoint, Magento, and others.
Quttera’s service for website malware removal provides a few key tools websites may need, including:
- Detailed reporting
- External link detection
- Detection of PHP-based threats, including PHP malware and PHP shells
- Unknown malware detection
- Emergency website hack fixing
- Blacklist monitoring for Google, Yahoo, and Bing
- No page limit for scanning
- Proprietary malware scanning tool
- Uptime monitoring
There are no free options with Quttera. However, the service does offer a limited basic website malware scanning and removal tool for a low price ($10/month). There are a few other subscription options as well that offer a more inclusive removal and protection package.
Quttera’s Business plan provides a full suite of features, including:
- Response time within 8 hours
- Server-side malware scanning
- Unlimited malware removal and hack repair
- Manual malware removal
- Full website auditing
- Google, Yahoo, and McAfee blacklist removal
- Web-based dashboard
- External malware scanning
- Web Application Firewall (WAF)
- Virtual patching and website hardening
- SSL certificate support
You can find a free option of Quttera’s tools if you look hard enough. For example, there’s a free WordPress plugin that provides free malware scanning and limited removal features.
For a small example of Quttera’s service, you can use its external malware scanning tool for free, as well.
There are 5 subscription options available for Quttera THREATSIGN!:
- Emergency: $249/year
- Basic Subscription: $10/month
- Economy Subscription: $149/year
- Business Subscription: $179/year
- Professional Subscription: $599/year
The Basic subscription covers 1 website and offers automated website malware removal, continuous scanning, and WAF, virtual patching and an initial response time within 12 hours. And oddly, the Economy subscription offers everything but a WAF and virtual patching.
You’ll find the best coverage through the Emergency or Business subscriptions for 1 site, or the Professional option for up to 5 sites. The key differences at that level are the initial response times and external malware scanning frequency. Choose Emergency if you need faster scanning and response, as there is an initial resposne time of 4 hours.
All plans have scan at least once per day, and up to every 30 minutes through the Emergency subscription.
Based on our criteria, Quttera THREATSIGN! receives an 8out of 9 for its website malware removal tool and service.
7. Comodo cWatch
Comodo’s cWatch is one of the only free website malware removal options on the market, making it one that’s a bit hard to pass up if you’re looking for a quick fix. cWatch makes big promises, including the promise to remove website malware within 30 minutes, even through the free option.
Lower-cost than more well-known competitors
Wide website platform support
WordPress plugin available
Removal from multiple website blacklists
Noted limitations with Basic and Economy subscriptions
Less reputable service with many complaints related to false positives
The service was formerly called Web Inspector, but cWatch informed us that all Web Inspector operations are now being forwarded over to cWatch.
Comodo advertises a range of malware scanning and removal features. For those who want to keep the protection going after fixing a hacked site, there are numerous protection options designed to ensure your website is protected against future threats.
cWatch offers “incident management and remediation” (its term for malware removal for a hacked website). For those who sign up for the monthly subscription option, cWatch offers anomaly detection, checks for unpatched vulnerabilities, and offers an extensive WAF.
- Checks for correlations between repeat events
- Automatic incident alerts
- SEO poisoning recovery
- Persistent threat detection
- CDN threat management and performance enhancement
While cWatch technically doesn’t offer a free scan, you can still use the free Web Inspector external malware scanning tool. As stated, Web Inspector is technically expired, but Comodo has yet to disable either the Web Inspector website or the free scanning tool.
You can use the malware scanner to determine if your website is blacklisted due to malware, whether your CMS has any threats that can be identified from an external scan, and whether there are any content and HTTP security threats on your website.
You can fix website hacks with cWatch using three different options:
- Basic: Free
- Pro/Complete Protection: $7.92 / month
- Premium/Advanced Protection: $19.92 / month
Comodo is one of the only options on the market that offers free website malware removal. There are some limitations to the free removal option, of course, which includes limited tech support, no WAF, no ongoing monitoring following the malware removal, and importantly, no website blacklist removal.
The Pro/Complete Protection and the Premium/Advanced Protection options differ primarily in how much hands-on assistance you’ll receive from Comodo. The primary difference between the two is that the Premium plan offers a dedicated CSOC analyst you can contact at any time, more control of your firewall rules, and reverse malware engineering. You’ll also get scans every six hours with Premium, versus every 12 hours with Pro/Advanced Protection. Both versions offer unlimited hack repairs.
Based on our criteria, Comodo cWatch receives 7 out of 9 for its website malware removal tool and service.
8. Malcare
It’s probably best to think of Malcare as a direct Wordfence competitor. Designed specifically for websites running the WordPress CMS, Malcare offers a plugin and service that will fix hacked WordPress sites and maintain continuous protection.
Free website malware removal option
Low cost extended malware scanning and protection plans
Fast customer service response
Blacklist removal with paid options
Extensive WAF with paid options
Hands-on support with Premium plan
Less reputable and less commonly recommended by top-level sites and services
No website blacklist removal with the free option
No WordPress or Joomla plugins
While servicing only WordPress sites is certainly a limitation, Malcare has been used and is trusted by some fairly big names, including Yoast, Adobe, and Intel. The company currently boasts of having 20,000+ sites covered by its service.
If you just need emergency malware removal, Malcare offers a one-time hacked website fix that includes:
- Malware scanning and removal
- Dedicated security analyst review
- A detailed report on findings and actions taken
- WordPress hardening
- Login protection
Those who need added protection may want to consider the subscription-based option. Malcare provides a long list of features here, to include fast and automated malware removal, daily scanning, and a user-friendly dashboard with extensive site stats.
The subscription-based website security service also offers:
- A comprehensive WAF
- Protection from known vulnerabilities
- Website hardening, including updated security keys
- Automatically disable unwarranted plugin installations
- Prevent file editing
- Alerts for suspicious logins
- CAPTCHA logins
- IP blocking
- Automatic implementation of other WordPress-recommended security recommendations
Unfortunately, Malcare doesn’t appear to offer blacklist removal from Google or other blacklisting sites, neither in its emergency malware removal service or its subscription-based website protection plans.
Finally, there’s a free scanning tool available from Malcare. You’ll need to install the Malcare plugin to your WordPress site in order to perform the scan.
Malcare offers three security packages, as well as a (rather pricey) emergency malware cleanup service.
- Emergency Malware Removal: $249
- Basic Subscription: $99/year
- Small Business: $259/year
- Developers: $599/year
- Custom: For more than 20 sites you can reqiest a custom quote
The service makes a rather bold promise: If it fails to remove your website malware, the company will refund you three times the amount you paid for removal.
Website malware removal score – 6.5 out of 9
Based on our criteria, Malcare receives 6.5 out of 9 for its website malware removal tool and service.
9. GoDaddy
GoDaddy became a household name in the early 2000s thanks to its rather scandalous TV advertisements. The company has since moved on and is one of the most-used website hosting companies in the world. It now offers other website services, including emergency malware removal.
Effective free malware scanner
Low-cost website protection and malware scanning
Well-respected and trusted service
High-quality WordPress plugin
No website blacklist removal
Expensive emergency malware removal service
Only works with WordPress
GoDaddy doesn’t offer many details about how its Express Malware Removal service works. The company promises its technicians will get started reviewing your site’s security and infection status within 30 minutes but doesn’t tell you how long full malware removal will take.
Beyond that, GoDaddy states the service comes with:
- Continued protection for one year
- A web application firewall (WAF)
- Removal of any other malware during your year-long subscription
- Google blacklist removal
- Malware scanning alerts
- Functionality with almost any CMS and custom-coded site
- 24/7 customer service
There’s no free scanning tool or free audit with GoDaddy. You’ll need to purchase the Express Malware Removal service in order to scan your website for malware and other threats if you opt for this service.
GoDaddy offers just one website malware removal option:
- Express Malware Removal: $299.99/year
The company will auto-renew this service for $299.99 per year, so we recommend canceling it before the year is up to avoid being charged.
We recommend canceling after your yearlong malware removal subscription because the company also offers a Website Security subscription plan for $5.59 per year. This service is advertised to stop hacks before they happen, but can be used to remove malware infections if they do occur. However, GoDaddy will only let you sign up to it prior to a website hack and not after.
As such, removing website hacks with GoDaddy can be very expensive if you’re acting after the fact, but if you pre-emptively sign-up to its subscription-based website security service and get a hack afterward, malware removal is inexpensive.
There are three subscription options under GoDaddy’s Website Security service:
- Essential: $5.99/year
- Deluxe: $15.99/year
- Ultimate: $23.99/year
Essential: Offers a 12-hour response time, Google blacklist monitoring and removal, and unlimited malware removal and hack repair.
Deluxe: Provides all of the above, plus WAF malware prevention, CDN performance accelerator, and DDoS mitigation.
Ultimate: Offers everything from Deluxe, but with a six-hour response time and website backup and restoration.
Based on our criteria, GoDaddy receives 6.5 out of 9 for its website malware removal service.
What to do if your website is infected with malware
To remove website malware and recover from a website hack, you’ll need to do the following:
Well-known service
Offers emergency malware removal
Provides blacklist removal
Works with most CMS and custom-coded sites
Multiple forms of support contacts
No dedicated CMS plugins
Expensive for emergency malware removal
No free site scanning options
Mixed reputation despite the well-known name
Below, we’ll lay out everything you need to understand about why your website may have been infected, how to scan a website for malware, and what you can do to prevent future website infections.
- Perform an official scan of your website to assess the problem
- Isolate where the issues are on your website
- Remove the malware using dedicated malware removal tools or services
- Perform backups of pages and files if necessary
- Improve website security to protect against further infections
- Alert your website’s users if the malware stole user data
- Alert your local authorities or the FTC if a data breach occurred that resulted in compromised consumer data
- Check to see if your website’s SEO rankings were negatively impacted
- If necessary, request to be removed from domain blacklists
How did my website get infected?
As of January 2021, Google detected around 600-800 malware-infected sites per week. Meanwhile, over 70 percent of websites contain critical vulnerabilities. For most websites, and especially smaller sites without hefty enterprise security budgets, it’s less an issue of “if” your website will get infected or hacked, but “when.”
There are several common ways a website can get infected:
- SEO spam malware (spamdexing)
- Defacement
- Website misconfiguration
- You or your web developer installed infected files onto the website (usually in the form of plugins or templates in your CMS, such as WordPress or Joomla!)
- The exploitation of vulnerable scripts on your site through the use of cross-site scripting (XSS) attacks
- Brute-force attacks from weak passwords
- FTP or HTTP interception
- Poor server security (often out of your control if you’re using managed services)
- Backdoors left from unscrupulous web developers
Multiple other threat vectors exist as well. However, regardless of how a website gets infected, contending with website malware can be a challenge. If even one page on your website gets infected or hacked, your Google page rankings could go crashing to the ground, significantly and negatively impacting your SEO ROI.
Google and other companies are also known to blacklist virus-infected websites, and a particularly bad infection can even cause Google to remove your website from its search results altogether.
How do I scan a hacked website?
There are three ways to scan a hacked website for malware:
- Use a free website malware scanning tool
- Install a plugin on your CMS to scan for backend malware
- Use a service that provides free or paid website malware scanning
From there, you’ll need to determine if there’s a problem that needs immediate resolution. If no scans find a problem, you’re likely not infected. However, note that free, external scans can be faulty, so if you’re still getting reports from website users about issues like popups and redirects, it’s best to pay for a more extensive internal scan.
How do I fix a hacked website?
Different tools and services exist to make the removal of malware from a website much simpler. Some tools can be installed directly onto your Content Management System (CMS) (such as WordPress or Joomla) if you’re using one. Others operate as server-site endpoint security.
Services that clear up these website malware infections for you may employ security professionals to fix the problem, and then set up a software solution to help prevent further infections. Others will rely solely on automated software to do the brunt of the work and only deploy security professionals in unique cases.
As Sucuri notes, website owners can do this themselves, but unless you’re a skilled programmer, you’re unlikely to know what to look for and may not know how to fix the problem if you do find something. A DIY approach can also be costly in terms of how much time you put into trying to fix it yourself.
We recommend you utilize a professional service to locate and remove malware from your website. Using a trusted managed service can help prevent any serious consequences related to deleting the wrong files, and missing important or critical security flaws and infections.
Common website security weaknesses
If you’ve recovered from a website hack, your next step is going to be to shore up your website’s weak spots. Here are a few areas to consider to help avoid getting additional website malware.
Password protection
Weak admin passwords make it easy for hackers to gain access to your backend. If you’re running WordPress, we highly recommend you install Jetpack if you haven’t already. This plugin will provide useful site stats, but will also help prevent malicious login attempts.
As well, make sure you use strong passwords. WordPress automatically creates strong passwords for new user accounts, but make sure any editors, writers, contributors or others who have password access to your WordPress site are also using strong passwords.
FTP and HTTP/HTTPS
When it comes to FTP and HTTP interception, avoid logging in to your site’s FTP over public wifi, and make sure any sites you visit or enter personal information into are using HTTPS instead of HTTP. Heed any warnings you might receive from Google or your personal antivirus software that warns of potentially malicious websites or links.
Additionally, if you haven’t done so, upgrade your site to use SSL encryption (HTTPS). Not only will this help your Google rankings, but SSL encryption helps prevent site hacking attempts.
Unfortunately, if you’re using managed services and not running your own web server for your website, you can’t do too much about poor server security. However, you may want to consider only using reputable web hosting companies. The same goes for web developers you contract with to work on your site. Not everyone is trustworthy, but you’ll want to make sure any developers or development companies you use have a good reputation and verified past work.
Infected plugins on WordPress or Joomla
If you’re operating and managing a website on your own or with a small team, your biggest concern will be cross-site scripting and infected plugins from your CMS.
Not all issues with your site will be because of viruses or other malware. In fact, if you suspect your site may be broken because of an infection or malware, there’s a good chance it’s actually broken because of an outdated plugin, or a conflict between two or more incompatible plugins. Nevertheless, malware-infected plugins do exist in abundance in many CMS environments, particularly in WordPress.
Ironically enough, there are numerous WordPress plugins out there designed to scan your other WordPress plugins for malware. We suspect many of these malware-scanning plugins carry viruses themselves. Simply put, don’t install an unvetted plugin designed to root out malware in other plugins. Only install verified, trusted, and updated plugins.
Script vulnerabilities
Scripts are often considered the backbone of the web and are part of what helps make websites interactive. They also allow different websites to interact with each other. However, that interactivity can also create vulnerabilities, particularly if the script itself is hijacked or designed with malicious intent.
A hijacked script can allow hackers to insert malicious code into one or multiple websites at the same time, so long as that vulnerability is known.
It’s quite possible that your site is running numerous scripts that give other sites partial access to your site and users. If those scripts are malicious or being used to serve malicious code to your website, you may not be able to do much about it until you figure out where the problem is and remove it.
Notably, even if your website is not hosting the malware, if the script is a known source of malicious attacks, Google may still tag your site as hosting malware and blacklist you.
Infected tags
Your website may also contain tags which are serving up malware without your knowledge. A website tag is typically a piece of Javascript code held within its own container and is usually there to gather and send data. Tags are useful for ranking in Google, but can also be used maliciously.
The containers that hold these tags get scanned by Google, and, according to the company, a tag that points to a malicious website won’t fire (the tag won’t do what it’s intended to do). That can have deleterious effects on your website’s page ranking on Google, as malicious tags can insert unwanted URL and URL redirects, popup ads, browser search bars or side-search bars, and can significantly slow down page loading speeds (another page ranking factor).
If you’re using Google Tag Manager, you’ll get an email about infected tags, but even if you aren’t, your site can get flagged for malware and you may not know it until either a user warns you about some of the aforementioned problems (such as strong popups), or you find malware popping up in website malware scans.
See also: 8 Common types of malware explained