Frequently Asked Questions

Website malware is malicious code that hackers inject into your website files or database. It can get there through outdated plugins or themes (the most common cause), weak passwords, vulnerable hosting, phishing your credentials, or via compromised third-party software. Once inside, malware can redirect visitors, steal data, display spam, mine cryptocurrency, or silently spread to other sites on the same server.

Common signs include: visitors being redirected to spam or gambling sites, Google showing a "This site may be hacked" warning, your hosting provider suspending your account, Google or antivirus blacklisting your site, unexpected admin users appearing, strange PHP files in your hosting, your website loading slowly or behaving oddly, and customers reporting suspicious pop-ups. You can also run our free scanner for a quick external check.

Yes — and this is why fast action is critical. Malware on your site can silently redirect visitors to dangerous pages, install viruses or spyware on their computers, show phishing pages that steal their login credentials, or display fraudulent content. Your reputation depends on keeping your visitors safe, and search engines actively punish sites that harm users.

It can sometimes be hard to tell, but here are reliable indicators of a hack versus a bug: a bug usually affects only one part of the site; malware often affects multiple pages or all visitors. A bug rarely causes Google warnings or hosting suspensions. If you see unfamiliar admin users, hidden files with encoded PHP, or pages you never created — that is almost certainly a hack. When in doubt, request a free quote and we will take a look.

Yes. We specialise in WordPress, OpenCart, and Joomla, but we handle any PHP-based website. This includes Magento, PrestaShop, Drupal, custom-built PHP sites, and others. If your site runs PHP and MySQL, we can clean it. For complex enterprise setups, contact us first and we will assess the scope.

Every order includes: a complete scan of all website files and database, removal of all malicious code and backdoors, restoration of core files from clean originals, database cleanup (injected links, redirects, encoded malware), security hardening (file permissions, config settings), removal from Google and major blacklists, a written cleanup report, and 7 days of follow-up support after cleanup.

The vast majority of sites are fully cleaned within 24 hours of order placement. For complex infections or heavily customised sites it may take up to 48 hours. We will always keep you updated by email. If your situation is time-critical (e.g. your eCommerce store is down), mention it in your order notes and we will prioritise your job.

You will receive an automated order confirmation immediately. Within 2 hours, one of our security engineers will email you with specific access instructions (usually FTP/SFTP credentials and hosting panel access). We then perform the cleanup, and once complete we send you a detailed report. The whole process is done while your site stays live — visitors are not affected during cleanup in most cases.

Yes. To clean files on your server we need FTP/SFTP access or cPanel/hosting panel access. We recommend creating a temporary FTP account with restricted access just for us, then changing it after cleanup. All our engineers sign a confidentiality agreement. We never store your credentials after the job is done. If you are uncomfortable sharing access, we can also provide a manual cleanup script you can run yourself, though the guided service is much more thorough.

In almost all cases, yes. We work directly on your files without taking your site offline. For very severe infections where critical files are corrupted, we may need to briefly take the site into maintenance mode (typically 15–30 minutes). We will always notify you before doing so.

We offer a 30-day re-infection guarantee. If malware returns within 30 days of our cleanup, we will clean it again free of charge, no questions asked. Reinfection usually happens if the original entry point (e.g. a vulnerable plugin) has not been fixed. Our post-cleanup report always includes specific recommendations to prevent this, and our 7-day support period is there to help you implement them.

Yes, hardening is included in every service. This includes setting correct file permissions, disabling file editing in WordPress, protecting sensitive config files, removing unused admin accounts, and recommending a security plugin. We also advise on updating plugins, themes, and CMS core files. For deeper hardening (WAF setup, 2FA, server-level rules), we can provide a separate security audit service.

Our standard prices are: WordPress — $49, OpenCart — $199, Joomla — $149, Custom / Other platform — $249. These are one-time flat fees — no subscription, no hidden charges. If your situation is complex (e.g. multiple infected sites, very large file systems, server-level infection), request a free quote and we will give you an accurate price upfront.

No. Every service is a one-time flat fee. You pay once, we clean your site. There is no monthly subscription, no retainer, and no surprise charges. We do offer optional ongoing security monitoring packages if you want ongoing protection, but these are entirely optional and separate from the cleanup.

We accept PayPal and all major credit/debit cards via Stripe (Visa, Mastercard, American Express, Discover). Payments are processed securely and never stored on our servers. Both payment options are available on the checkout page.

Absolutely. Card payments are handled by Stripe, one of the world's most trusted payment processors, and PayPal handles PayPal transactions. Neither we nor our servers ever see your full card number. All transactions are protected by SSL encryption.

If our team is genuinely unable to remove the malware from your site, we will issue a full refund. In practice, this is extremely rare — we have successfully cleaned thousands of sites. In the unlikely event of a complication we cannot resolve, we will communicate with you honestly before any refund decision is needed.

Yes. If you have more than one infected site, or you are an agency or developer managing multiple client sites, please contact us directly. We offer bulk pricing for multiple simultaneous cleanups and agency partnership rates for ongoing work.

WordPress powers over 40% of all websites on the internet, which makes it an attractive target for automated attacks. Most WordPress hacks do not target you personally — they use bots that scan millions of sites looking for outdated plugins, vulnerable themes, or weak passwords. A single unpatched plugin can expose thousands of sites simultaneously.

Yes — this is one of the most common forms of WordPress malware, called a redirect hack. Malicious code is injected into your .htaccess file, theme files, or WordPress core files that silently redirects visitors (often only mobile users, or only visitors arriving from Google) to spam, gambling, or phishing sites. This needs to be cleaned immediately as it harms your SEO ranking and visitor trust.

First, do not panic — this is fixable. You need to: (1) clean the malware from your site, (2) request a Google review to remove the "Dangerous Site" warning. We handle step 1 as part of our service, and we include guidance for submitting the Google Search Console review request in your cleanup report. Once Google confirms the site is clean, the warning is removed — usually within 1–3 days of the review submission.

You can, but backups have risks. Most hacks go undetected for weeks, so your backup may already contain the malware or the backdoor that allowed the hack. Restoring a compromised backup will often result in reinfection within hours. A professional cleanup removes both the malware and the entry point, and hardens the site to prevent the same attack from succeeding again.

A backdoor is a hidden piece of code that allows a hacker to re-enter your site even after you change passwords or install a security plugin. Backdoors are often disguised as legitimate WordPress files or hidden in image folders. Finding and removing ALL backdoors is the most critical part of any cleanup — simply deleting visible malware without finding backdoors will result in reinfection within days.

Potentially yes, and this is very serious. OpenCart stores are frequently targeted with credit card skimmers — JavaScript code that silently captures card details as customers check out and sends them to the hacker. If your store has been hacked, you should notify your payment processor immediately, review recent transactions for fraud, and consider notifying affected customers. Our OpenCart cleanup specifically targets and removes skimmers and all associated malicious code.

A Magecart or credit card skimmer is malicious JavaScript injected into your checkout page. It silently copies payment card data (card number, expiry, CVV) as customers type it in and sends it to the hacker's server. It is completely invisible to customers and does not affect the transaction — making it very hard to detect without a technical scan. These attacks have affected major retailers worldwide and are a serious legal and compliance issue for online stores.

Usually no. We clean files while the store is live. In cases where skimmer code is embedded in active checkout scripts, we may recommend a brief maintenance window (10–20 minutes) to replace affected files safely. We always coordinate the timing with you to minimise disruption.

Yes — our scanner performs real external checks on your URL. It queries the Google Safe Browsing API, which is the same database Chrome, Firefox, and Safari use to block dangerous sites. It also runs URL-level analysis checks for suspicious patterns. However, it is an external scan — it cannot access your server files directly. Think of it like checking if your site is flagged on known blacklists, rather than inspecting the code inside your server.

This is very common. Many malware infections are not yet in Google's database, especially new or targeted attacks. The free scanner checks external blacklists only — it cannot see hidden files, backdoors, obfuscated PHP, or database-injected malware. A "clean" result on the scanner does not mean your site is definitely clean. If you suspect a hack, request a manual inspection from our team — we will look at the actual server files.

No. Our free scanner makes no requests to your web server at all. It queries Google's Safe Browsing API and performs local URL analysis — both happen entirely on our side. Your server receives zero traffic from the scan. This is completely different from a deep server-side scan (which does access your files) but the deep scan only happens when you place an order, and even then it is done efficiently via FTP/SFTP, not by generating web traffic.

Google Safe Browsing is a service maintained by Google that maintains a constantly updated list of URLs known to host malware, phishing content, or unwanted software. It is built into Chrome, Firefox, and Safari — when you see a red warning page saying "Deceptive site ahead", that comes from Safe Browsing. If your site is listed there, it will be blocked for hundreds of millions of users. Our scanner checks this database directly via the official API.

You can scan any public URL. Some website owners use our scanner to check competitor or client sites, or to verify that a site they are about to visit is safe. However, the scanner is intended as a tool to help website owners check their own properties. Please do not use it to harass or probe sites you do not own or have permission to check.

The most important steps are: (1) Keep everything updated — WordPress core, plugins, themes, and PHP version. (2) Use strong, unique passwords for all accounts and enable two-factor authentication. (3) Delete unused plugins and themes. (4) Install a reputable security plugin (Wordfence, Sucuri, or similar). (5) Enable a Web Application Firewall (WAF). (6) Take regular automated backups stored off-site. (7) Limit login attempts. (8) Use a reputable, security-focused hosting provider. Our post-cleanup report includes specific recommendations tailored to your site.

Yes — always. Change your WordPress/CMS admin password, FTP/SFTP password, hosting control panel password, database password (and update wp-config.php or your config file to match), and any email accounts associated with the site. If you reuse passwords on other sites, change those too. Also revoke any active sessions and API keys that may have been compromised.

If your site collected any user data (especially payment data, emails, or passwords), and you have reason to believe it was accessed by the attacker, yes — you may have a legal obligation to notify affected users, depending on your country's data protection laws (GDPR in Europe, CCPA in California, etc.). Consult a legal advisor if you are unsure. For eCommerce sites with suspected card skimmers, contacting your payment processor immediately is essential.

For active websites that are updated regularly (new posts, orders, content), daily automated backups are recommended. For more static sites, weekly may be sufficient. Always store backups in at least two locations — one on your hosting and one external (e.g. Dropbox, Google Drive, a separate server). Test your backups occasionally by actually restoring a copy in a staging environment to make sure they work.

We recommend Wordfence (excellent free tier with firewall and scanner), Sucuri Security (great for post-hack hardening and CDN-based WAF), or Solid Security (iThemes) for beginners. The most important thing is to actually configure the plugin after installing it — many people install security plugins and leave them on default settings, which provides limited protection. Our cleanup report includes plugin setup recommendations.

Usually not, unless the hack resulted from a vulnerability in the hosting infrastructure itself (rare with reputable providers). In most cases, the vulnerability is in your website code — outdated plugins, weak passwords, or misconfigured files. That said, some shared hosting environments do allow cross-site contamination where one infected site spreads to others on the same server. If you are on shared hosting and repeatedly getting reinfected, consider moving to a managed VPS like Cloudways.

FixMalware is a team of certified web security professionals with specialisations in PHP security, CMS hardening, and malware analysis. Our engineers have experience cleaning thousands of sites across all major platforms. We do not outsource your job — every cleanup is handled directly by our in-house security team.

We understand this is a major concern. Here is how we protect you: we only request the minimum access needed (typically FTP/SFTP to specific directories), we recommend you create a temporary account just for us, all communications are over encrypted channels, we never retain credentials after job completion, and we have a clear privacy policy. You can also review what we do step by step before providing access. Our track record of thousands of successful cleanups and our published refund policy reflect our commitment to trustworthy service.

Yes — we offer a 100% malware removal guarantee. We will remove all malware from your site. If we cannot (which is extremely rare), you receive a full refund. We also offer a 30-day re-infection guarantee: if malware returns within 30 days of our cleanup and it is a result of the same original vulnerability, we clean it again for free.

You will receive a confirmation email immediately after ordering with a link to your order tracking page. You can also visit Track Order at any time and enter your order number and email address. We send automatic emails whenever your order status changes, so you are always in the loop.

You can reach our team via the contact form, by emailing us at [email protected], or by clicking the chat bubble in the bottom-right corner of any page to start a live chat. We respond to all enquiries within 24 hours, and typically reply on live chat within 5 minutes during business hours.

Yes. Click the chat bubble in the bottom-right corner of any FixMalware page to talk to our team in real time. Typical response time is under 5 minutes during business hours. Outside business hours, leave your message and email in the chat and you will receive a reply by email to the address you provide. For urgent infections, live chat is the fastest way to reach us.