If your website has already been compromised, you need to run a scanner to remove the malware from your site and its database. If your site is a WordPress installation, you can use the free scanners from Wordfence or Ninja Firewall; both are very good.
Also, if your website has been compromised, you need to change the password and enable 2FA, where applicable, on your:
- OS (Windows/MacOS/Linux) used to access the website admin area
- email accounts (this is the most important, and most often neglected)
- hosting provider account, including cPanel if it uses a different password
- website admin account
- SFTP account (please stop using the non-secure FTP)
Also, do not forget to change the “salts” in your wp-config.php file, as even after a password change, a hacker can still access it for a couple of weeks if you do not change them. You can use a plugin like Salt Shaker if you are not comfortable editing wp-config.php.
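One way to do the salt change described above by script, as an added example that is not from the original page: it replaces the eight key and salt constants WordPress defines in wp-config.php with fresh random values and refuses to proceed if any of them is missing or duplicated. The function names, the character set and the sample config are assumptions constructed for illustration.

```python
import re
import secrets

# The eight constants WordPress uses to sign login cookies and nonces.
SALT_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Assumed character set: safe inside a single-quoted PHP string
# (no single quote, no backslash).
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_=+[]{}<>~|;:,.?/"
)

def new_secret(length=64):
    """Generate one random value from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new_text, rotated_names); raise if a constant is not found once."""
    rotated = []
    for name in SALT_NAMES:
        pattern = re.compile(
            r"""^[ \t]*define\(\s*(['"])%s\1\s*,\s*(['"]).*?\2\s*\);[^\n]*$""" % name,
            re.MULTILINE,
        )
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement stops re from interpreting the secret.
        config_text, count = pattern.subn(lambda m, l=line: l, config_text)
        if count != 1:
            raise ValueError("expected one define for %s, found %d" % (name, count))
        rotated.append(name)
    return config_text, rotated

# Constructed sample standing in for a real wp-config.php.
SAMPLE = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" + "".join(
    "define( '%s', 'old-%s-value' );\n" % (n, n.lower()) for n in SALT_NAMES
)

if __name__ == "__main__":
    updated, names = rotate_salts(SAMPLE)
    print(updated)
    print("rotated:", ", ".join(names))
```

Work on a backup copy of wp-config.php first; once the new values are in place, every logged-in user is signed out and has to log in again.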
You should also consider creating an Access Policy for the admin area of your website. It’s free for up to 5 users per month, $3 per user/month thereafter.