If you have a website that’s been infected with Malware, the first thing to do is make sure there are no other websites that are on the same system user – if there are, move them to their own system user immediately.
Second, we recommend you completely disable your site and access it via a local host redirect while you clean it up. Taking it offline will ensure you don’t suffer any SEO penalties, and will keep your business and website visitors safe.
Here’s how to set up a local hosts redirect:
How can I edit my local hosts file to redirect URLs?
Next, make sure your computer’s antivirus/security software is up to date and then move the site/s to a local environment completely offline, and scan them there using a variety of scanners – including your antivirus, and any security plugins you can access – MalCare and Sucuri are excellent WordPress plugins for helping to scan and clean up malware.
Once your positive the website is clean, then move the site from local to its new server.