If you get the dreaded notification from either your hosting company or worse still Google don’t panic. Often hacked sites can be cleaned quite quickly and you’re back online in no time.
The first thing to do is identify what the malicious code is. Your hosting company could assist with running some scans at their end (depending upon how good a host they are). Ask them if any other sites have been infected to see if that’s where your site was infected.
You could also run your site against an online security scanner such as Securi.
Once you know what the infection, you need to identify how to remove it. Often Google can supply the answer if it’s a commonly known infection.
Hopefully you’ve got a number of offsite backups of your website which you can rely on to go back to a version which doesn’t contain the virus / malicious code.
Ask your web developer to re-instate a copy of your backups to another server to ensure it doesn’t have the malicious code. Then have them re-instate your live site using this backup and monitor closely for risk of re-infection, particularly if your website is on shared hosting.
Once you’re back up and running you need to run through the potential causes of how your website was infected.
Was your site compromised by someone logging in and installing the virus? If so, change your passwords. Was an old plugin to blame? Keep the plugins updated, and keep an eye for ones that stop getting updated as this suggests they’ve been abandoned by the author.
Is the core version of WordPress up to date? Is your theme up to date?
Ask your web host how many other sites are sharing the same installation? Could it be worth moving to a slightly more expensive plan to minimise this risk in the future.