Welcome to the Q&A Forum

I'm afraid there's no easy answer. The security side is beyond the scope of Q&A (it's just too dependent on your platform/host/etc.), but locking that down is definitely the biggest and first step. Obviously, though, you can't stop third-party sites from getting hacked. Disavow can be done at the domain level. There are some oddities, like Wordpress.com (where sub-domains act more like stand-alone domains), but for most sites, if most links are malicious, lock down the entire incoming domain. Make sure your core links are clean. If you have a solid base of links, and you're not dealing with a lot of quality issues, it's tough for these kinds of hacked links to cause as much harm. Google knows this happens. Unfortunately, if your core link profile is a mess or week, then it's a lot easier to take damage. So, this is a battle on two fronts - stop the attack and, at the same time, clean up your core link profile and strengthen it as best you can. There are a lot of link removal tools now, but honestly, they're a starting point. You need to dig in and evaluate what they give you, so that you're not taking out links that are potentially good. Right now, this is a labor-intensive process, I'm afraid.

Hey guys, thanks for the responses. Appreciate it. I shall instruct my developer to put it in a JS file instead of having it on the