Can websites be hacked?1) Cloudflare is awesome , not just from a security point of view but also for performance .
2) The best safeguard against sql injection is to use prepared statements : Prepared statements and stored procedures
3) If the SQL injection happened , the hacker would have either messed with your tables/database (dropped tables/db or flood it with junk values) or if it contains sensitive data they might have just copied it . If you stored passwords in the db , change how you hashed them and salt the passwords. Also , you might want to consider changing all the passwords and mailing the users new ones. This would cause discomfort but would save from unauthorized use by the hacker.
4) I believe there are a number of open source security checkers out there .Each one with different levels of complexity and magnitude . However , almost all are known to raise false alarms .
5) PHP globals are variables that are defined outside of any function, has a global scope.Global variables can be accessed from any part of the script, EXCEPT from within a function. They tend to pose a security risk . Ideally you should turn them off , How can I disable PHP global variables?
6) Keep all files off limits with 660 except the ones where your server needs to write during runtime (these might be external libraries,image folders etc.)
Also , mention what kind of websites are these ? Static content based catalogue websites or dynamic websites with a little to a lot of functionality ? I might be able to suggest more measures.