Identify how and when the site was hacked:
- Check whether any third-party plugins or themes are out of date, and whether vulnerabilities have been reported for the installed versions.
- Search plugin vulnerabilities on wordfence.com.
- Check for modified core files and look up suspicious filenames or code. Compare the install against a fresh download of the exact same WordPress version, or run wp core verify-checksums with WP-CLI, so that both modified and added files show up. (You can use Sucuri to find new or modified files in core. Wordfence was not as good for this: it did not find a test PHP file I placed in core.)
- Run a database scan. (GOTMLS, https://wordpress.org/plugins/gotmls/, has a "database injections" option.)
- Look at logs: the web server access logs around the hack date, the mail logs for suspicious outgoing email, and the Wordfence logs if the plugin hasn't been removed.
- Check whether the site is on Google's blocklist (Safe Browsing).
- Log everyone out by regenerating the authentication keys and salts in wp-config.php; existing login cookies stop validating.
- Reset administrator passwords.
- Remove suspicious users (unknown admins, odd usernames created after the hack date, and so on).
- Update hosting credentials (control panel, FTP/SFTP, SSH).
- Update database credentials and put the new ones in wp-config.php.
Clean the existing install:
- Core: delete unknown files in wp-admin and wp-includes, and restore modified files from a fresh copy of the same WordPress version.
- Third-party themes and plugins: update all of them, then compare each against a reference copy downloaded from its official source.
- Database: scan entries and look especially closely at entries from after the hack date.
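Added example (not from these notes) for the core-file comparison mentioned above: the script diffs an install against the per-file MD5 manifest WordPress.org publishes for every release and reports modified, missing and unknown core files. It assumes the format served by api.wordpress.org/core/checksums/1.0/ ({"checksums": {"path": "md5"}}), and for the demo it builds a throwaway four-file "install" in a temporary directory with constructed content instead of touching a real site. To run it for real, call verify_core with the site root and the manifest returned by fetch_checksums for the installed version.

```python
"""Core file integrity check: compare an install against official checksums.

Added example, not from the original notes. Assumes the manifest format of
https://api.wordpress.org/core/checksums/1.0/?version=X&locale=en_US
({"checksums": {"relative/path.php": "md5hex", ...}}). The demo below uses
a constructed manifest and a throwaway install in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
import urllib.parse
import urllib.request

# Directories that contain only core files: anything here that is not in the
# manifest has no business existing.
CORE_DIRS = ("wp-admin", "wp-includes")


def fetch_checksums(version, locale="en_US"):
    """Download the official per-file MD5 manifest for one release (needs network)."""
    qs = urllib.parse.urlencode({"version": version, "locale": locale})
    url = "https://api.wordpress.org/core/checksums/1.0/?" + qs
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["checksums"]


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """Return {'modified': [...], 'missing': [...], 'unknown': [...]} of relative paths.

    wp-content/ entries in the manifest (bundled themes/plugins) are skipped:
    that directory holds site content and is checked separately.
    """
    modified, missing, unknown = [], [], []
    for rel, expected in checksums.items():
        if rel.startswith("wp-content/"):
            continue
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != expected:
            modified.append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unknown.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unknown": sorted(unknown)}


def build_demo_site():
    """Constructed data: a four-file 'release' and a copy of it that was tampered with."""
    release = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-admin/about.php": b"<?php // about page\n",
        "wp-admin/admin.php": b"<?php // admin bootstrap\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.5';\n",
    }
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in release.items()}
    on_disk = dict(release)
    on_disk["wp-includes/version.php"] += b"<?php /* injected */\n"   # modified core file
    on_disk["wp-includes/wp-tmp.php"] = b"<?php /* dropped file */\n"  # unknown file (constructed name)
    del on_disk["wp-admin/about.php"]                                   # missing file
    root = tempfile.mkdtemp(prefix="wpcheck-")
    for rel, data in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, checksums


def run_demo():
    root, checksums = build_demo_site()
    return verify_core(root, checksums)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Anything listed under "unknown" in wp-admin or wp-includes is a candidate dropper and should be pulled for inspection before it is deleted; "modified" files get overwritten from the reference copy once you have saved a sample of the injected code for the log search.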
Download a fresh WordPress install.
Go through the third-party plugins and themes. For each, check:
- Is it actually being used?
- When did the last update come out?
- How many active users does it have?
Assess each plugin's safety from those answers and reinstall only the ones that pass, each from a fresh download compared against the reference rather than copied over from the hacked site.
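Added example (not from these notes) that turns the three questions above into a triage script: it reads which plugins are actually active from the PHP-serialized active_plugins option, then flags plugins that are installed but inactive, not updated within a year, below an install-count threshold, or absent from wordpress.org altogether. The field names "last_updated" (formatted like "2024-02-20 3:05pm GMT") and "active_installs" follow the wordpress.org plugin info API; the slugs, dates and install counts in the demo are constructed, not real plugins.

```python
"""Triage installed plugins: in use? maintained? widely used?

Added example, not from the original notes. It assumes the JSON shape of the
wordpress.org plugin info API (fields "slug", "last_updated" formatted like
"2024-02-20 3:05pm GMT", and "active_installs"); the demo feeds it
constructed records instead of calling the API so it runs offline.
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def fetch_plugin_info(slug):
    """Live lookup (needs network): plugin_information for one wordpress.org slug."""
    qs = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    url = "https://api.wordpress.org/plugins/info/1.2/?" + qs
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def active_plugin_slugs(active_plugins_option):
    """Plugin directories listed in the PHP-serialized wp_options.active_plugins value."""
    files = re.findall(r's:\d+:"([^"]+\.php)"', active_plugins_option)
    return {f.split("/")[0] for f in files}


def parse_last_updated(value):
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def assess(installed, active_slugs, infos, today, max_age_days=365, min_installs=10000):
    """{slug: [reasons]} for every plugin that should not go straight back in."""
    verdicts = {}
    for slug in installed:
        reasons = []
        if slug not in active_slugs:
            reasons.append("installed but not active: remove")
        info = infos.get(slug)
        if info is None:
            reasons.append("not on wordpress.org: verify source manually")
        else:
            age = (today - parse_last_updated(info["last_updated"])).days
            if age > max_age_days:
                reasons.append(f"last update {age} days ago")
            installs = info.get("active_installs", 0)
            if installs < min_installs:
                reasons.append(f"only {installs} active installs")
        if reasons:
            verdicts[slug] = reasons
    return verdicts


# Constructed demo data (slugs and figures are invented, not real plugins).
DEMO_INSTALLED = ["example-seo", "example-forms", "example-slider", "client-custom-widget"]
DEMO_ACTIVE_OPTION = (
    'a:3:{i:0;s:27:"example-seo/example-seo.php";'
    'i:1;s:33:"example-slider/example-slider.php";'
    'i:2;s:31:"client-custom-widget/widget.php";}'
)
DEMO_INFOS = {
    "example-seo": {"slug": "example-seo", "last_updated": "2024-05-01 10:15am GMT", "active_installs": 5000000},
    "example-forms": {"slug": "example-forms", "last_updated": "2024-04-12 6:40pm GMT", "active_installs": 2000000},
    "example-slider": {"slug": "example-slider", "last_updated": "2021-01-03 9:00am GMT", "active_installs": 800},
}
DEMO_TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)


def run_demo():
    return assess(DEMO_INSTALLED, active_plugin_slugs(DEMO_ACTIVE_OPTION), DEMO_INFOS, DEMO_TODAY)


if __name__ == "__main__":
    for slug, reasons in run_demo().items():
        print(slug, "->", "; ".join(reasons))
```

For a real site, build the installed list from the wp-content/plugins directory and the infos dict from fetch_plugin_info per slug; a plugin that the API does not know (custom or premium code) is not automatically bad, but it is the one you have to diff by hand against whatever the vendor shipped.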
- Identify the tables you want to migrate and scan them for malware patterns.
- Remove any suspicious or spam data.
- Migrate the cleaned tables to the new install.
- Identify how suspicious data ended up there and take steps to prevent it happening in the future.
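Added example (not from these notes) for the database scan in the steps above and in the earlier "scan entries after the hack date" check: the queries are the LIKE-based ones you would run against the site's MySQL database, run here against an in-memory SQLite copy of wp_posts, wp_options and wp_users filled with constructed rows. It flags content matching common injection substrings, every post modified after the hack date, option settings attackers like to flip (open registration, administrator as the default role, a changed siteurl/home), and every account registered after the hack date. The hack date, expected home URL and pattern list are assumptions to tune per site.

```python
"""Scan WordPress tables for injected content and post-compromise changes.

Added example, not from the original notes. The queries are the LIKE-based
ones you would run against the site's MySQL database; here they run against
an in-memory SQLite copy of wp_posts, wp_options and wp_users filled with
constructed rows so the script works offline. Stock table prefix wp_ assumed.
"""
import sqlite3

HACK_DATE = "2024-03-01 00:00:00"          # constructed: earliest evidence of compromise
EXPECTED_HOME = "https://example.com"      # constructed: the site's real URL

# Substrings that rarely belong in legitimate content. Starting list; extend it
# with whatever the file scan turned up (injected domains, obfuscation helpers).
INJECTION_PATTERNS = [
    "<script", "<iframe", "eval(", "base64_decode(", "gzinflate(",
    "fromCharCode(", "document.write(",
]


def _like_clause(column):
    """Build 'col LIKE ? OR col LIKE ? ...' plus its parameter list."""
    clause = " OR ".join(f"{column} LIKE ?" for _ in INJECTION_PATTERNS)
    return clause, [f"%{p}%" for p in INJECTION_PATTERNS]


def scan_posts(conn, hack_date):
    """(ID, title, reason) for posts matching a pattern or touched after hack_date."""
    findings = []
    clause, params = _like_clause("post_content")
    for post_id, title in conn.execute(
            f"SELECT ID, post_title FROM wp_posts WHERE {clause}", params):
        findings.append((post_id, title, "injection pattern"))
    for post_id, title in conn.execute(
            "SELECT ID, post_title FROM wp_posts WHERE post_modified >= ?", (hack_date,)):
        findings.append((post_id, title, "modified after hack date"))
    return findings


def scan_options(conn, expected_home):
    """(option_name, reason) for injected option values and settings attackers flip."""
    findings = []
    clause, params = _like_clause("option_value")
    for (name,) in conn.execute(
            f"SELECT option_name FROM wp_options WHERE {clause}", params):
        findings.append((name, "injection pattern"))
    opts = dict(conn.execute(
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN "
        "('siteurl', 'home', 'users_can_register', 'default_role')"))
    for key in ("siteurl", "home"):
        if opts.get(key) != expected_home:
            findings.append((key, f"unexpected value {opts.get(key)!r}"))
    if opts.get("users_can_register") == "1":
        findings.append(("users_can_register", "open registration enabled"))
    if opts.get("default_role") == "administrator":
        findings.append(("default_role", "new users become administrators"))
    return findings


def new_users(conn, hack_date):
    """Accounts registered on or after hack_date: review every one of them."""
    return list(conn.execute(
        "SELECT ID, user_login, user_email FROM wp_users "
        "WHERE user_registered >= ? ORDER BY ID", (hack_date,)))


def build_demo_db():
    """Constructed rows: one injected post, one rogue account, two flipped settings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT, post_modified TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "Welcome", "<p>Hello world</p>", "2024-01-10 09:00:00"),
        (2, "Pricing", "<p>Plans</p><script src='//cdn.bad.example/x.js'></script>", "2024-03-02 03:14:00"),
        (3, "Contact", "<p>Email us</p>", "2024-03-05 11:00:00"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://example.com"),
        ("home", "https://example.com"),
        ("users_can_register", "1"),
        ("default_role", "administrator"),
        # real widget/option data is PHP-serialized; substring matching still works
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:35:"<script>eval(atob("aGk="))</script>";}}'),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "editor", "editor@example.com", "2023-06-01 08:00:00"),
        (2, "wp_sup0rt", "x@mail.example", "2024-03-02 03:20:00"),
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for row in scan_posts(db, HACK_DATE) + scan_options(db, EXPECTED_HOME):
        print(row)
    print("users registered after hack date:", new_users(db, HACK_DATE))
```

"<script" will also hit legitimate posts that embed analytics or video snippets, so treat pattern hits as a review list rather than a delete list; the "modified after hack date" and "registered after hack date" rows are the ones worth reading one by one, since the attacker's edits and accounts almost always land in that window.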
Set up regular backups with the hosting service.
Set plugins to auto-update where possible.
Configure a firewall, a core file scan and a database scan. There are a bunch of plugins that do this, but none of them do all three for free. Here are the ones I use: