How to Clean a Hacked WordPress Site using Wordfence - Wordfence

How to clean your hacked WordPress site with Wordfence:
Now that you have some powerful tools in your arsenal and you’ve already done some basic cleaning, lets launch Wordfence and run a full scan to clean your site. This step is important because Wordfence does some very advanced searching for infections. For example:

We know what all WordPress core files, and open source themes and plugins should look like so we can tell if one of your source files are infected even if it’s a new infection that no one has ever seen before.
We search using complex regular expressions for infection signatures and our database of known infections is continually updated. You can’t do this with simple unix command line tools or CPanel.
We search for malware URLs using the Google Safe Browsing list.
We use many other data sources like SpamHaus to find malware and infections on your system.
How to clean your hacked site using Wordfence:

Upgrade your site to the newest version of WordPress.
Upgrade all your themes and plugins to their newest versions.
Change all passwords on the site, especially admin passwords.
Make another backup and store it separately to the backup we recommended you make above. Now you have an infected site but that site is running the newest version of everything. If you break anything while cleaning your site using Wordfence you can go back to this backup and you don’t have to retrace all the steps above.
Go to the Wordfence options page and make sure that under the “Scans to include” heading, absolutely everything is selected including the option to scan files outside your WordPress installation. If the scan takes too long or does not complete, you can deselect this last option and also disable “high sensitivity” scanning and “image file” scanning. Then try again.
When the results come up you may see a very long list of infected files. Take your time and slowly work through the list.
Examine any suspicious files and either edit those files by hand to clean them or delete the file. Remember that you can’t undo deletions. But as long as you took the backup we recommended above, you can always restore the file if you delete the wrong thing.
Look at any changed core, theme and plugin files. Use the option Wordfence provides to see what has changed between the original file and your file. If the changes look malicious, use the Wordfence option to repair the file.
Slowly work your way through the list until it is empty.
Run another scan and confirm your site is clean.
If you still need help, we offer a commercial site cleaning service. You can find out more by emailing with the subject “Paid site cleaning service”....

Read more here: How to Clean a Hacked WordPress Site using Wordfence - Wordfence.