Quick answer: Recover a hacked WordPress site by taking it offline, restoring a clean backup if you have one, updating core, themes, and all plugins, removing unknown code and files, resetting every password and the security salts, then hardening with 2FA, a firewall, and automatic updates so it does not recur.
A hacked WordPress site needs two things in the right order: clean it, then harden it so it does not happen again. Skipping the hardening step is why many sites get reinfected within days. Here is a practical recovery path.
Put the site into maintenance mode so visitors are not served malicious content, then take a full backup of files and database as they are. You need this snapshot to investigate, even though it contains the infection.
The fastest reliable recovery is restoring a backup from before the compromise, then immediately applying the hardening steps below. If you have no clean backup, continue with manual cleaning.
Update WordPress core, all themes, and all plugins to current versions - outdated software is the usual entry point. Delete any plugin or theme you do not recognize or use. Look for recently modified PHP files and for suspicious files in wp-content/uploads (which should never contain PHP). A malware scanner plugin helps locate injected code.
Change every password: WordPress admin users, database, hosting control panel, and FTP/SSH. Remove any admin account you did not create. Rotate WordPress security keys by generating fresh values for the salts in wp-config.php, which forces all sessions to log out.
Keep automatic updates on, enforce strong passwords with two-factor authentication for admins, limit login attempts, and remove file-editing in the dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php. A web application firewall in front of the site blocks the majority of automated attacks.
If search engines or browsers flagged the site, request a review once it is verified clean so the warnings are removed.
Should I clean or restore?
Restoring a known-clean backup then hardening is fastest and most reliable; clean manually only if no clean backup exists.
How do I stop reinfection?
Update everything, reset all credentials, and add a web application firewall, 2FA, and login-attempt limits.
Our managed WordPress hosting includes preemptive security with a web application firewall and anti-malware scanning, plus regular backups, so most infections are blocked outright and clean restore points are always available.