The following will give you a rough guide on how to go about repairing a hacked site that's infested with compromised files and you have no clean backup. Note: It does make the rather large assumption that no malicious content is in the database, however it does cover changing all wp user logins.
You will need to...
- Delete ALL content except for the following...
/httpdocs/wp-content/uploads/ BTW check these folders for anything that’s not an image, if you find any remove it as it's going to be malicious content.
/wp-config.php - Upload a clean copy of WordPress downloaded fresh from wordpress.org. It won’t contain or shouldn’t at any rate have a wp-config.php files so it will therefore keep the existing details for db and its content.
- Next, login to worpdress and create some NEW users for yourself and the client. These should have obscure usernames and strong passwords.
- Now delete the old users from within WordPress, when you do this WordPress will ask you to assign all their old content to one of the new users. This removes any possibility the old user creds are compromised/stolen.
- Next, install your plugins and a clean copy of the custom theme. Do NOT reload the existing theme files, as it's most likely infested. Get a clean copy from the webdesigner or your archives.
Note: if you do choose to keep any existing content, be sure you check it all carefully. If you miss one compromised file, you will be back to square one with all your effort wasted. - In the plesk panel on the right hand side you should see a link to WordPress, click this, have it scan for sites. When it finds your repaired site, have it do a security check and be sure you are getting green ticks for all but the last two checks (security of the wp-content and wp-includes folders)
Once that’s done, we can discuss tentatively re-activating the site again. Provided you keep the wordpress updates installed as they become available, the site should be fairly secure from unwanted visitors.