If your WordPress site is seriously compromised, what is the best course of action to return your site to good health?
Hire a third-party service to clean up your site because it is difficult for someone who is not a WordPress security expert to find and remove all traces of an attack.
Determine the date of the attack and restore your site to a backup point prior to that date.
Change your hosting password, your WordPress admin password, and your database password.
Manually delete suspicious files on the server and delete any database tables that are not core WordPress.