The following will give you a rough guide on how to go about repairing a hacked sites that's infested with compromised files and you have no clean backup. Note that it does make the rather large assumption that no malicious content is in the database, however it does cover changing all wp user logins.
To this end you will need to;
- Delete ALL content except for the following;
/httpdocs/wp-content/uploads/ BTW check these folders for anything that’s not an image, if you find any remove it as its going to be malicious content.
/wp-config.php
- Upload a clean copy of WordPress downloaded fresh from wordpress.org, it won’t contain or shouldn’t at any rate have a wp-config.php files so it will therefor keep the existing details for db and its content.
- Next login to worpdress, and create some NEW users for yourself and the client. These should have obscure usernames and strong passwords.
- Now delete the old users from within WordPress, when you do this WordPress will ask you to assign all their old content to one of the new users. This removes any possibility the old user creds are compromised/stolen.
- Next install your plugins and clean copy of the custom theme, do NOT reload the existing theme files, as its likely infested. Get a clean copy from the webdesigner or your archives.
Note: if you do choose to keep any existing content be sure you check it all carefully as if you miss one compromised file you will be back to square one with all your effort wasted.
- In the plesk panel on the right hand side you should see a link to WordPress, click this have it scan for sites, when it finds your repaired site. Have it do a security check, be sure you are getting green ticks for all but the last two checks (security of the wp-content and wp-includes folders) as many plugins aren’t 100% compatible with those measure yet, all the others above however should be applied easily without breaking the functionality of the site.
Once all that’s done, we can discuss tentatively re-activating the site again. Provided you keep the wordpress updates installed as they become available the site should be fairly secure from unwanted visitors.