STEP 1: DON'T PANIC!
Don't panic. Don’t erase anything, don’t restore from backup, don’t do anything until you do and understand what follows next. Anything you do at this point may destroy vital information. Take the site down, immediately. Most admin panel of Web Hosting offer the possibility to take the site offline. This prevents showing spam to the world, then Google is sure to notice. If you’re down for a time, then Google can understand that.
STEP 2: BACK UP YOUR SITE
Use FTP or a backup plugin to download a copy of your entire website. The reason you need to do this is because many hosting providers will immediately delete your entire site if they detect this. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site comfortable.
STEP 3: CLEAN YOUR HACKED SITE
Here are the guides of the road when cleaning your site:
1) If there is anything like the following in your file, you have definitely been hacked, and you MUST remove it ASAP:
2) Make always a copy of any uploaded files, such as images. It is usually a good idea to grab a copy of all the images in your uploads folder so as to avoid broken images in posts later.
3) Secure your wp-config.php file and edit your wp-config.php to change the password.
4) You can usually delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. The reason is because these are plugin files that you can reinstall and WordPress will automatically detect if you’ve deleted a plugin and will disable it.
5) You can delete all theme in the wp-content/themes directory. Make sure that you have and can download a new copy of your theme from the original source.
6) You can delete the wp-admin and wp-includes directories and the other WordPress files.
7) Now install a new fresh copy of WordPress and then your theme and plugins.
STEP 4: CHANGE PASSWORD
Change all passwords (FTP, Database and WordPress Logins) on the site, especially admin/root passwords.
STEP 5: PREVENTION
Congratulations if you have managed to clean your site. Then you need to take steps to prevent it from happening again. Here’s how:
1) Install some security plugins (like Wordfence) and run regular scans on your WordPress site.
2) Make sure WordPress and all plugins and themes are kept up to date. This is the most important thing you can do to secure your site.
3) Make sure you use strong passwords that are hard to guess.