WordPress is one of the most common CMS / blogging platforms available today. It’s free, robust, and easy to use. This makes it a big target for hackers. They setup automated scripts to try and hack you either through WordPress itself, brute force attempts, plugin vulnerabilities, or other means. You can harden your website using techniques and special plugins to help reduce the risk. However, what if you have already been hacked? Well, one of the best plugins I have encountered for doing a security audit to a hacked WordPress website is Anti-Malware (Get Off Malicious Scripts).
It scans all files for known threats using its own virus/security definitions database, which are updatable through the plugin itself. It also searches for suspicious looking code (which commonly use PHP’s EVAL function or base64_encode / base64_decode). This plugin will scan JS files, PHP files (plugins, themes, etc), and more. If known malware is found, then you can use the plugin to quarantine them or you can login through your FTP and deal with them yourself.
Hope it helps!