My first step is but it helped me. I had a good old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And then I did before I started my website, what I should have done. And here is where I would like you to start. Learn how to protect yourself before you get hacked. The beautiful thing about repair hacked wordpress site and why so many of us recommend it is because it is easy to learn. Unfortunately, that can be a detriment to the health of our sites. We need to learn how to add a safety fence around our website.
Protect your login credentials - Do not keep your login credentials where they might be found by a hacker. Store them off, and even offline. Roboform is for protecting them very good . Food for thought!
Recently, an unknown hacker murdered the site of Reuters and posted a news article that was fake. Since Reuters is a popular news site, their reputation is destroyed because of official statement what the hacker did. In the event you don't pay attention on the safety of your WordPress 20, the same thing may happen to you.
Black and phrases that were whitelists based on which area they appear within. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
However, I recommend that you install the Login LockDown plugin instead of any.htaccess controls. Login requests will stop from being allowed after three unsuccessful login attempts from a certain IP address for an hour. You may still access your panel whilst and yet you have protection against hackers, if you do that.