One KEY thing to keep in mind BEFORE a hack:

Always have a backup.

BackWPup is a great (free) plugin that’s super-easy to use and setup automatic backups to Dropbox and other Cloud storage services. I use it on all my sites and highly recommend it (Multi-site compatible as well).

The following was originally posted by a Volunteer moderator on the WordPress.org forums, but they are great links worth keeping a copy of for later reference:

You need to start working your way through these resources:

• http://codex.wordpress.org/FAQ_My_site_was_hacked
• http://wordpress.org/support/topic/268083#post-1065779
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• Hardening WordPress
• http://sitecheck.sucuri.net/scanner/
• http://www.unmaskparasites.com/
• http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
• http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html