If you’ve been hacked, then sometimes you need to start over.
First inactive the plugins. This can be done by changing the name of the /plugins directory, or doing it in mysql.
delete the one record from this selection: SELECT * FROM wp_options WHERE option_name = ‘active_plugins’… it will be recreated when you go back into WordPress and active the plugins.
It is advisable to get a security plugin, like WordFence or iThemes Security “All In One WP Security & Firewall”.
Step 1: Replace WordPress files
Get the latest WordPress zip (or tar.gz) file.
Unpack the zip file that you downloaded.
Delete the old wp-includes and wp-admin directories on your web host (through your FTP or shell access).
Using FTP or your shell access, upload the new wp-includes and wp-admin directories to your web host, in place of the previously deleted directories.
Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content folder. Do NOT delete any files or folders in your existing wp-content directory (except for the one being overwritten by new files).
Upload all new loose files from the root directory of the new version to your existing wordpress root directory.
NOTE – you should replace all the old WordPress files with the new ones in the wp-includes and wp-admin directories and sub-directories, and in the root directory (such as index.php, wp-login.php and so on). Don’t worry – your wp-config.php will be safe.
Be careful when you come to copying the wp-content directory. You should make sure that you only copy the files from inside this directory, rather than replacing your entire wp-content directory. This is where your themes and plugins live, so you will want to keep them. If you have customized the default or classic themes without renaming them, make sure not to overwrite those files, otherwise you will lose your changes. (Though you might want to compare them for new features or fixes..)
Lastly you should take a look at the wp-config-sample.php file, to see if any new settings have been introduced that you might want to add to your own wp-config.php.
Step 1.5: Remove .maintenance file
If you’re upgrading manually after a failed auto-upgrade, delete the file .maintenance from your WordPress directory using FTP. This will remove the “failed update” nag message.
Step 2: Update your installation
Visit your main WordPress admin page at /wp-admin. You may be asked to login again. If a database upgrade is necessary at this point, WordPress will detect it and give you a link to a URL like http://example.com/wordpress/wp-admin/upgrade.php. Follow that link and follow the instructions. This will update your database to be compatible with the latest code. You should do this as soon as possible after step 1.
Don’t forget to reactivate plugins!