How to recover hacked WordPress website?

If your WordPress site’s been hacked, first change all passwords (admin, hosting, FTP, and database). Then, scan your site with a security plugin like Wordfence or Sucuri to detect malicious files.
Remove unfamiliar users or plugins, and restore a clean backup if available. Finally, update WordPress, themes, and plugins to the latest versions and enable a web application firewall (WAF) to prevent future attacks.