Clean-up of one hacked site : a view from the trenches

I've just had the annoying task of cleaning up a WP site after it had been hacked. To aid others I thought I would share a brief description.

Disclaimer : This is not the way to go, but just a way I followed.

Setup : WP 3.3.2. The site had been live, but not updated since March 2012.
Perpetrator : Haxorsistz
Morale : Do remember to update both WP and plugins regularly

The site was defaced on all pages with a death note for the admin (it's a kindergarten site, so that was really inappropriate). This included the admin login page, so the site was inaccessible.

Here's what I did to recover the site:
- Access site by FTP and PHPAdmin
- Backup to separate location
- Check the errorlog
- Search the server for recently changed files
- Update WP (I did it through a one-click installer in cPanel)
- Upload a clean twentyeleven theme
- Sift through the _options table in the database.
- Deface code was in fields blogname and widget_text
- Set new password for DB and change wp-config accordingly
- Set new salt in wp-config according to inline instructions in that file
- Reset the encoding, it had been changed to UTF-7

Resources :
http://codex.wordpress.org/FAQ_My_site_was_hacked
A WP Support thread

Cheers