My websites got hacked

You do not say if you have any security programs in place with your Wordpress installations.

Install WordFence Security on each of them and run a scan. This YouTube video will guide you on the best settings:

AnniePot is right, you need a good security plugin.
It's not a magical solution, but absolutely needed.

No plugin will clean up the mess though, it's more of an after the fact solution to tighten security.
You said you have a backup, are you 100% positive it's a clean backup?
You'll want to do a clean re-install, check your theme files, and restore your database. (If your sure it's clean).

Put security protocols in place like the security plugin. I prefer iThemes Security, but their both good plugins.
The security plugin should also help you set the right permissions on folders and files as well as tighten security throughout the site for various small settings and tweaks.

Of course if your not sure your database or files are clean, adding security after the fact will be messy.
Scans can catch many things, but not everything.
You should review the log files (Almost every host has them) and it may help determine an entry point or exploit.
XSS is super common, that's why it's important everything is kept updated. You wouldn't want the exploited area to still exist in the re-install.
Security holes are being discovered and corrected all the time so updating is essential. (WP, plugins, themes)

You mentioned your HostGator account got hacked. Was it actually the account or the website...
If it's actually your HG account, that's a little different. It doesn't dismiss anything that's been said, but someone getting into your actual account is certainly a high priority concern... Really tighten those passwords.
If you can remember a password... it's not a good password. Use random, mixed, and long. No rhythm, rhyme or readability.
That's just my personal preference on passwords


Here's a really quick procedure overview/list:

1. Remove all the content from the root folder for your install. You could put up a maintenance page temporarily. (Make sure you have backups)
(Helps ensure all hacked/malicious assets have been removed)

2. Examine the log files to help determine how/when the site was compromised.

3. Analyze your database for exploits.
(This will require knowledge, so a professional could be useful here)

3. Download a fresh copy of WordPress. Download a fresh copy of all plugins including your premium ones. Change your wp-config.php salts.
(We need to make sure all the hard assets are clean)

4. Re-install WordPress. No need to go through all the settings since you'll be taking your recently scanned and clean database backup and migrating it to the site.
(This will re-install your current website database and all past settings will be there)

5. As a precaution, run the WordPress database upgrade.
(Point your browser to http://yourwebsite.com/wp-admin/upgrade.php)

6. Login, verify there are no extra "users" in there. Change all passwords for all users including yours. You should also change all passwords for everything related to the site. Cpanel, mail, etc...

7. Install and setup a good security plugin. Do a security scan of the site. There are many sites that do this (Securi is good).
Most security plugins should have this built in as well.

8. Check to see if your site is on any blacklists. Login to Google webmaster and see if you have any site warnings.

This is only a quick overview, there are many little steps within these steps that need to be done. Likely the toughest part is ensuring your database is clean. The hard assets are quite easy to replace/upgrade.

I personally would do all of this in a staging area, not the live site. Once your satisfied things are clean, push to the live site and lock it down with security.

Can you tell me where I can read the logs, please? I'm not sure what I'm looking for. If I decide I need to restore my site, do I need to delete the current database from my host server, first?

I found the raw access logs but they are saved a .gz file and I have to find a program to extract it. Can you suggest a good place where I can get help with this issue? SitLock is Hostgators site security company and they want 300$ to clean one website and $80 a month to protect it. Can you recommend a good place where I can get some professional help with this. I think some of this is over my head. I have no experience with building databases and I don't want to muck it up.

Also, my main domain name doesn't have wordpress installed on it so I can't install a security plugin. How should I go about protecting it?

I think I may just switch my hosting over to A2 hosting and see if they'll re-install my backup files for me as part of their free site migration offer. I found an old backup file from 2013. Surely that one is not infected but I'll have to make some updates. Do all hosting companies get hacked just the same or are some more vulnerable?

I also noticed that anonymous FTP was enabled and there were a couple anonymous FTP accounts in my Cpanel. I'm not sure if this is something the hacker did or not but I disabled them.

What all is restored in a backup file? Will all of my plugins and themes be in there as well? Sorry for all of the questions. Thank you.

A couple of weeks before my website was hacked, I noticed I was getting a LOT of spam comments on some of my posts. Most of them seemed to be coming from Facebook profiles. I don't know if that those comments had anything to do with my site being hacked or not.

Since then I've moved to a new server and rebuilt the site. In the last few days I've been receiving strange comments via the contact form on my website. Could these comments be new attempt from the hacker to hack my new site? Here is what the comments look like. Thanks for the help, everyone.

From: hermesmadisonavenue <pptldxtfpq@gmail.com>
Subject: hermesmadisonavenue

Message Body:
It was Esposito's third goal of the tournament not bad for a guy who got cut from the junior team the first three times he tried out.
<a href="http://www.librafluid.com/wp-includes/css/toms.php?p=167" >hermesmadisonavenue</a> hermesmadisonavenue

And the other one.

From: suedehandbags <uaxwfxb@gmail.com>
Subject: suedehandbags

Message Body:
Jordan Morris is about halfway to a Stanford University diploma. He is much further along graduating from American soccer prospect to bonafide national team player. supporters. And those who knew of him were aware only of his place on the under 23 squad attempting to qualify for the 2016 Olympic Games.
<a href="http://www.chambersouth.com/wp-content/reports/do.php?p=27" >suedehandbags</a> suedehandbags

Hey, sorry to hear you got hacked. However i feel the root of the cause is not having a strong enough password or giving your credentials away to people you should not trust.

None the less, i would start with inspecting your database thoroughly as folders and file are not the only concern when getting hacked.

Use mysql in your host manager to inspect your tables for non relevant values.

I hate to say it but this is why I don't use wordpress. I use a different web editor so that means My site is on my computer and I load it onto the hosting companies server. If somehow someone gets into my hosting companies account and messes up a site all I need to do is delete the site change my password and re install my site back onto the hosting companies server. It would take less then 5 minutes to do this.