One question that comes up from time to time when we are brought in to deal with hacked WordPress websites is can the website be cleaned up if there isn’t a backup. In almost all situations, the answer is yes, and in fact a backup usually isn’t all that useful for cleaning up the website.
One suggested solution for cleaning up a hacked WordPress website, or websites using other software for that matter, is to revert to a clean backup. The big problem with that is that the backup has to be clean, reverting to a backup that from when the website was already hacked, won’t solve the problem. Since hacks can have started well before it becomes noticed, simply reverting to a backup from before you were aware the website was hacked isn’t always going to do the trick. Assuming it can be figured out when the website was originally hacked, most of the work needed to clean up the website without a backup has likely already been done.
The work needed to clean up the website without a backup can also be important for determining how the website was hacked. If you don’t figure out how the website was hacked, then you can’t insure it won’t get hacked again because of the same issue. (Surprisingly, a lot hack clean up providers that claim to have expertise in dealing with hacked websites, don’t even try to figure how websites have been hacked, leading to far too many of their customers’ websites getting hacked again.)
Another issue with reverting to a backup is that you need to do the reversion correctly. Done incorrectly files that were part of the hack could still be on the website or the website could be broken (sometimes in a way that is only realized later).
The exception to the ability to do a cleanup without a backup would be if the files or data has been deleted or is damaged beyond repair, which in almost all instances isn’t the case.