Mitigating the Site
Step #1: Make sure you always use a clean and protected computer to log in to the server (malicious cookies, keyloggers, spyware and viruses can sneak onto the server and feed vital information to the attacker)
Step #2: Back up the database
Step #3: Clean and optimize the database regularly
Step #4: Change the passwords for the database, cPanel and CMS to stronger ones
Step #5: Update all extensions and templates, and delete unwanted ones or scripts with no update for over six months
Step #6: Secure and prevent editing of PHP scripts, web directories and important files like .htaccess and configuration files
Step #7: Change login URLs, administrator usernames, database names and database usernames, and change the table prefix to a harder-to-guess one
Restoring the Site
Step #8: Manually delete all foreign folders, files suspected of phishing, any useless scripts and old site backups, as those may open a loophole for attacks on the website
Step #9: Remove core folders and related core files in the root folder, except the folder for data configuration and the .htaccess files
Step #10: Upload a fresh and current copy of the deleted CMS folders and files
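To decide what counts as "foreign" in Steps #8 to #10, the deployed site can be compared file by file against a fresh copy of the CMS. The following is an added example, not part of the original checklist; the file names (configuration.php, .htaccess and the demo tree) are constructed, and the script only reports, it deletes nothing.

```python
import hashlib
import os
import tempfile

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_to_clean(site_root, clean_root, keep=()):
    """Classify deployed files against a fresh CMS copy; keep = site-specific paths (Step #9)."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    def kept(rel):
        return any(rel == k or rel.startswith(k.rstrip("/") + "/") for k in keep)
    return {
        # Not shipped with the CMS: candidates for manual deletion (Step #8).
        "foreign": sorted(p for p in site if p not in clean and not kept(p)),
        # Shipped with the CMS but altered: replaced by the fresh upload (Step #10).
        "modified": sorted(p for p in site
                           if p in clean and site[p] != clean[p] and not kept(p)),
        # Kept files have no clean reference, so they must be read by hand.
        "review": sorted(p for p in site if kept(p)),
    }

def build_demo():
    """Constructed sample: a tiny clean CMS tree and a tampered deployed copy."""
    base = tempfile.mkdtemp()
    trees = {
        "clean": {"index.php": "<?php // core", "lib/core.php": "<?php // lib"},
        "site": {"index.php": "<?php // core", "lib/core.php": "<?php // lib, altered",
                 "lib/old-backup.zip": "stale", "images/login.php": "<?php // unknown",
                 "configuration.php": "<?php // settings", ".htaccess": "Options -Indexes"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    site, clean = build_demo()
    for label, paths in compare_to_clean(site, clean, keep=("configuration.php", ".htaccess")).items():
        print(label, paths)
```

The clean copy must be the same CMS version as the deployed one, otherwise every file changed between releases shows up as modified.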
Monitoring the Site
Step #11: Install security monitoring and notification systems
Step #12: Make sure your website is visited and scanned regularly for malware (at least once per week) using https://sitecheck.