Zwielicht has already posted a lot of useful information but I just wanted to contribute my 2-cents. Apologies to Zwielicht in advance if I do accidentally repeat any of his points, and/or if I'm pointing out the obvious.
I also recently had to sort out WordPress sites that's been hacked. I approached by installing a fresh installation of WordPress. When I say fresh installation, it doesn't mean that you'll lose any of the changes you've made to the site however. I've been trying to Google to find the instructions I found but to no avail. It essentially consisted of deleting the core WordPress files (you keep some files/folders such as wp-config.php, /wp-content/ etc... and of course the database) and then reupload them from a freshly downloaded copy of WordPress. This way, you don't have to sift your way through hundreds of core files to find malicious code. Sorry but I really can't seem to find the particular article I read, but it's definitely worth checking out the WordPress codex. I can't post links on here yet, but if you search for "wordpress faq my site was hacked" on Google, it should be the first link and should say WordPress Codex.
In terms of looking for malicious code in the files that weren't replaced in the above process, you may find that the code is being injected in rather than being hard coded. This often makes use of functions such as base64() and eval(), so I'd definitely keep an eye out for those functions. As I say, you only need to check this in the files that weren't replaced. Open each file and visually check the code for anything that looks out of place. I would also use the search functionality to look for those functions in case you missed them. It's usually quite easy to spot the malicious code, as it's often at the beginning or end of a file, and contains code that's not human readable. Obviously delete any blocks of code that look dodgy.
I'd also check the database, but you said you've already inspected that.
Lastly, I doubt this would have anything to do with it, but maybe it's worth checking the .htaccess file in the root folder in case that's been changed somehow.
Once you've sorted your installation, it's time to take some measures to try and prevent this happening in the future.
The first step is to update WordPress and any plugins. Make sure you keep it up-to-date in the future as well, to minimise the chance of someone using an older well-known exploit.
I'd then go ahead and change all passwords as Zwielcht mentioned. When he mentioned hosting account login credentials, it doesn't just mean your cPanel/FTP but also your database username/password as well.
In terms of plugins, I personally use iThemes Security. It'll guide you through the process of securing the site. There's various things on there such as changing the login URL, adding automated malware scanning, removing the WordPress version in the generator tag etc... Slowly and carefully go through the recommendations. Please note that some of the changes will make changes to your files and database, so may require you to back up the files/database. The plugin will warn you when it needs to be done though.
Also I personally don't activate file change monitoring as I heard that uses quite a lot of resources.
I hope some of the above will help you, and good luck!
Kind regards,
Hodaka
