If your site is hacked, the first thing to do is not to panic: you are not the first and you will not be the last. Every protective measure becomes obsolete over time, and attackers find new vulnerabilities.
The more popular a resource becomes, the more often it is hacked. New ways of protecting it are invented, and so are new ways of breaking it; the process is endless.
What should you do in this situation?
At least once every 5 years it is important to rewrite your system. Very often the target of the hack is not your site but the server that hosts it. Attackers can use it to send spam, and for your business this can lead to search engines blocking the server's IP address. It will then take some time to regain your position in the SERP, which means lost orders and damage to the site's reputation.
The main precaution is to regularly back up both the system files and the database. If the site is hacked, you can quickly roll back to a stable version and change the credentials (for the administrative part of the site, the database user's password and the server's user accounts).
After the credentials are changed and the system is rolled back, it is important to find the vulnerabilities and fix them. As a rule, popular CMSs (content management systems) such as WordPress, Joomla and Bitrix are hacked most often, which is one of the reasons it is not recommended to use them.
Your programmer should keep the project under version control (the choice of system is theirs; currently the most popular is git), so that you can immediately track changes in the code and fix them.
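One way to track such changes with git, as an added example that is not part of the original article: the script lists every file in a web root that differs from a known-good commit and then restores the tracked ones. The function names and the demo site are constructed for illustration.

```shell
#!/bin/sh
# Print "<status> <path>" for every file that differs from a known-good commit.
# M = modified, D = deleted, A = added (a file that was never committed).
audit_webroot() {
    root=$1
    good=${2:-HEAD}
    # Tracked files changed or deleted relative to the known-good commit.
    git -C "$root" diff --name-status --no-renames "$good" -- . | tr '\t' ' '
    # Untracked files. Ignored paths are listed on purpose: upload and cache
    # directories are often in .gitignore and are where new files tend to appear.
    git -C "$root" ls-files --others | sed 's/^/A /'
}

# Roll tracked files back to the known-good commit. Untracked files are left
# in place so they can be examined before they are removed.
restore_tracked() {
    git -C "$1" checkout -q "${2:-HEAD}" -- .
}

# Constructed sample: a tiny site with one commit, then three unwanted changes.
make_demo_site() {
    d=$(mktemp -d)
    git -C "$d" init -q
    printf '<?php echo "home";\n' > "$d/index.php"
    printf '<?php // settings\n' > "$d/config.php"
    git -C "$d" add -A
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "known-good state"
    printf '<?php /* line that was not in the commit */\n' >> "$d/index.php"
    rm "$d/config.php"
    mkdir "$d/uploads"
    printf 'placeholder\n' > "$d/uploads/new.php"
    echo "$d"
}

site=$(make_demo_site)
echo "Before restore:"
audit_webroot "$site"
restore_tracked "$site"
echo "After restore (still to be reviewed):"
audit_webroot "$site"
rm -rf "$site"
```

Run against a real web root, the listing is only as trustworthy as the commit it is compared with, so the known-good commit should predate the incident.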
The faster you take action, the faster the service will be back in working order!