WordPress only needs the .htaccess in the main directory to function properly. There could be legitimate reasons for having them elsewhere. If you are the sole admin for the site and you didn’t put them there, move and rename them to a safe place for possible analysis. In addition, there are probably entries in the main one that do not belong. Ideally, it should be restored from a clean backup.
The big issue is how did it happen and how can you stop from happening again? There can be backdoors and malicious code anywhere on your site now. Start a response with FAQ My site was hacked.
The .htaccess in your main directory is the only one required, and should look something like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Since your site was hacked it’s likely hacker has hidden some back door scripts as well, which may allow them to re-hack your site again in future.
So you’ll need to first be sure and update every script within your site, WP version, plugins, etc., then work through the process of reviewing every file for hacker code.
This site may be helpful in tracking down the code snippets or files hacked as well:
http://www.unmaskparasites.com/
