It's crazy that people do this, though you have some recommendations.
1. Contact your web host. If your web host maintains daily and weekly backups, hopefully they will be able to recover your website from prior to this event.
Once they do so, you'll want to make sure all of your passwords are changed and likewise ensure all scripts on your site are updated.
2. Web host has no backups Ok, so your web host has no backups. If this is the case, you'll need to log into your website via FTP and start looking around for newly dated files, then work to remove any hacker code you find in them.
3. Then what? Well, once you clean things up it's time to start looking at future solutions. Proactive security is your friend.
_x_ Check your scripts for version updates at least once a month.
_x_ Only host with a web host who maintains "weekly" backups and who does not charge for backup recovery.
_x_ Install Bulletproof Security and File Monitor Plus so you'll know when changes are made to your website (and it's free).
_x_ Change your WordPress admin pass and FTP pass at least quarterly (mark your calendar so you won't forget).
So these are the basics. While you can do a lot more by only hosting with web hosts who make security their top priority (i.e., discuss security on their home page), the above may at least get you back in the game.
Otherwise, I hope all goes well with you.