Looked at Drupal long ago to compare with other free CMS options, and went with MODx - which has also had its problems (always quickly resolved) - but if you've already been compromised, it's too late.
Fixing a compromised site takes a very long time because while some back-doors are easy to find, others are dead sneaky - you are supposed to find the easy ones and think the job is all over.
So back-ups are essential, yet on at least one occasion one of my sites had been compromised by at least two different baddies at different times and it took ages to find a clean (pre-hack) backup. One had actually got in before the flaw had been published.
What I really, really wanted was a site-signature for the code of the site, and file-signatures for each code file and some kind of signature-scanner that could detect a change in those signatures across the entire site and all the backups to identify the last clean version. MODx doesn't have this, and the least said about Drupal the better, but they don't have it either.
I'm no techie - I'm not much more advanced than the "developer who treats Drupal like magic". This is why I use someone else's CMS rather than design and build my own. I can't build OSs either, or write drivers for flash arrays. All magic to me.
As it should be. The magicians need to up their game, and in these days of thousands of baddies, working in shifts, hiding behind irresponsible and incompetent governments (if not worse), the magicians are failing to impress. We need the tools to make recovery from compromise as straightforward as, say, an original install.
While I'm at it, the chap above who has "thousands" of invoice-like transactions that now have to be re-keyed, needed a transaction dump file - a journal we call them in accounting terms - which can be used to regenerate the online processes in a recovery - suitably error- and hack-checked to remove the SQLi transactions. This has to be maintained somewhere else, not in the same database as the one it protects. And, no, I don't know how to do this either.
Come on Gandalf.
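The file-signature and site-signature scan the comment asks for can be sketched as follows. This is an added example, not part of the original comment and not MODx or Drupal code. It assumes the baseline is taken from a trusted copy of the site kept off the server and that each backup has been unpacked into its own directory; `CODE_SUFFIXES` and all function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

CODE_SUFFIXES = {".php", ".js", ".inc", ".html"}  # assumed set of code file types

def file_signatures(root):
    """Map each code file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    files = (p for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in CODE_SUFFIXES)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}

def site_signature(sigs):
    """One hash over the sorted (path, file hash) pairs: changes if any file does."""
    h = hashlib.sha256()
    for path in sorted(sigs):
        h.update(path.encode() + b"\0" + sigs[path].encode() + b"\n")
    return h.hexdigest()

def changes(baseline, sigs):
    """Files added, removed or modified relative to the trusted baseline."""
    return {
        "added": sorted(set(sigs) - set(baseline)),
        "removed": sorted(set(baseline) - set(sigs)),
        "modified": sorted(p for p in baseline.keys() & sigs.keys() if baseline[p] != sigs[p]),
    }

def last_clean(baseline, backups):
    """backups: (label, directory) pairs, oldest first. Returns the newest clean label."""
    target = site_signature(baseline)
    clean = [label for label, root in backups if site_signature(file_signatures(root)) == target]
    return clean[-1] if clean else None

def make_tree(files):
    """Constructed sample data: write {relative path: text} into a temp directory."""
    root = Path(tempfile.mkdtemp())
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

if __name__ == "__main__":
    good = {"index.php": "<?php echo 'home';", "core/db.php": "<?php // db layer"}
    mon = make_tree(good)                                                  # clean backup
    tue = make_tree({**good, "core/db.php": "<?php // db layer (altered)"})  # one file changed
    wed = make_tree({**good, "assets/cache.php": "<?php // unexpected file"})  # one file added
    baseline = file_signatures(mon)
    print("last clean:", last_clean(baseline, [("mon", mon), ("tue", tue), ("wed", wed)]))
    print("wed:", changes(baseline, file_signatures(wed)))
```

A legitimate CMS upgrade also changes the site signature, so a fresh baseline has to be recorded after each trusted update.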