Hi, Johnny, & welcome to the WordPress support forum. Firstly, I’m so sorry your site got hacked. That’s a devastating experience.
A .xml file is used to import content into a WordPress site by means of the WordPress importer plugin, or, if you have shell access available, via WP-CLI. These are easily opened in a text editor, & you should be able to determine quite easily if there is stuff there that doesn’t belong simply by looking.
You can use a local WordPress installation to import your blog posts & then export them again, but this can become problematic since the URLs are not the same. There is a plugin called Duplicator designed for this purpose, though I can’t say for certain how recently it’s been updated. Proceed w/caution if it’s untested w/the latest version of WordPress.
Since your site was compromised, please change all passwords, including that of your hosting control panel & FTP if those are separate. Please also scan any devices you use to log into your website to ensure they are free of malware, & please make certain your network is secure when logging onto your website, i.e., don’t log in from public WiFi & use secure FTP as opposed to FTP.
Once you’ve backed up the WordPress installation, being careful to label the backup as “hacked” so you don’t accidentally restore it in the future, go through all your uploads & ensure that images don’t contain any code, & that there aren’t files there you weren’t expecting. Better yet, replace them w/known good copies from your computer. Once you’ve backed up everything, go ahead & delete the current installation. You may also wish to have your host look to make sure that the files they provided are clean as well. Once that’s done, you can reinstall WordPress as well as any plugins & themes, and also replace your uploads folder.
You should start out w/a completely empty database & import your content via the .xml file, as recommended earlier, if that’s possible. Conversely, you can export your database, usually w/phpMyAdmin or similar, & open the resulting .sql file in a text editor. You’ll need to look very carefully to ensure that there is no evidence of compromise in the database. Some things to look for are:
<script
<? php;
base64;
eval
preg_replace
strrev
Unfortunately, that is not a comprehensive list, & I would suggest that if you’re going to use your database & have any lingering doubts at all regarding its integrity that you call on a trusted professional to have a look.
In terms of your local development site, follow best practices, i.e., secure your MySQL root user w/a strong password (a passphrase is better), don’t keep the server up when you’re not using it, &, if it’s a MacBook, don’t log into it on public WiFi. You should be fairly well protected w/those precautions in place.
I hope I’ve addressed your questions, but, if you have others, please don’t hesitate to ask.
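The search described in the reply above can be automated. This is an added example, not part of the original reply: it scans an exported .sql or .xml file for the listed strings and prints a short excerpt around each hit, which helps because a database dump often puts many rows on one very long line. The regex forms, the function names and the sample rows are assumptions made for this example, and a clean result does not prove the export is clean.

```python
import re
import sys

# Indicator strings from the post above, as case-insensitive regexes.
# The exact regex forms are assumptions made for this example.
INDICATORS = {
    "script tag": re.compile(r"<script", re.I),
    "php open tag": re.compile(r"<\?\s*php", re.I),
    "base64": re.compile(r"base64", re.I),
    "eval": re.compile(r"\beval\b", re.I),  # word boundary skips "medieval", "evaluation"
    "preg_replace": re.compile(r"preg_replace", re.I),
    "strrev": re.compile(r"strrev", re.I),
}

CONTEXT = 40  # characters of surrounding text to show per hit


def scan_text(text):
    """Return sorted (line_no, column, indicator, excerpt) tuples for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(line):
                start = max(0, m.start() - CONTEXT)
                end = min(len(line), m.end() + CONTEXT)
                hits.append((line_no, m.start() + 1, name, line[start:end]))
    return sorted(hits)


def scan_file(path):
    # errors="replace" keeps the scan going over bytes that are not valid UTF-8
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample resembling two rows of a wp_posts dump (not real data).
SAMPLE = (
    "INSERT INTO `wp_posts` VALUES (1,'Hello','A medieval evaluation of tea.');\n"
    "INSERT INTO `wp_posts` VALUES (2,'Pie','Recipe <script src=\"//x.invalid/a.js\"></script> "
    "and <?php eval(base64_decode(strrev(\"...\"))); ?>');\n"
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for line_no, col, name, excerpt in results:
        print(f"line {line_no}, col {col}: {name}: {excerpt!r}")
```

Run it with the path to the export as its only argument; with no argument it scans the constructed sample. Every hit still needs a human look, since legitimate posts can contain embedded scripts or base64 image data.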