You can log in to your admin page but as soon as you try to click on any options you get a screen which says FORBIDDEN then if a path to the file you tried to access like https://yoursite/wpadmin/posts.php
In your search to fix this problem you’ve discovered that the are some lines in the htaccess file. You delete the lines but the reappear, you rename or delete the htaccess file but it comes back.
On your local machine – Create a new access file – you don’t need anything in it but you can find the basic WordPress lines online.
On your local machine – Copy the default index.php – you can get this from another site you own or download the WordPress package. The size of this file is only around 420 bytes, the hacked version is much larger.
Now you have those two files handy use an FTP client to change the names of the files on the server – something like “htaccess1” & “index.php1” will do.
Now copy your new files to your server and check that you now have access to your admin area as you should.
CLEANING UP FURTHER
As far as I understand the are 3 files that can be affected. All these and copies of them need deling with or the problem will quickly come back.
Check all other folders for hacked files. You will need to search – a good way is the search facility of Filefilla FTP client. The feature finds files & lists their place & file size. Any files that are larger than the standard should be treated as suspect – You can then use the search again adding a “filesize” option to search. It’s up to you if you replace or delete these files. Each system will be different but on most you should be able to delete all the files without to much affecting your site but only you know if these files should be there – if they should you need to replace, if the shouldn’t you can safely delete.
When you are happy it all works fine;
1. delete those files you renamed
2. update your server software
3. enable your firewall
4. perhaps install a security plug-in
5. back-up your complete site & database offline.
Hope that helped.