Project Description
My production Linux server was compromised and the corporate WordPress sites that used to live there have vanished from the usual directories. I am currently running PhotoRec to carve the disk, but I’m out of my depth interpreting the results and rebuilding a working WordPress installation from whatever fragments turn up. There are no usable backups; anything you can salvage from the server itself is all we have.
What I need from you
• Make a full, forensically sound image of the affected disk (or guide me through it if you prefer working remotely).
• Identify and recover every recoverable WordPress file and MySQL database table related to the corporate sites.
• Reassemble each site so it loads correctly on a clean staging environment—plugins, themes, media, and database content.
• Provide a brief post-mortem explaining the breach vector and concrete hardening steps so this doesn’t happen again.
Acceptance criteria
1. Each recovered site loads in a browser without PHP or database errors.
2. Admin logins function with reset credentials you provide in a sealed document.
3. A summary report (PDF or Markdown) details the recovery process and security recommendations.
The server is Linux (Ubuntu 20.04), running Apache with PHP-FPM and MySQL 8. If you prefer TestDisk, ddrescue, or other forensic tools over PhotoRec, feel free—just document what you do so I can follow later. SSH access and single-user physical access can be arranged immediately.
If you have solid experience rescuing hacked WordPress installations from bare metal and you can start right away, I’d love to hear how you would approach it and an estimated timeline for first results.