If it's a server vulnerability then your host will have to look into it and fix that. Your host should offer you a backup once every 24 hours. If your site is altered in anyway then the backup can be restored, providing that backup doesn't have the altered content. This is why you should make periodic backups yourself. I store mine in an encrypted SFX archive and upload to my personal FTP, Box and burn to DVD every once in a while.
To help mitigate this in the future you can use the following: CloudFlare which will hide your real IP, CIDRAM, which will prevent certain forms of SQL injection, and block cloud-based/host-based connections to your site among other things and Ninjafirewall which offers a free version which I use myself. It has stopped a few hackers already. I wrote about it on my forum and the link is in my Sig. Once again, they offer a free solution. It's the Pro version. The Pro+ version is not free. It would be foolish not to use it for something that's free, especially CIDRAM which you can find at Github. I know the author.
About CloudFlare. The idea behind a reverse proxy is to thwart anyone from seeing your origin IP to mostly block a DDoS attack. Also, without your real IP a hacker can't Nmap your IP and discover the SSH port, etc and try to brute force in. The thing is, you need to first setup CloudFlare and then have your host change IPs, then add the new IP to CloudFlare. If this isn't done correctly websites like Crimeflare or domain history websites can't see your origin IP. Also, you need to use a third-party E-mail service and delete the MX record. The MX record will expose your origin IP if you use your host's E-mail. I use Gmail with the SMTP options in phpBB myself, if your site is rather large you might want to use a paid-for solution from Namecheap which is about $10/year. If you use a shared account your IP may still be hidden, but if you use a VPS you'll need to block all IPs except CloudFlare's since there is a tool and a website that uses this tool to scan the entire IPv4 space in about 45 minutes and that website will resolve your domain and IP and expose it.
Most of all, make sure your host has mod_security on. If your host does not even have that then ditch that host. They should also have Suhosin installed.
Note that I'm not affiliated in anyway with Google, CloudFlare, Ninjafirewall or Namecheap. I just use these services and I'm passing on the Info. I have helped with bug reports for CIDRAM which is an open source project at Github.