The attack on The Spearhead was a simple redirect script, apparently hidden in image files. The goal was not to seize any data from the site itself, but rather to redirect viewers to other, illegitimate sites. Because I turned the site off within hours of receiving notice from Google, the damage was limited and nobody got hurt (except the site’s reputation).
User specific information on The Spearhead is safe. The entire breach was a result of my own error, as I unintentionally uploaded something that infected the WordPress theme’s image files through a plugin. What’s good about that is that the databases remain unmolested (means all user data is safe), but what is lousy is that I am going to have to wait until I have access to backups before restoring some images.
So, lesson learned. Time to get back to work.