Let me shoot a scare tactics your way since scare tactics appear to be what compels some people to take how to fix hacked wordpress a bit more find out here seriously, or at the very least start thinking about the problem.
If you're one of the ones, I might find it a little more difficult to crack your password. But if you're among those ones, I might get you.
You first must create a user with administrator rights, before you can delete the default admin account. To do this go to your WordPress Dashboard and click on User -> Create New User. Then enter all of the information you will need to enter.
Phrases that were whitelists and black based you could try this out on which area they appear within, in a page request. (unknown/numeric parameters vs. known post bodies, remark bodies, etc.).
These are three simple things you can do to keep WordPress secure without plugins. Set a blank Index.html file in your folders, run your web host security over at this website scan and backup your whole account.