We believe our website has been compromised and need to wipe it and start fresh. Is there any way to do this and keep the customer database, order history and products already in the site? We don't want to have to rebuild it from scratch again.
If you have your database backup and no core and theme files have been hacked or corrupetd try to restore you Magento to a new subdirectory on your server. (First confirm that this is fully secure)
Also follow following steps also
1) Apply all Magento patches or upgrade to Magento latest version.
2) Remove any suspicious files from Magento root folder.
3) Contact with your hosting provider to run a scan on your Magento directory.
4) Change all the folder and files permission to the recommended .
5) Disable FTP and use SFTP
6) Use custom admin path for magento admin and also make it password protected using .htaccess file.
7) You can also restrict the admin access to particular ip address.
One good thing you can do is to consult a firm which can assist you to secure you magento.