I see this is Project 14061732, again. I was typing out my proposal when I saw it got snagged by JoomdevCorp for $100. I figured, hey, if you want to do that much work for $100, enjoy.
Anyway, I run a web hosting service and have extensive server setup, along with malware cleanup, experience.
1 - Clean Joomla and Wordpress(this includes updating all components, which will close the hole)
If you have modified core Joomla files, you will lose those modifications when I patch.
I will be patching to the latest Joomla minor version available. Wordpress will also be updated, though I'm betting the exploit was in Joomla.
2 - Set up AWS server for web hosting(includes firewall with modesecurity, full VPS config).
A firewall will not make the site(s) 100% secure. The ONLY way to keep from getting infected is to keep all software up to date.
3 - Copy both sites to AWS server and test.
Frankly, I'd skip the AWS thing and just run daily backups with a monthly. If anything happens, just restore, but I'll do whatever I'm tasked to do.