My first step is but it helped me. I had a fantastic old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And I did before I started my website, what I should have done. And here is where I would like you to start as well. Learn hacked. The thing about fix malware problems free and why so many people recommend it is because it is so easy to learn. That is also a detriment to the health of our sites. We need to learn how to add a security fence around our site.
Also, don't make the mistake of believing that your web host will have your back so far as WordPress backups go. Not always. It has been my experience that the company may or may not be doing backups while click here to read they say they do. Why take that kind of chance?
Maintain control of your assets - Nothing is worse than getting your livelihood in someone else's hands. Why take chances with something as important as your website?
Now we are getting into matters specific to WordPress. You have to rename it to config.php and alter the document config-sample.php, when you install WordPress. You need to deploy the database facts there.
These are. Put a blank Index.html file More about the author in your folders, run your web host security scan and backup your whole account.