1. Never give in to hackers
2. Never trust your backups if you have been hacked
3. Keep wp-config, uploads/, and your custom stuff, theme and custom plugins
4. everything that can be re-downloaded, delete
5. change all admin passwords, to something strong 12-15 chars eg. #qrfd1412Gh)oN
6. Delete all FTP accounts, create 1 new one with again, very strong password
7. Go through all files you kept, read code line by line to make sure its clean
8. Go through the database, options, posts, and post_meta are common to have hacker code
9. reset/change security keys in the wp-config
10. Check for security alerts for your themes and plugins, especially (premium), but anyone of theme could have a security issue unfixed.
11. rebuild site with your verified clean files and fresh downloads
12. verify all directory/file permissions
13. If your host has PHP version less than 5.6, RUN, get new hosting
I might be missing some thing, but this should get you pretty clean. If I think of anything else I will add it.
I would say if this is cheap shared hosting it could still happen again depending on the hosts environment. Thats the issue with cheap shared hosting.
Sent from my Samsung Galaxy smartphone.
