My first step is but I was helped by it. I had a fantastic old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And I did before I started my site, what I should have done. And here is where I want you to start also. Learn how to protect yourself before you get hacked. The attractive thing about fix wordpress malware and why so many people recommend it is because it is easy to learn. Unfortunately, that can be a detriment to the health of our websites. We have to learn how to add a safety fence around our website.
There are numerous ways to pull off this, and a lot involve copying and FTPing files, exporting and re-establishing more and databases. Some weblink of these are very complicated, so it is imperative that you go for the one that is best. Then you might want to look into using a plugin for WordPress backups if you are not of the persuasion.
A snap to move - If, for some reason, you want to relocate your site, such as a click site domain name change or a new read hosting company, having your files at your fingertips can save you oodles of time, hassle, and the demand for tech help.
Imagine if you go to WP-Content/plugins, can you view that folder? If so, upload this blank Index.html file inside that folder as well so people can't view what plugins you might have. Because if your version of WordPress is up to date, if you're using a plugin or an old plugin with a security hole, someone can use that to get access.
These are three things you can do to keep WordPress secure without plugins. Put a blank Index.html file in your folders, run your web host security scan and backup your whole account.