My first step isn't one you must take but I was helped by it. I had a fantastic old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And I did before I started my website, what I should have done. And here is where I want you to start as well. Learn how to protect yourself until you get hacked. The beautiful thing about how to fix hacked wordpress and why so many of us recommend because it is easy to learn, it is. That is also a detriment to the health of our sites. We need to learn how to add a safety fence around our site.
Don't make the mistake of thinking that check my site your web host will have your back as far as WordPress backups go. Not always. It has been my experience that the hosting company may or might not be doing backups, while they say that they do. Take that kind of chance?
While it's an odd term, it represents a essential task: making a WordPress copy of your website to work on offline, or in case something should go amiss. We are not only being obsessive-compulsive here: servers go down every day, despite their promises of 99.9% uptime, and if you've had this happen to you, you understand the fear is it can cause.
Along with adding a secret key to your wp-config.php document, also think about changing your user password to something that is strong and unique. WordPress will tell you the strength of your password, but a great idea is to avoid phrases, use upper and lowercase letters, and include amounts. It's also a good idea to change your password frequently - say once every six months.
There is another problem you have with WordPress. People know they also could just visit with your login form and where they can login and try out a different combination of passwords and user accounts. So as to prevent this from happening you need to install Login Lockdown. It's a plugin that only lets users attempt and login with a password three times. Following that the IP address will be banned from the server for a certain amount of time.