My first step is not one you must take but I was helped by it. I had a fantastic old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And I did before I even started my site, what I should have done. And here is where I would like you to start as well. Learn hacked. The thing about fix wordpress malware attack and why so many people recommend it is because it is directory so easy to learn. That is also a detriment to the health of our sites. We have to learn how to put in a safety fence.
Protect your login credentials - Don't keep your login credentials where they might be found by a hacker. Store them off, and even offline. Roboform is for protecting them very good . Food for thought!
Should you ever want to migrate your website elsewhere, like a new web host, you'd be able to pull this off without a hitch, and also without needing to disturb your old site until the new one was set navigate to this site up and ready to roll.
Take note of your password! I recommend the paid or free version of the software *Roboform* to remember your passwords.
The plugin should be regularly updated play nice with your plugins, to stay current with the latest WordPress release and have WordPress cloning and restore capabilities. The ability to clone your website (along with regular copies ) can be useful if you ever want to do an offline site redesign, among other things.