I recently recovered a client website from a series of hacks. The hacking spanned more than a week and it encompassed three different types of hacks. The third one was the most pervasive as it inserted files in every folder on the server. The cleansing process was tedious as there was no backup to restore from.
The moral of the story is to lock your site down with a plugin like Sucuri, Wordfence or Malcare. Please follow all of the hardening recommendations. I have a caveat to also check your active theme. None of the scanning plugins examine the active theme folders. The only look at the WordPress files in root, wp-admin and wp-includes.
I also added a firewall to the website and scheduled regular backups to the cloud. Check your sites regularly so if there is a problem you can restore the website before the hack becomes a nightmare.
Once again I am going to reiterate the importance of actively maintaining your WordPress website and hosting environment. Please keep all plugins, themes and WordPress core up to date. Backups are critical too.
If you have any questions or comments about this topic, please reach out. I am readily available to help.