If you want to be certain your site is clean, you can either start with a fresh install of WordPress, all of your plugins and the theme.
An alternative would be to use the WP CLI verify-checksums to check your core and plugins for any modifications.
Perhaps the hardest one to clean is your database as malicious code could be hiding in any number of tables. Take a backup first before you do any sort of cleanup, and then you can start to look for common malicious code markers such as PHP eval, base64_decode, gzinflate, shell_exec etc. Take a look at this article for some further explanation on these.
The How to Clean a WordPress Hack article on the Securi.net website is also worth a read.