There are many things you need to do to fix a hacked site. Lots of googles on how to do it. Important things to do:
- change passwords on everything – WP accounts, FTP accounts, hosting accounts. Strong passwords, of course.
- remove the user called ‘admin’ (or just give it Subscriber level, after making a new admin user
- update everything – WP, plugins, themes. Reinstall current version of WP (from Update page).
- manually inspect all files in all folders for stuff that isn’t supposed to be there. Sorting by date often helps, as an unauthorized file will stand out a bit with a different date from other files (epsecially if you updated everything).
- check for any hidden files
Again, lots of googles on how to do this. Takes some time, though. I’ve done it enough times for others that I developed my own process: https://securitydawg.com/recovering-from-a-hacked-wordpress-site/ . And, other resources with similar help here and the googles. My process works for me, so I documented it so I wouldn’t forget a step the next time.