Without a backup, cleaning up something like this can take a while. Each hack is different and can hide in multiple locations. If you have admin and FTP access these are the things I would change:
Change all the passwords for every account on the backend. I would also look into setting up a Cloudflare account as it can help add an extra layer of security.
Plugins
Limited Login Attempts: It’ll prevent bruce force entry.
Wordfence: Install it and have it run a scan on the site and directories. It should return any file that has been modified or is out of date.
I’d check through the head.php and footer.php files to ensure that they’re aren’t any scripts being dump in there. Sometimes you’ll see a lot of random javascript or an iframe, delete those out.
Cleaning up a hack is time consuming and if you are unfamiliar with working with a text editor and FTP, you might want to hire someone.