Although hacked sites aren’t a topic that is within the scope of this site, this question always gets asked. And there are many googles/bings/ducks on how to de-hack a site. The basics:
- change credentials on everything (hosting, FTP, admin level users). Create a new admin-level user with a strong password. Log in with it to ensure it works, then demote the old admin user. I never have a user called ‘admin’.
- update everything. Even if they have been updated before. Update from known good files (via FTP). WP (you can use the admin/updates thing for that), themes, plugins.
- look at all folders for files that don’t belong. If you sort by date, they will stand out (because you updated everything else). Don’t forget hidden files like htaccess.
- look at generated pages for further evidence hints.
I’ve developed a procedure that has worked for the sites that I have de-hacked. See it here. Hard work, will take some time, but can be done.