It's also important to change admin username and your password if someone needs admin username and your password to login to do the work and will help you. Admin username and your password changes, after all of the work is complete. Someone in their business might not be, even if the man is trustworthy. Better to be safe than sorry!
My first step is but it helped me. I had a good old fashion pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And then I did before I started my site, what I should have done. And here is where I would like you to start also. Learn hacked. The beautiful thing about fix hacked wordpress and why so many people recommend because it is really easy to learn, it is. That can also be a detriment to the health of our sites. We here need to learn how to add a security fence around you can find out more our website.
Backup plug-ins is also important. You need to backup all the files and database so in case of a sudden attack, you can easily bring back your own blog like nothing happened.
Move your wp-config.php file one directory up from the WordPress root. WordPress will look for it if it cannot be found in the main directory. Also, nobody will be able to read the file unless they've FTP or SSH access.
Make a note of your new password for the next time you sign in! I recommend the free or paid version of the software *Roboform* to remember your passwords.
These are three very simple things you can do to keep WordPress secure without plugins. Put a blank Index.html file in your folders, website link run your web host security scan and backup your whole account.