My first step is but I was helped by it. I had a good old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And then I did before I started my site, what I should have done. And here is where I would like you to start also. Learn hacked. The thing about fix wordpress malware cleanup and why so many of us recommend because it is easy to learn, it is. That is also a detriment to the health of our websites. We have to learn how to add a safety fence.
There are ways to pull this off, and many of them involve re-establishing databases and much more and FTPing files, exporting and copying. Some of these are very complicated, so it is imperative that you go find more information for the right one. Then you might want to check into using a plugin for WordPress backups, if you're not of the technical persuasion.
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it there if it cannot be found in the root directory. Additionally, nobody else will be able to read the file unless they've SSH or FTP access.
As I (our fictitious Joe the Hacker) know, people have far too many usernames and passwords to remember. You have got Twitter, Facebook, your online banking, LinkedIn, two site logins, FTP, internet hosting, etc. accounts that all include logins and passwords you will need to remember.
These are only a few. Great thing is that they don't require much time to do. These are also easy options, which can be carried out easily.