backup db
replace
	wp-admin
	wp-includes
find/replace
	plugins

check
	.htaccess
	wp-config.php
	theme

search for .php files in uploads


define( 'DISALLOW_FILE_EDIT', true );


at the end of .htaccess
Options -Indexes


create a .htaccess with the following and upload it to /wp-content/uploads/
<Files *.php>
deny from all
</Files>


The best way, as for me, is:
0. create a backup!!
1. copy the site (maybe locally); do all other work on the copy
2. _remove_ wp-admin and wp-includes, then upload fresh wp-admin and wp-includes from the original repo
3. remove these files from the root dir:
index.php
wp-activate.php
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
and replace them with the original ones.
4. check wp-config.php and .htaccess for strange code. Maybe there will also be other files -- check them too.
5. remove all plugins and install the original versions from the repos (wordpress.org)
6. remove unused themes
7. check each theme file for malicious code
8. check /wp-content/ for malicious files (.php in wp-content/uploads)
9. change the database, FTP and admin passwords
10. upload all files to some dir, for example, named "new"
11. move the old site to some dir (for example, "old") and move the "new" site into its place

(see my comment) This way your site is almost never offline.
Also, you could install protection plugins, Wordfence for example.
Also:
1. put
define( 'DISALLOW_FILE_EDIT', true );
into your functions.php file to disallow file editing from wp-admin
2. put
Options -Indexes
into your .htaccess file to hide the file list if somebody opens a directory without index.php/index.html
3. create a .htaccess with
<Files *.php>
deny from all
</Files>
and place it in
/wp-content/uploads/

Also, if you're using the Plesk panel, there are some tools to protect your site.
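As an added example (not code from the original post or its author), here is a POSIX shell audit of the site copy from step 1 against a clean WordPress download, covering steps 2, 3 and 8: it reports core files that differ from the reference, files in wp-admin/wp-includes that a clean install does not have, any PHP under wp-content/uploads, and whether the uploads .htaccess guard from point 3 is in place. The directory layout and the small sample tree built by make_fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a COPY of the site
# against a clean reference tree (steps 2, 3 and 8 above). Read-only:
# it only prints findings. Directory layout and fixture are constructed.
set -eu

# audit_site REFERENCE_DIR SITE_COPY_DIR
#   MISSING   <path>  core file absent from the copy
#   MODIFIED  <path>  core file differs from the clean reference
#   EXTRA     <path>  file in wp-admin/ or wp-includes/ that a clean install lacks
#   UPLOADPHP <path>  PHP file under wp-content/uploads
#   NOGUARD           wp-content/uploads/.htaccess does not deny PHP
audit_site() {
  ref="$1"; site="$2"
  # every file of the clean tree must exist unchanged in the copy
  (cd "$ref" && find . -type f) | while IFS= read -r f; do
    f="${f#./}"
    if [ ! -f "$site/$f" ]; then echo "MISSING $f"
    elif ! cmp -s "$ref/$f" "$site/$f"; then echo "MODIFIED $f"
    fi
  done
  # anything in the two core dirs that the reference does not contain
  for d in wp-admin wp-includes; do
    [ -d "$site/$d" ] || continue
    (cd "$site" && find "$d" -type f) | while IFS= read -r f; do
      [ -f "$ref/$f" ] || echo "EXTRA $f"
    done
  done
  # uploads should hold media only; any PHP there is a red flag
  if [ -d "$site/wp-content/uploads" ]; then
    (cd "$site" && find wp-content/uploads -type f \
        \( -iname '*.php' -o -iname '*.phtml' \)) |
      while IFS= read -r f; do echo "UPLOADPHP $f"; done
    grep -qi 'deny from all' "$site/wp-content/uploads/.htaccess" 2>/dev/null ||
      echo "NOGUARD"
  fi
}

# make_fixture DIR: constructed sample data, a tiny "clean" tree and a
# tampered copy of it, so the audit can be run offline.
make_fixture() {
  mkdir -p "$1/ref/wp-admin" "$1/ref/wp-includes" \
           "$1/site/wp-admin" "$1/site/wp-includes" "$1/site/wp-content/uploads/2024"
  echo '<?php // clean' > "$1/ref/wp-admin/index.php"
  echo '<?php // clean' > "$1/ref/wp-includes/load.php"
  cp "$1/ref/wp-admin/index.php" "$1/site/wp-admin/index.php"   # untouched
  echo '<?php // altered' > "$1/site/wp-includes/load.php"      # modified core file
  echo '<?php // planted' > "$1/site/wp-admin/cache-helper.php" # extra file
  echo '<?php // planted' > "$1/site/wp-content/uploads/2024/image.php"
}
```

Run make_fixture on a scratch directory and then audit_site on its ref and site subdirectories; on a real site, point the reference at an unpacked wordpress.org archive of the same version.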
