My first step is but I was helped by it. I had a good old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And I did before I even started my site, what I should have done. And here is where I want you to start also. Learn hacked. The thing about fix wordpress malware and why so many people recommend it is because it is so easy to learn. Unfortunately, that can also be a detriment to the health of our websites. We need to learn how to put in a safety fence around our site.
Strong passwords - Do your best to use right here a password, alpha-numeric. Easy to remember passwords are also easy to guess!
Move your wp-config.php file up one directory from the WordPress root. WordPress will look for it if it cannot be found in the main directory. Also, nobody else will be able to read the document unless they have SSH or FTP access.
Note that you should try this last step for new installations. If you Homepage might like to do it you need to change the table names within the database.
Change admin username and your WordPress password, or your password and collect and utilize other WordPress safety tips to keep hackers out!