Most of the times, hacked WordPress sites usually have backdoor files. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/folders.
An easy way to improve your WordPress security is by disabling PHP execution for some WordPress directories.
How to Disable PHP Execution in WordPress Directories
Create a blank .htaccess file and paste this code inside it:
<Files *.php> deny from all </Files>
Then upload this file to /wp-content/uploads/ and /wp-includes/ directories.