My first step is but I was helped by it. I had a good old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And then I did before I started my site, what I should have done. And here is where I would like you to start. Learn how to protect yourself until you get hacked. The thing about fix wordpress malware scanner and why so many of us recommend it is because it is easy to learn. Unfortunately, that is also a detriment to the health of our websites. We need to learn how to put in a safety fence.
Essentially, it all will start with the fundamentals. Attempt using complex passwords. Use spaces, numbers, special characters, and letters and combine them to make a password that is unique. You could also use usernames that aren't obvious.
You should also place the"Anyone Can Register" in Settings/General to away, original site and you should have some type of spam plugin. Akismet is the one I use, the old standby, but there are lots of them nowadays.
Now we are getting into things specific to WordPress. You must rename it to config.php and modify the file config-sample.php, when you install WordPress. You need to set up the database facts there.
These are only a few of the things I do to secure my blogs. Thing is they don't need much time to do. These are also solutions, which can be done.