My first step is but I was helped by it. I had a fantastic old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me) And I did what I should have done before I started my website. And here is where I would like you to start. Learn how to protect yourself before you get hacked. The beautiful thing about clean hacked wordpress site and why so many of us recommend because it is easy to learn it is. Unfortunately, that is also a detriment to the health of our sites. We need to learn how to put in a safety fence around our site.
You can search for software that will backup your files and database. If hackers suddenly hack your website, it is easy to restore your website by means of your files and change.
This is quite handy plugin, protecting you against brute-force password-crack attacks. It keeps track of the IP address of every failed login attempt. You can configure the plugin to disable login attempts when a certain number of failed attempts is reached.
Can you view that folder what if you visit WP-Content/plugins? If so, upload this blank Index.html file into that folder as well so people visit this website can not see what plugins you have. Because even if your version of WordPress is current, if you are using a plugin or an old plugin with a security hole, someone can use that to get access.
However, I advise that you install the Login LockDown plugin instead of any.htaccess controls. From being permitted after three unsuccessful login attempts from a certain IP address for one hour, login requests will stop. If you do so, you may still access your panel whilst and yet you still have protection against hackers.