How To Secure Hacked WordPress Blog

You can't trust any files on a hacked site: hackers always hide hacker tools in multiple locations. So even if you upgrade WordPress and delete the hacker files, there is a chance your web site will get hacked again.

If your site is hacked, always rename the public_html folder and create a new one. Upload a fresh copy of the WordPress files, themes and plugins, downloaded from the original source (don’t upload from your backup, as it can be outdated or even contain the vulnerability that allowed the site to be hacked).

You may need to use these files from the hacked site. Most hackers expect you to just copy them back to the LIVE site, so they hide hacker tools that allow them to hack the site again.

So when you copy the upload folder back, make sure no PHP/CGI scripts are present in the folder.
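One way to run this check before copying the upload folder back, as an added example that is not part of the original post. It goes beyond file extensions and also flags .htaccess files and files with harmless-looking names that contain a PHP open tag; the function name audit_uploads and the extension list are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit an uploads folder taken from the hacked site
# before it is copied back to the live site.
# Usage: ./audit_uploads.sh /path/to/old_site/wp-content/uploads

# Prints one line per suspicious file: "<REASON> <path>".
audit_uploads() {
    local dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # 1. Names that mark a server-side script (case-insensitive).
    #    The list is an assumption; extend it to match your server's handlers.
    #    '*.php.*' catches double extensions such as image.php.jpg.
    find "$dir" -type f \( \
        -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php.*' \
        -o -iname '*.cgi' -o -iname '*.pl' -o -iname '*.py' -o -iname '*.sh' \
        \) -print | sed 's/^/SCRIPT /'

    # 2. .htaccess files: uploads normally need none, and one left behind
    #    can change how the server handles files in the folder.
    find "$dir" -type f -name '.htaccess' -print | sed 's/^/HTACCESS /'

    # 3. Files with any other name that contain a PHP open tag, for example
    #    code appended to an image. -a makes grep search binary files too.
    grep -rlaF '<?php' "$dir" \
        | grep -viE '\.(php[0-9]?|phtml|phar)$' \
        | sed 's/^/PHPTAG /'

    return 0
}

# Run the audit when a folder is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

Empty output means none of the three checks matched; review every reported file by hand before anything goes back to the live site.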

Consider disabling PHP execution in the WordPress uploads folder.

When a site gets hacked, the hacker gets the MySQL password from the config files.

So even if you replace all files with secure files and close all vulnerabilities in the scripts, they can gain access with the MySQL password.

Always change the MySQL password when you secure your web site.

Many hackers add a new user with admin privileges to WordPress. Make sure you change the password for all WordPress users that have privileges to make posts.

You can use the Folder Protection feature in cPanel to set a password for the wp-admin folder.

Another option is to use a .htaccess file to limit access to the wp-admin folder to your IP. If your IP changes, you can use an IP range.

