My first step is but it helped me. I had a good old style pity party. I cried and railed against the evil hackers (that where probably 13 and smarter then me.) And I did before I started my site, what I should have done. And here is where I would like you to start. Learn hacked. The attractive thing about repair hacked wordpress site and why so many people recommend because it is really easy to learn it is. That is also a detriment to the health of our websites. We need to learn how to add a safety fence.
Should the server of your site go now go down, everything you have worked for will go with it. You will make no sales, get no traffic or signups to your website, until you have the website back up again and in short, you're out of business.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. Definitely more if you make additions and changes to your site. If you have a community of people that are in there all the time, or make changes multiple times every day, a backup should be a minimum.
In addition to adding a secret key to your wp-config.php file, also think about changing your user password to something that is strong and unique. A good tip is to avoid common phrases, use upper and lowercase letters, and include amounts, although you will be told the strength of your password by wordPress. It's also a good idea to change your password frequently - say once.
Just ensure that you may schedule, and you decide on a plugin that is up to date with the current version and release of WordPress, restore click and replicate.