Note: Please ensure to back up website before doing anything

1. Check all the infected files and remove them from the cpanel.
2. Check CMS side of the website, if there are unexpected plugins/modules as code added.
3. Check the registered users and confirm them with clients. Delete the unknown users account.
4. Change admin username and password for CMS.
5. Check all the payments methods and confirm them with client for each payment method (PayPal, Eway etc.)
6. Remove additional URL’s from WordPress in CMS side.
7. Check cpanel/unders and emails also add forwarded emails and confirm with client.
8. Change the CMS access URL eg. /admin etc.
9. Keep checking front-end impact on website.
10. Keep focusing on URL’s re-directs.