The first step is to identify how the hackers gained access and to remove that vector.
It could be an insecure server, software on the server, a compromised account, etc.
Next you need to check if any malicious files have been uploaded or any of the core files edited.
That may require doing a restore from a known good backup and in the worst case, could even require a server rebuild.