Hacked Site Investigation

If you do want to get to the bottom of it. Hire someone that can do some analysis. But you'll need to preserve the site as-is. So suspend it or lock it down. Change the domain on it. Then clone it to the original domain, clean it up, and then you at least have the production online and a copy of the hacked site.

It's important to keep the files and logs untouched on the hacked instance so the person investigating can trace out modified dates and such.

This is where 7G isn't going to help much. But an application WAF like Wordfence or Patchstack will. Live patching and some decent 7G type logic, or even better as it's exposed to more of the application than 7G.