Hi there,
There are many reasons a WordPress site gets hacked.
Most of the time, it’s due to an insecure shared hosting environment. There might be a back door into your server somewhere, and it could be due to another site sharing your server. That’s the problem with shared hosting.
There’s tons of information out there you can find that will show you how to clean up a hack, and prevent them in the future.
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://premium.wpmudev.org/blog/cleaning-up-after-wordpress-hack/
There’s tons more out there if you search for them.
What I do to prevent hackers:
1. Keep WordPress, plugins and themes up to date.
2. Make sure my server is always up to date with the latest PHP/modules.
3. I personally like iThemes Security Pro as my security plugin.
Hope this helps!