Hi there,
This can happen to WordPress sites for a couple reasons.
a) The quality/security of your hosting. For example, GoDaddy shared hosting gets hacked quite frequently in my experience.
b) WordPress/plugins/themes haven’t been kept up to date. WordPress is always releasing security updates that patch security holes that hackers find.
What you can do:
Contact your host and ask them to remove the affected files. Then change all of your passwords and login to WordPress to perform all updates.
If it happens again, I would consider looking for a new hosting company.
Let me know if you have any questions!