Well, best solution would be to backup databases and clean everything and install up to date versions. But as I don’t know what they used to break in or how you install your software (you put in your own stuff or the hosting company provides the software?)
The thing is, when there’s a break in they hide a bunch of stiff. That’s why its best to clean everything. Try to look hidden files, but in some break ins they can actually manage to hide all that.
If you can’t do that, well look for new users added into the database and modify every password.

For the future, always try to update software to latest versions.