Cleaning up a hacked WP site is normally fairly simple: revert to a version from before the hack, which can be done from backups.
Hacks normally involve either modifying the WP/Theme/Plugin code directly, or getting into the database. So a restore would involve a full restore of both the database and the WP/Theme/Plugin files.
If the site has users with logins, that can be a source of the break-in, and forcing a reset of that login info might be necessary in the worst case.
Using Wordfence generally keeps an ordinary site pretty safe, as it can detect added or changed files that aren’t normally part of WordPress. It also does some login checking.
If you ever get a denial of service attack, that is a completely different animal than actual site hacking, but it can be prevented by using Cloudflare or another similar service. I’ve experienced a denial of service attack a couple of times, and Cloudflare blocked it very quickly. The basic Cloudflare service is free.
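
The idea of spotting added or changed files can also be applied by hand before a restore, by comparing the live site's files against a backup unpacked into a separate directory. The following is an added example, not part of the original post and not Wordfence's code; the function names and the sample file trees are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def compare_trees(baseline_root, live_root):
    """Return files added, changed or missing in live_root relative to the baseline."""
    baseline, live = hash_tree(baseline_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(baseline)),
        "changed": sorted(p for p in baseline.keys() & live.keys()
                          if baseline[p] != live[p]),
        "missing": sorted(set(baseline) - set(live)),
    }


def build_sample(root, files):
    """Write a constructed sample tree (not real WordPress code) under root."""
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo():
    # Constructed sample data: a "backup" tree and a "live" tree that differs.
    clean = {"index.php": "<?php // front controller\n",
             "wp-content/themes/sample/functions.php": "<?php // theme\n",
             "wp-content/plugins/sample/plugin.php": "<?php // plugin\n"}
    live = dict(clean)
    live["wp-content/themes/sample/functions.php"] += "// unexpected edit\n"
    live["wp-content/uploads/extra.php"] = "<?php // not in the backup\n"
    del live["wp-content/plugins/sample/plugin.php"]
    with tempfile.TemporaryDirectory() as b, tempfile.TemporaryDirectory() as l:
        build_sample(b, clean)
        build_sample(l, live)
        return compare_trees(b, l)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files uploaded legitimately after the backup was taken also appear under "added", so the output is a list to review rather than a verdict. It covers files only; changes made in the database are not visible to it.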