The site wasn't damaged, but the hosting company deactivated the site until I removed the files.
I already deleted the malicious files and one entire theme, to get multiple files. And I changed my site owner password. I will update my WordPress admin passwords later.
I also added the secondary security measures from the guide.
Hopefully that will help keep this from happening. Kind of bad timing for my site to be taken down, because I just made a release to an app and I was going to release a post about it. Also, there are a few pages that the app uses.
Oh well, hopefully they are quick enough to bring it back up.
I guess I will mark this as resolved.