FYI, .htaccess and wp-config.php file permissions can be safely and more securely set to 444. It's one of the steps that the iThemes Security plugin takes to secure a site (a highly recommended free plugin).
After a hack I usually delete and replace all WordPress core files and folders except the wp-content folder. Then I download current versions of all plugins and delete and replace those folders. If working with a theme that hasn't been customized - download and replace that too. Then manually scan any theme customizations/child theme folder and then the uploads folder. This assumes that everything was kept current. Then I install iThemes Security and secure the site going forward.
As you've done - always a good idea to reset all passwords for WordPress and the hosting account. Passwords that are not even close to being secure enough are a hacker's dream. I always use a password generator set at a minimum of 15 characters - Symantec's is good.
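A read-only audit of the two checks mentioned in the post above (444 on .htaccess and wp-config.php, and a review of the uploads folder), added here as an example and not part of the original post. The function names are hypothetical, the sample site is constructed, and treating any PHP-type file under wp-content/uploads as needing review is an assumption that uploads holds media only.

```shell
#!/bin/sh
# Added example (not from the post): audit a WordPress root for the two checks
# the post describes. Read-only apart from the constructed demo tree.

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# One "MODE <octal> <path>" line for each of .htaccess / wp-config.php
# that exists and is not 444.
audit_modes() {
    for am_f in "$1/.htaccess" "$1/wp-config.php"; do
        [ -f "$am_f" ] || continue
        am_mode=$(file_mode "$am_f")
        [ "$am_mode" = "444" ] || echo "MODE $am_mode $am_f"
    done
    return 0
}

# One "SCRIPT <path>" line per PHP-type file under wp-content/uploads.
# Assumption: uploads holds media only, so any script there needs manual review.
audit_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        | sort | sed 's/^/SCRIPT /'
}

# Constructed sample site: wp-config.php at 644, .htaccess at 444,
# one image and one PHP file in uploads.
make_constructed_site() {
    mc_root=$(mktemp -d)
    mkdir -p "$mc_root/wp-content/uploads/2024/01"
    : > "$mc_root/.htaccess";      chmod 444 "$mc_root/.htaccess"
    : > "$mc_root/wp-config.php";  chmod 644 "$mc_root/wp-config.php"
    : > "$mc_root/wp-content/uploads/2024/01/logo.png"
    : > "$mc_root/wp-content/uploads/2024/01/cache.php"
    echo "$mc_root"
}

# Audit the path given as $1, or the constructed sample when none is given.
site_root=${1:-$(make_constructed_site)}
audit_modes "$site_root"
audit_uploads "$site_root"
```

Pass the WordPress root as the first argument to audit a real site; an empty result means both files are 444 and no PHP-type files were found under uploads.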