Clean a hacked WordPress website

Use the online RedLeg fileviewer to scan the website in question for malware, malicious redirects, malicious scripts and other bad stuff.

Use the online deobfuscate JavaScript tool to deobfuscate JavaScript if scripts have been hidden.

Some good practices to keep your website free from hacks:

  • Update WordPress to the latest version
  • Keep the web server hosting WordPress up to date
  • Default admin login credentials (username/password) should be changed to unique and strong credentials
  • FTP server must have strong credentials
  • Use SFTP for file transfer to web servers
  • Maintain proper directory and file permissions on WordPress files
  • Backup your website daily
  • Secure your wp-config.php file
  • Disable file editing in the dashboard by adding the following to your wp-config.php file:
    define('DISALLOW_FILE_EDIT', true);
  • Install WordPress File Monitor Plus to receive notifications every time your files are edited
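
The script below is an added example, not part of the original post. It checks a WordPress directory for three items from the list: wp-config.php permissions, the DISALLOW_FILE_EDIT setting, and world-writable files. The function name `wp_audit` and the `FINDING:` output format are made up for this example, and the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. wp_audit and the "FINDING:" output
# format are names made up here. Returns 0 if clean, 1 on findings, 2 on error.
wp_audit() (
    root=$1
    cfg="$root/wp-config.php"
    rc=0
    [ -f "$cfg" ] || { echo "ERROR: $cfg not found" >&2; return 2; }

    # 1. wp-config.php holds the database password and auth salts: flag
    #    group-write or any permission bit for "other" (644, 660, 666, ...).
    bad=$(find "$cfg" \( -perm -0020 -o -perm -0004 -o -perm -0002 -o -perm -0001 \))
    if [ -n "$bad" ]; then
        echo "FINDING: wp-config.php is group-writable or accessible to others"
        rc=1
    fi

    # 2. DISALLOW_FILE_EDIT must be defined as true, with straight quotes, on
    #    an uncommented line. Curly quotes pasted from a web page fail here,
    #    because PHP does not treat them as string delimiters.
    q="['\"]" s='[[:space:]]*'
    re="^${s}define${s}\\(${s}${q}DISALLOW_FILE_EDIT${q}${s},${s}(true|TRUE)${s}\\)"
    if ! grep -Eq "$re" "$cfg"; then
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
        rc=1
    fi

    # 3. World-writable files or directories anywhere under the site root.
    ww=$(find "$root" \( -type f -o -type d \) -perm -0002)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FINDING: world-writable: /'
        rc=1
    fi
    return $rc
)

# Constructed demo tree: a wp-config.php with mode 644 and a curly-quoted define.
demo=$(mktemp -d)
printf '%s\n' '<?php' 'define (‘DISALLOW_FILE_EDIT’, true);' > "$demo/wp-config.php"
chmod 644 "$demo/wp-config.php"
wp_audit "$demo" || echo "audit reported findings (expected for this demo tree)"
rm -rf "$demo"
```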
