Firstly, if you have a backup make sure you wipe your slate clean and roll back to your backup to prevent any backdoors from remaining in your account. 

You should also change all your passwords, especially your FTP passwords and stop saving any passwords in your web browsers and FTP clients. 

After that, make sure that all Security Patches are already applied to your Magento store:-

https://www.magentocommerce.com/download

Finally, make sure that the themes and extensions that you use are secure and up to date. 

@stevensiuhung

Whatever JLHC, suggested you should do that. Apart from those things mentioned do following also.

1) Delete any suspecious files from magento root.

2) Do not use magento admin path as default admin, change it to some custom name.

3) Instead of using FTP use SFTP which is more secure.

4) Block downloader on the production site.

5) Delete all the unneccessary Magento admin users as well as roles created.

6) Use two factor authentication for the admin login or restrict admin login to particular ip addresses only.

7) Do not forget to apply all the recently released security patches released by Magento.

8) Also after rolling back to a backup version apply proper file and directory permissions.