The site redirects to a poker page. Or Google warns visitors with a red screen. Unknown files appeared in wp-includes. It doesn't really matter exactly what happened; the cleanup process is the same.
Step 1: take the site offline
Put up a maintenance page or block all traffic via .htaccess. Every minute the site stays up, it's potentially spreading malicious code to visitors. Act fast.
Step 2: back up everything
Yes, even the infected version. You may need to analyze exactly how they got in to prevent it from happening again.
Step 3: identify the breach
Run find . -mtime -7 -type f to find files changed in the last week. Search for base64-encoded PHP (base64_decode), eval() calls, and files with strange names in wp-includes or wp-admin. They shouldn't be there.
Check .htaccess for unauthorized redirect rules. Check wp-config.php for injected code at the top or bottom.
Step 4: clean up
Download a fresh copy of the exact same WordPress version. Replace wp-admin and wp-includes entirely. Go through wp-content manually: replace plugins and themes with fresh downloads, and review the uploads folder file by file (PHP files have no business being in uploads).
Step 5: change everything
All passwords. Database, FTP, WordPress admin, hosting panel. All of them. Generate new salts in wp-config.php. If the attacker had database access, they may have created an admin user you don't see; check the users table directly in the database.
Step 6: prevent
Install Wordfence. Enable 2FA. Update everything that's outdated. And figure out how they got in, or it will happen again.
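The searches from Step 3 and the uploads check from Step 4 can be scripted so they run the same way every time. The script below is an added example, not part of the original article; the function names, the triage.sh filename and the sample tree are assumptions made up for illustration.

```shell
#!/bin/sh
# Added triage sketch for Steps 3 and 4. Read-only: it lists leads for manual
# review and changes nothing. Run it against the backup copy from Step 2.

# Files modified within the last N days (default 7, as in Step 3).
recent_files() { find "$1" -type f -mtime "-${2:-7}" | sort; }

# PHP files that call base64_decode( or eval(. Legitimate plugins use both,
# so every hit is a lead to read, not a verdict.
suspicious_php() {
    find "$1" -type f -iname '*.php' -exec \
        grep -lE '(base64_decode|eval)[[:space:]]*\(' {} + | sort
}

# Executable PHP under wp-content/uploads, where none belongs (Step 4).
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# Redirect and rewrite rules in every .htaccess, as file:line:text, to compare
# against the rules you know you configured.
htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec \
        grep -HnEi '^[[:space:]]*(Redirect|RewriteRule|RewriteCond)' {} + | sort
}

# Build a small CONSTRUCTED tree for a dry run; every file here is made up.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2024"
    printf '<?php // clean core file\n' > "$d/wp-includes/version.php"
    touch -t 202001010000 "$d/wp-includes/version.php"   # old mtime
    printf '<?php eval(base64_decode($x)); ?>\n' > "$d/wp-includes/wp-tmp.php"
    printf '<?php echo 1; ?>\n' > "$d/wp-content/uploads/2024/img.php"
    printf 'RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R,L]\n' \
        > "$d/.htaccess"
    echo "$d"
}

triage() {
    echo "== modified in last 7 days ==";  recent_files "$1"
    echo "== base64_decode / eval ==";     suspicious_php "$1"
    echo "== PHP in uploads ==";           php_in_uploads "$1"
    echo "== .htaccess redirects ==";      htaccess_redirects "$1"
}

# Usage: sh triage.sh /path/to/site-copy
if [ -n "${1:-}" ]; then triage "$1"; fi
```

File modification times can be altered, so treat the recent-files list as one lead among several rather than a complete inventory.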