My website (wordpress) was hacked.

A lot of files including .htaccess was modified  from IP address 76.111.250.149. The file google_verify.php was also uploaded from that login. If you login the webpage, a malicious script was attached at the bottom of each page.

[Edit: Removed the potentially malicious script to conform with Participation Guidelines  and Terms of Service ] 

After I updated the whole wordpress files, the most page bacame normal. No malicious script. But when I access admin page, the script still appears on the source page.

Everytime I access the page with malicous script, a remote attach was detected by Nornon as blackhole toolkit website 5 attack. The attacker's IP is 95.85.149.31

Anyone knows what's the hack and attack for?