The type of hack can be different. There are variants that you notice immediately and others that run in the background, so that you rarely notice them, unless you regularly check all subpages of a website.
How: The procedure is often the same, vulnerabilities in outdated WordPress version or an outdated plugin can ensure that hackers get on the website. Also outdated scripts in purchased themes can be a cause. Often, a hacker is also not targeted to a website, but uses tools that common security vulnerabilities in websites tried to spy and when a hit automatically infiltrate this website. This often results in script injections, i.e. the insertion of scripts that either read user data or redirect website visitors to other websites. In the worst case, malware is deposited on the website, which the visitor inadvertently downloads.
In general, if a website has been hacked, ideally a backup should be made and then the system updated. Changing all access data (backend, database, etc.) is also important.
Search: If you want to search for the problem, a general guide is not possible, because these scripts or malicious code can be stored anywhere. In an existing file, in a new file or directly in the database. It is helpful if you have found the problematic code e.g. in the source code, so that you already know what to look for. One possibility is to search on the server for files whose modification date matches the hack date, provided that you can determine the exact time period of the hack with some degree of certainty.
Helpful in the search can be https://sitecheck.sucuri.net/, in addition, there is also a WordPress plugin for this. I also had good experiences with the Quttera Web Malware Scanner https://wordpress.org/plugins/quttera-web-malware-scanner/. Often you can determine the problematic file or files or at least give an approximate hint about it.