There is a canonical question entitled "How do I deal with a compromised server?". Since you are on a shared host, there are some limitations to what you can do. I still strongly recommend you to read the full accepted answer.
Below I will discuss how this applies to your situation (i.e. on a shared hosting). Quotes are from the mentioned answer.
1. Take your site down.
Whatever other problems you have, leaving the system connected to the web will only allow the attack to continue.
You can not know for sure that you have removed all infections. At this very moment you might unkowingly be spreading malware to your users!
2. Damage control.
Change all your passwords for all accounts on all computers that are on the same network as the compromised systems.
Check your other systems. Pay special attention to other Internet facing services, and to those that hold financial or other commercially sensitive data.
If the system holds anyone's personal data, immediately inform the person responsible for data protection (if that's not you) and URGE a full disclosure.
3. Try to figure out what happend.
If you just put your site back up as it were, the same thing will just happend again. You need to try to understand what went wrong.
With shared hosting this can be hard, since it is possible that the hackers used an exploit in the server software itself or in some other persons account. You will need to contact your hosting provider and get them to help you with this. It can not be taken for granted that they will cooperate. If they do not, I recommend you to read your contract and possibly contact a lawyer to find out what rights you have.
However, you can examine some things on your own - namely your own site. Go through all the software you run (WordPress, Magento etc). Are you running the latest versions? Are you running any plugins? Are there any known security holes in the versions or plugins you are running? Especially WordPress plugins are frequent offenders when it comes to security.
There is some limited forensics you can do on your own. If you have backups, compare them to see what files have been changed at what time. The injected JavaScript you discovered might not be the only thing the attackers changed. There might have been multiple changes at multiple times (possibly by multiple attackers), so you can not know for sure that the date when the JavaScript files were changed was the date of the initial breach.
Especially if you run a lot of your own code, you might want to do a more detailed pentest to find any vulnerabilities.
4. Consider new hosting.
Especially if the breach was "their fault" or they did not help you to determine the cause of the breach, it might be time to move to new hosting. As others have mentioned, a VPS is more secure but can also require more effort on your part to run.
5. Get your site back up again.
Restore static files from a backup before the breach. Reinstall all software, and only use the latest versions. So dont just copy paste the files from your old vulnerable WordPress installation back up to the server from a backup.
And obviously, fix any problems discovered during step #3.