I guess the malicious code in the header starts with a php declaration
THEN you will probably find malicious code at the top of your htaccess, starting and ending with something like this: #336698. Delete everything.
Change the passwords for your control panel, database user (make them STRONG) and of course your admin account. Generate a new salt code and change it in wp-config.
Then you will probably find a lot of php.ini files in almost every folder. Delete them. You will also find php_errorlog(s) scattered around. Delete them.
Then you must re-download WordPress and your theme and your plugins. Start with your theme. Delete every file and upload fresh files. Do the same with WordPress, but be sure that you don't delete your wp-config. Then do the same with plugins. Deactivate and delete and re-upload and activate.
Open your wp-config and compare it with the sample wp-config. Any BIG differences? Be sure that no malicious code is left.
Delete ALL .TXT and readme.html and license files. (They provide hackers with detailed information about the versions of your WordPress and plugins, so they can use known vulnerabilities in order to destroy your site).
THEN you should add some serious htaccess-rules. Read more here:
OR you could install some security plugins like BulletProof Security or Wordfence. Go for the pro versions, it will not cost you anything compared to the time and hassle spent on cleaning your site.
With all these tasks accomplished, everything might be fine. For the future: Be SURE that you ALWAYS have the latest WP running and that you ALWAYS have the latest versions of plugins. When an update is ready, you should install it immediately.
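
The file hunt described in the steps above can be done as a report-only pass before anything is deleted. This is an added example, not part of the original post: the function names are hypothetical, the sample tree is constructed, and the .htaccess marker is assumed to be a line holding only `#` followed by digits, like the `#336698` mentioned above.

```shell
#!/bin/sh
# Report-only audit of a WordPress docroot for the leftovers named in the post.
# Nothing is deleted: review every hit, then remove it by hand.

# tag LABEL: prefix each path read from stdin with LABEL and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_wp_tree DIR: print one "CATEGORY<TAB>path" line per finding.
audit_wp_tree() {
    root=$1
    # php.ini files dropped into folders
    find "$root" -type f -name 'php.ini' | tag PHP_INI
    # scattered php_errorlog files
    find "$root" -type f -name 'php_errorlog*' | tag PHP_ERRORLOG
    # .htaccess with a marker line such as "#336698" (assumed: "#" + digits only)
    find "$root" -type f -name '.htaccess' \
        -exec grep -lE '^#[0-9]+[[:space:]]*$' {} + | tag HTACCESS_MARKER
    # files that disclose WordPress/plugin versions
    find "$root" -type f \( -iname '*.txt' -o -iname 'readme.html' \
        -o -iname 'license*' \) | tag VERSION_INFO
}

# count_findings DIR CATEGORY: number of findings in one category.
count_findings() {
    audit_wp_tree "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# make_sample_tree: build a small CONSTRUCTED tree for a dry run; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/plugins/demo" "$t/wp-includes"
    printf '#336698\nRewriteEngine On\n#336698\n# BEGIN WordPress\n' > "$t/.htaccess"
    printf '# BEGIN WordPress\n# END WordPress\n' > "$t/wp-content/.htaccess"
    : > "$t/php.ini"; : > "$t/wp-includes/php.ini"
    : > "$t/wp-content/php_errorlog"
    : > "$t/readme.html"; : > "$t/license.txt"
    : > "$t/wp-content/plugins/demo/readme.txt"
    : > "$t/wp-config.php"
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then audit_wp_tree "$1"; fi
```

Run it again after the cleanup: an empty report means none of these leftovers remain in the tree.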