It isn’t uncommon to see people claiming that certain software is the cause of their website being hacked based solely on malicious code being found in a file from the software. In reality, the files being impacted by malware usually have no connection with the cause of the hack. Instead, once the hacker has the ability to modify existing files, they can usually change any files. Sometimes hackers will modify all the files of a certain type. Other times, they will modify random files. They may also add new files in random locations.
There is one major exception to this. If a hacker gains access to the website through a vulnerability that allows uploading files to a certain location, then finding malicious files there is a strong indication that the vulnerability was the cause.
While the location of malicious code likely doesn’t tell you how the website was hacked, log files can go a long way toward telling you that. That depends on having logging for the method of access the hacker used and on that logging still being available for the time when the website was hacked. If a hacker got in through FTP access, but you don’t have a log of that, then you are out of luck. If the hacker originally got in months ago, but the hack was only spotted recently, there is a good chance that the logging is no longer available.
Even if you have logging available that would show the source of the hack, you need to be able to pick that out of the logging data. That is where having someone who does that on a regular basis will produce better results than trying to review the logging yourself.
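As an added illustration (not code from the original post), the sketch below first checks whether the available access log still covers the time a malicious file was modified, then pulls out the successful write-type requests close to that time. It assumes the Apache/nginx combined log format; the function names, sample log lines, and timestamp are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: Apache/nginx "combined" access log lines.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample data: documentation IP ranges and made-up paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Mar/2024:10:14:55 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2024:10:15:02 +0000] "POST /example-upload.php HTTP/1.1" 200 310 "-" "curl/8.0"',
    '198.51.100.7 - - [02/Mar/2024:10:40:00 +0000] "POST /contact.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [03/Mar/2024:08:00:00 +0000] "GET /about.html HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]
# Constructed modification time of a file found to contain malicious code.
SAMPLE_MTIME = datetime(2024, 3, 2, 10, 15, 3, tzinfo=timezone.utc)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": int(status)}

def review(log_lines, file_mtime, window=timedelta(minutes=5)):
    """Check log coverage of file_mtime and list nearby write requests.

    A modification time can be changed by whoever can write the file,
    so the candidates are leads to review, not proof of the cause.
    """
    entries = [e for e in map(parse_line, log_lines) if e]
    if not entries:
        return {"covered": False, "candidates": []}
    first = min(e["time"] for e in entries)
    last = max(e["time"] for e in entries)
    candidates = [e for e in entries
                  if e["method"] in ("POST", "PUT") and e["status"] < 400
                  and abs(e["time"] - file_mtime) <= window]
    return {"covered": first <= file_mtime <= last,
            "first": first, "last": last, "candidates": candidates}

if __name__ == "__main__":
    result = review(SAMPLE_LOG, SAMPLE_MTIME)
    print("log covers modification time:", result["covered"])
    for e in result["candidates"]:
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

If `covered` comes back false, the log no longer reaches back to the modification time, which is the "out of luck" case described above.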