SEO best practice fo a Wordpress Site got hacked

Hi, guys!

Yesterday a friend called me telling that her site was hacked and now has 400k+ e-commerce pages that don't belong to the site, and these pages are now indexed by google and she can see them in Search Console.

She cancelled all the pages that now give 404 error.

She asked me how to make 301 redirect for all those pages.

I advised her against the redirects, and suggested:

1 - First of all, find the vulnerability (they have 100+ plugin installed, most of which she doesn't even use, maybe one of them was infected?) and try to cancelled it;

2 - After that, disallow all the subfolders containing the fake pages in the robots.txt

Is that all? Now she has to wait that Google deindexes all those pages or she has to do something elese?

I know there is a command in search console to try to deindex pages but reading on internet not all SEOs suggest to use it...

What are the best practices in these cases?

Thank you all!

P.S.

Sorry for my poor english