I'm not sure about the rest of your site, but after updating the cms files, the cms portion will be ready to update to php7.
You definitely want to delete the haxor.php file, hopefully you don't have any more somewhere that would keep your security breached. Realistically I doubt the security hole is directly related to your php version. That sounds like a cop out by your hosting company, but clearing it out and using the latest version won't hurt.