some basics on wordpress hackers
Found this useful comment on Reddit:
It seems that it is an apache vulnerability: if the site needs to be writable to write file uploads, then apache can be told to write a script into one of those writable folders, such as wp-content. Set the edit permissions on the site to mode 755 -R until you want to upload something. Wordfence however needs its cache to be writable so set that to 777. Meaning you can basically then assume that the "Viruses" will only appear in there.
The "viruses" are almost ALWAYS seven or eight gibberish characters followed by php. Such as ubzrvgwk.php or ivpuudgx.php. Generally if you run find -name "????????.php" on the folder you'll see non-english filenames and if you view them they contain attack code. Delete them.
Install wordfence-cli and get a wordfence API key. Then run it as follows:python wordfence-cli/main.py scan /var/www/
Every day just login and delete stray admin accounts if you see them. Look at your posts for javascript video icons, those are the viruses that spam your site.
The problem fundamentally is the wordpress database password is cleartext in a known file location so any uploaded script can just read that and run any sql command. Wordpress seriously needs to use password shadowing or something.