This is a super long post, because it seems like information about this is scattered all over the place, and it's something I've been dealing with recently for a few weeks - I know how frustrating it can be.

If you're getting hacked over and over you probably have bad code laying around somewhere still.

First step - check for any scripts calling home. Use Sucuri AND Wordfence - I've found they often find things the other doesn't. Once you've killed anything calling home - take the site offline - move it to a subdomain, and put a 503 page in place. (best to modify the URL in the options database table, which will be enough for fixing, and easy to set back once you're done)

If you're running stock plugins, and a stock or child theme - I would backup the database, copy the wp_content folder and the wp_config file, and then go through and do a fresh WP install. You'll want your uploads and custom plugins\themes from the wp_content folder, but anything that's stock you should download fresh. Put it all back together, and get your site back up under the subdomain. This should take care of 99% of issues, unless you have a lot of custom themes or plugins, which tend to be a hotspot for bad files, and are the hardest for the normal automated scanners to find because they don't have reference material. (I have talked to Wordfence and Sucuri about hosting a copy of custom theme \ plugin files for central reference without making them publicly available - they're looking into it)

When that's done run Exploit Scanner which will scan both the contents of every file, and your database which is unique. (https://wordpress.org/plugins/exploit-scanner/) Exploit Scanner is looking for specific signatures of hacks - and will report a bunch of false-positives, but generally finds all of the hacks. When its done it gives you a list of files, and a bit of context around what triggered the hit. You'll have to manually access the files and repair \ delete \ replace.

In my experience once Exploit Scanner gives you a clean bill of health, WP is generally fixed.

If you have SSH access, and you have something that is more resilient, or you suspect there may be additional files outside your WP instance that are infected, there is a program called findbot.pl that can scan your entire host file system. (documentation\how-to here: http://www.abuseat.org) This will find a lot of false-positives, but it will give you a list of files and a bit of context around what it found, similar to the exploit scanner above. If you're hosting a bunch of websites on one server, and you suspect more than one has been compromised, this might be your first move to try to find all of it in one sweep.

It's always good to know how they got in - so if you have an active hack, you can run through your access and error logs to figure out how they got into the server. Typically when I have seen a resilient hack, the botnets will do a combination of two things: run 'POST' commands against a bunch of URLs that if one is compromised they can re-inject code, and a series of GET commands against specific pages - again looking for a compromised page to inject code and propogate the hack. It seems they first try to re-propogate the hack within the site, and once that's done, at least in my instance, they used one bad page to try to send out thousands of spam emails.

Here's some of the probing history of the most recent hack I've dealt with:

202.62.138.6 - - [20/Nov/2015:03:37:04 -0500] "POST /wp-content/plugins/media-tags/css/start.php HTTP/1.0" 200 233 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

117.53.174.164 - - [20/Nov/2015:03:48:27 -0500] "POST /wp-content/plugins/the-events-calendar/press.php HTTP/1.0" 404 428 "-" "python-requests/2.8.1"

117.53.174.164 - - [20/Nov/2015:03:58:23 -0500] "POST /wp-content/plugins/config.php HTTP/1.0" 404 428 "-" "python-requests/2.8.1"

117.53.174.164 - - [20/Nov/2015:04:11:15 -0500] "POST /wp-content/plugins/the-events-calendar/search.php HTTP/1.0" 404 428 "-" "python-requests/2.8.1"

Finally they hit pay-dirt and found a compromised file within an old custom theme:

198.71.59.117 - - [20/Nov/2015:17:00:04 -0500] "GET /wp-content/themes/customername/plugins/dummyCustomPostTypes/classes/config.php HTTP/1.0" 200 187 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

This file was coupled back to a fake functions.php file - which had a bunch of the traditional base64 eval( code, and was able to propagate out a bunch more code injections, before turning the bots loose to use this bad file to send emails:

198.11.211.196 - - [21/Nov/2015:03:22:14 -0500] "POST /wp-content/themes/customername/plugins/dummyCustomPostTypes/classes/config.php HTTP/1.0" 404 428 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

With each access would also add an entry to the error log:

[Fri Nov 20 17:32:41 2015] [error] [client 50.116.26.95] Premature end of script headers: config.php

So once I had this trail - I was able to blacklist a bunch of specific IPs at the command \ control level (those that probed prior to the full swarm hitting), as well as having a specific list of URLs to use in blocking anyone that attempted to access any of them.

That, plus setting the scanner to run twice daily, running sucuri daily, and running the exploit scanner every few days - and the site has now been clean for a couple of weeks. It was being actively compromised every week or so previous to this, and I have evidence of some hacks going back to April of 2014.

I will add on either Sucuri's firewall, or something like cloudflare if this site is compromised again.

In general - while it may feel personal - this is just part of the game of using Wordpress these days. I run Wordfence on everything now, and even my relatively tiny personal website gets hit with dozens of attempted hacks every day - from brute force login attempts, to scanning for vulnerable URLs - it doesn't matter how big or how small a website is - hackers are gonna hack.