Hi @michalraph, sorry to see you’ve been having issues for such a long time.
I don’t know about everything that has been attempted each step of the way, but I can try to make some suggestions. If a site backup has been eventually used at every stage, there’s a possibility that the backup(s) already had some malware inserted that allows it to regenerate even if the site is completely reinstalled first. However, this might not apply if you’ve tried a complete rebuild with no reuse of previous content.
If you have tried installing entirely from scratch with no backup restore, a compromise could be coming from another attack vector. I would always recommend updating your passwords for your hosting control panel, FTP, WordPress admin users, and database no matter where you think the threat may have come from.
Our site cleaning instructions may have some steps that could’ve been missed or help you reference things you’ve already tried: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
As Wordfence sounds from your description like it’s detecting the malware, it could be worth speaking to your host to see if server logs or other access logs could point to a clear point of entry or suspicious activity.
XML-RPC requests are one of the most common brute force/credential stuffing attack methods, so we always recommend using long unique passwords along with 2FA for your administrative accounts.
Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.
If you are unable to clean the site fully, Wordfence does offer a service if others haven’t been effective but ultimately that choice is yours. If you do wish to discuss this, I can’t go beyond our free plugin here on the forums so please contact presales @ wordfence . com.
Many thanks,
Peter.
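
One way to act on the suggestion above about checking access logs for XML-RPC and login brute-force activity, as an added example that is not part of the original post or Wordfence's own code. It assumes the host provides access logs in Combined Log Format; the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# WordPress endpoints that accept credentials.
AUTH_PATHS = ("/xmlrpc.php", "/wp-login.php")


def auth_post_counts(lines):
    """Count POSTs to WordPress authentication endpoints per (ip, path)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path in AUTH_PATHS:
            counts[(m["ip"], path)] += 1
    return counts


def suspicious_clients(lines, threshold=5):
    """Return {ip: {path: count}} for clients at or above threshold (assumed value)."""
    flagged = {}
    for (ip, path), n in auth_post_counts(lines).items():
        if n >= threshold:
            flagged.setdefault(ip, {})[path] = n
    return flagged


# Constructed sample log lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Mar/2024:04:12:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"' % s
     for s in range(8)]
    + ['198.51.100.20 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.20 - - [10/Mar/2024:09:30:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       '192.0.2.44 - - [10/Mar/2024:10:00:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
       'malformed line without the expected fields']
)

if __name__ == "__main__":
    for ip, paths in suspicious_clients(SAMPLE_LOG).items():
        print(ip, paths)
```

Comparing the timestamps of flagged clients with the time malware reappears can help narrow down whether stolen credentials are the point of entry.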