This could be happening for a number of reasons. You probably have some old, vulnerable code on your site, but finding exactly what it is may be difficult. It is likely a plugin or theme, though it could also be vulnerable code elsewhere in your account (not necessarily in the affected WordPress site). Another possibility is that your hosting username and password have been compromised through malware on a machine you used to access your account. For this reason, I suggest you update anti-virus software and update the passwords associated with your GoDaddy.com hosting account and your WordPress site.
As for fixing your site, the best way to address this is to completely clear your account of all files and install a fresh instance of WordPress so you know it’s clean. Before you clear the files, you would backup your site’s database, the uploads folder, and any other files you customized (like your theme’s css files). Check the uploads folder to make sure only images (and any other file you might have uploaded for your site) are there. If you find rogue php files, they should be cleared too.
If you’d prefer that Go Daddy’s Security Team investigate the cause and assist you with cleansing the site, we do offer a Security Scanner service. You can learn more about this service at https://x.co/bPMW
