Hi @farhannaseem
Please follow our site cleaning guide below:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
To prevent unauthorised logins please do the following:
1) Make sure all admin accounts and those with high-level access. e.g. with publisher access, use a very strong password – WordPress can auto-generate a very strong password for you on an account page.
We recommend that all users with high-level access use a password manager such as 1password.com to store their complex passwords that are exceedingly difficult to remember.
2) Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page:
https://www.wordfence.com/help/firewall/brute-force/
These rules also protect the WordPress XML-RPC interface:
https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/
3) Enable two-factor authentication for administrators and those with high-level access e.g. with publisher access. This feature is on the Login Security page. Instructions are in the link below:
https://www.wordfence.com/help/tools/two-factor-authentication/
4) If there are a large amount of login attempts for the same username coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the Login Security >> Settings page.
https://www.wordfence.com/help/login-security/#captcha-options
