site got hacked, found 1 script, 1 remaining — no idea where it is

Hi all: one of our sites has been hacked despite file and folder access being restricted, and running the latest version 2.9.2. I spent several hours last night basically re-loading wordpress from scratch while keeping only key folders, re-loaded plugins from scratch as well, and removed a malicious user admin that even found its way into the control panel.

Still, by checking with https://www.unmaskparasites.com/ our site still has a couple of bad links and a script that is malicious. Do scripts find their way into the database? Or could it be in the uploads folder where I think there are just photos?? (I did take a look and did not find anything).

As I’m working to resolve this issue, we’d really appreciate some guidance. Our site is lay li ta dot com, all attached and contains 3 wordpress installs: lay li ta dot com / recipes, / recetas, and /recettes.

Thank you so much in advance!
Nick