I hate to ask, but who are you hosting with, and is it shared hosting? If so, particularly with shared hosting there could well be some vulnerabilities in the hosting itself, with nothing you can do at your end.
I got caught like this a couple of times till I moved host. Eventually the host admitted that the hacks were coming because a member of staff's computer had a keystroke logger that allowed the hackers access. Edit - and I notice you're using the same host. They really should sort themselves out.
Having said that - there are a couple of things you need to do.
1. First and foremost, regenerate and reload the salts in your wp-config.php file. This will force anyone still logged on to log off. Use this site to generate the code you need:
https://api.wordpress.org/secret-key/1.1/salt/
2. Delete any users you don't recognise
3. Delete any plugins and themes you don't use.
Most script attacks hide backdoors in files that aren't routinely updated when you update WordPress, wp-config.php for example, or add another file that looks like it should be there, but in reality shouldn't.
This script will fix any script injection attacks that insert code using base64_decode, but be careful with it. It's worth what you paid, and some free themes use this function, which means it'll stop that theme working.
Site remediated by <a href="http://sucuri.net">Sucuri</a><br />
This script will clean the malware from this attack:
<a href="http://sucuri.net/malware/entry/MW:MROBH:1">http://sucuri.net/malware/entry/MW:MROBH:1</a>
<br />
<br />
If you need help, contact
support@sucuri.net or visit us at <a href="http://sucuri.net/">
Sucuri.net</a>
<br />
<br />
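<?php
// No execution time limit: the scan can be slow on a large site.
set_time_limit(0);
// Start from the directory this script is placed in.
$dir = "./";
// Strip the injected eval(base64_decode("aWY...")) block from every *.php
// file under $dir, editing the files in place (sed -i).
$rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1`;
echo "Malware removed.<br />\n";
// Delete the leading blank lines of every *.php file.
$emptyline = `find $dir -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.<br />\n";
?>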
<br />
Completed.
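
An added example, not part of the original post or of Sucuri's script: a read-only audit to run before the cleaner above. It lists files carrying the exact injected prefix separately from files that merely call base64_decode (which the post notes some free themes do), and backs up the flagged files first. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only audit to run before an in-place cleaner.
# SIG is the injected prefix that the sed command in the post targets.
SIG='<?php /**/ eval(base64_decode("aWY'

# PHP files under $1 that contain the exact injected prefix.
list_injected() {
    find "$1" -type f -name '*.php' -exec grep -lF -- "$SIG" {} + | sort
}

# PHP files that call base64_decode( without the injected prefix:
# possibly legitimate theme code, so these need a manual look.
list_review() {
    find "$1" -type f -name '*.php' -exec grep -lF -- 'base64_decode(' {} + | sort |
    while IFS= read -r f; do
        grep -qF -- "$SIG" "$f" || printf '%s\n' "$f"
    done
}

# Copy flagged files into backup dir $2, keeping relative paths, so the
# cleaner can be undone. Prints the number of files copied.
backup_injected() {
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$1"/}
        mkdir -p "$2/$(dirname "$rel")" && cp -p "$f" "$2/$rel" && n=$((n + 1))
    done <<EOF
$(list_injected "$1")
EOF
    echo "$n"
}

# Constructed sample tree (not real site data) used when no path is given.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/wp-content/themes/free"
    printf '%s\n' "$SIG"'_CONSTRUCTED_PLACEHOLDER"));?>' '<?php echo "home";' > "$d/index.php"
    printf '%s\n' '<?php $logo = base64_decode("aGk=");' > "$d/wp-content/themes/free/functions.php"
    printf '%s\n' '<?php echo "clean";' > "$d/wp-config.php"
    echo "$d"
}

# Audit the directory given as $1 (no trailing slash), or the sample tree.
target=${1:-$(make_sample)}
echo "Injected (signature match):"; list_injected "$target"
echo "Review by hand (base64_decode without the signature):"; list_review "$target"
```

Nothing here modifies the site: only `backup_injected` writes, and only into the backup directory you pass it.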