If you have access to your wordpress server via ssh, there some bash command that you can run to check if your files are infected with malware. This can be very helpful if you host a whole bund of sites on the same server.
Using Obfuscalp.
Obfuscalp is an open source php tool to finds and removes obfuscated suspicious/malicious code planted inside PHP and other scripts.
git clone https://github.com/Orbixx/Obfuscalp.git
cd Obfuscalp
php find.php /path/to/a/bunch/of/php/sites > infected.txt
...
Processed 3950000 files, found 30
Processed 3960000 files, found 30
Processed 3970000 files, found 30
php remove.php infected.txt
...
Processing file 28 of 30 (%93.33)
Processing file 29 of 30 (%96.66)
Processing file 30 of 30 (%100)
Find and delete any php files in upload folder
find wp-content/uploads/ -name "*.php" -type f -delete
remove text and html files
find . -name "*.txt" -type f -delete
find . -name "*.html" -type f -delete
look for .js.php extension files
find . -name "*.js.php" -type f
look for files that are updated in the last 60mins
find -iname "*.php" -type f -amin -60 # access time
Look for commonly injected scripts
find . -name "*.php" -type f -exec grep -q "function setCookie(a,b,c)" {} \; -print
find . -name "*.php" -type f -exec grep -q "@$GLOBALS[$GLOBALS['l8f127f'][89].$GLOBALS['l8f127f'][28].$GLOBALS['l8f127f'][22]" {} \; -print
find . -name "*.php" -type f -exec grep -q "\x47L\x4fBA\x4c\x53" {} \; -print
find . -name "*.php" -type f -exec grep -q "$sab=$_COOKIE;\x0d\x0a$jiu=$sab[qsll]" {} \; -print
Once you have clean all the files and backup, secure the files and directory with the correct permission.
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
These are just some of the scripts that I used, I will be updating once I got some new sits to clean up.