in general, some kind of backtrack is installed

Wordpress is quite often hacked, and mostly due to installed add-ons that the user does not update. In December, a vulnerability was found in a popular module (a text editor, I don’t remember exactly which one), through which bots upload shells to servers.
If you really uploaded it through a vulnerability in Wordpress or its add-on, then you can search through files using find, something like this:
find /WWWDIR \( -name "*.php" -o -name "*.html" -o -name "* .htm" \) -exec egrep -Hni 'gzinflate\(base64_decode|eval\(base64_decodeshell_exece|doced_46esab|eval\(' {} \; | cut -c 1-150
WWWDIR — directory where your site is located.
I advise you to check in the Apache settings (if there is no nginx distributing statics in front of it), whether there are files like *.png, *.html, etc. x-httpd-php Aplication Type, and also check in .htaccess via find
find /WWWDIR -name ".htaccess" -exec egrep -iHnr 'application\/x-httpd-php .*(gif|html|jpeg| jpg|doc|txt)' {} \;
You can scan just do all the files.
If you have a lot of sites on your Apache server and they all work as a single user, you need to scan all sites :)
If it was hacked via ssh, it’s harder, in any case, it’s worth checking who was last connected to the server and from where.
Yes, it is desirable to have access to the server via ssh :)

install snoopy, if a live person does ssh with his paws, it will light up.
If via http, carefully read the web server logs.

Fighting hackers on the server is easy: set up a firewall, regularly update all software (especially the one that looks outwards), set up an intrusion detection system, read logs, read the security mailings of the software you use. If you do not know how, or there is no way to hire a competent specialist, then give up, you will not succeed. THERE WILL BE NO BALLS! And in a nutshell to describe the solution to your problem here in the comments is unlikely to succeed.

If there was a rootkit on the server, then the author of the topic would not have found anything.
By all external signs, a robot is working that does not have root rights.
The most likely scenario is that an automatic scanner found a leaky wordpress, flooded it, flooded the standard set, like some kind of irc server thread. Launched as the user from which the web server is running.
It is possible that the entry in the crontab is registered from him.
Check all processes started by the user from which you are running the web server. I'm sure you'll find something weird like apache3 or crond.
Such compromises have already passed through me with two dozen.

no one will do anything at your personal request, there would be a chance if you were in the same country, otherwise it’s a dead number, IP in general is most likely a VPN, the Netherlands is a very popular country with tons of double / triple and so on VPN offers. The maximum that they can do after a request from official bodies (which is again almost impossible to achieve) is to close this vpn account for him and make a new one :) hopelessness

If I were you, I would first try to determine how these actions are performed, for this I would enable additional logging, and would look for events in the logs with the time the file was modified. If it's a script, then it would parse its contents. It is difficult to give any recommendations without knowing the exact task, unfortunately.

First of all, update Wordpress and all its modules. Change passwords to the server. Save the logs of the web server, ftp daemon, auth.log (ssh logins)
Second, take a closer look at the web server logs. get the information you need. Namely, attempts to flood the web shell. You can navigate by the time of creation / modification of files in the web shell
. Thirdly, send the “necessary” cutting from the logs as an abuse. Where to send - you will find information in whois'e by ip. Look at technical/abuse contacts.
Fourthly, put the police of the country to which the individual entrepreneur belongs to the copy of the abuza letter. This will speed up the consideration of the abuse
- Then improvise

Something seems to me that they break you not through the holes of WordPress, but stupidly through FTP.

You may have a rootkit on your server. That is, the attacker has gained full access to the server with administrator rights, and no matter what you do, he can change it at any time. There is only one way to deal with rootkits - ask the host to completely clean the disk and install a new version of the operating system from scratch (after which you will need to install and configure the web server and return all files with code and data to their place). That is, if you have a rootkit, you will have to spend time and money.
If there is no rootkit, then the situation is better. In this case, most likely, you have a backdoor left, but it does not give administrator rights. It is necessary to double-check all files with the code for changes, delete everything suspicious. Recheck all configs for changes. After that, monitor the logs to see through which vulnerability the attacker gets to the server. Logs, of course, not only the web server, but also auth.log, cron logs (since an attacker could leave his script in the crontab). A thorough check, again, will take time and money.
By the way, a backdoor can also be hidden, for example, in a WordPress theme or plugin - there are such cases.
> since the admin could not even provide IP addresses, he says there is nothing in the server logs, it is not clear where to look in the http logs
Most likely, he is simply not qualified for the task.
Also, to combat vulnerabilities in web scripts, you can try to apply various restrictions on the server like safe_mode, disable_functions, but these are all crutches, in a good way, you should not install dubious open source scripts in an openly accessible folder.
>. The IP of this server is in the Netherlands, most likely it has a proxy or some kind of backtrack installed there. I didn't find this server in public proxy lists, I think it's my own. And on this I ran into a wall, and now I can not imagine what to do next.
Of course, you can write a complaint to that hoster in the Netherlands (by attaching logs where you can see when they visited yours from this server), but this may turn out to be a bulletproof (that is, created by criminals) hosting that will not give out its own. In this case, only law enforcement agencies can help you. but would they want to do it? Unlikely.

Install wordfence. It checks the hashes of the files against the repository to get rid of the problem of system files being modified by the wicked.