Malware
Vlad, 2019-02-09 16:33:53

How to find a vulnerability on a website?

I have been fighting a virus on the site for more than a week now.
There is a redirect in htaccess.
I look at access.log to see which files were requested. I see that with the IP, which as a result of the htaccess rules, there were requests for different files. Among them there are virus files that were not previously on the server. As far as I understand, one file allows you to upload files to the server, and the other allows you to get information about users from the database.
After requests for these files, the hacker installs the WP file manager plugin and uploads a new htaccess to the server through it. After that, he leaves.
I delete all the files he requested, but before the end of the day they reappear in a new folder.
I changed the passwords for the server, FTP and MySQL.
AI-Bolit does not find these virus files because they are written in pure code without encryption.
I installed various WordPress plugins for protection; one of them is even supposed to block access to the admin panel by country.
Nothing helps.
Give me some ideas, please, how to find a vulnerability?
Here is the access.log: https://www.codepile.net/pile/p8BmY4OV. The last time, the hacker came in from IPs 146.185.158.9 and 104.131.176.234. Maybe I am not seeing something in the log.
It looks very much like a job done to order: I have found many different viruses on other sites before, but I have not encountered this one. The hacker not only puts in a redirect, but also sometimes removes different plugins.
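
The log review described in the question, as an added example (not code from any poster on this page): starting from the two IPs named in the post, it lists the unknown PHP files they fetched, every address that requested each file, and the POST requests logged shortly before the file's first appearance. The log lines, paths, `example-plugin`, the other addresses and the known-files set are constructed assumptions.

```python
import re

# Apache/nginx "combined" log format (assumed; adjust the regex if yours differs).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield one dict per parsable line, with the query string cut from the path."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]
            yield rec

def trace_dropped_files(lines, suspect_ips, known_files, window=20):
    """Map each unknown PHP file a suspect IP fetched (status 200) to its first
    hit, every IP that requested it, and the POSTs in the `window` requests
    before that first hit (candidates for the request that uploaded it)."""
    reqs = list(parse(lines))
    dropped = {r["path"] for r in reqs
               if r["ip"] in suspect_ips and r["status"] == "200"
               and r["path"].endswith(".php") and r["path"] not in known_files}
    report = {}
    for i, r in enumerate(reqs):
        path = r["path"]
        if path in dropped and path not in report:
            report[path] = {
                "first_seen": r["ts"],
                "ips": sorted({x["ip"] for x in reqs if x["path"] == path}),
                "posts_before": [(x["ip"], x["path"], x["status"])
                                 for x in reqs[max(0, i - window):i]
                                 if x["method"] == "POST"],
            }
    return report

# Constructed sample: only the two suspect IPs come from the post, the rest is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2019:10:00:01 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Feb/2019:10:02:11 +0300] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/7.58"
198.51.100.23 - - [09/Feb/2019:10:02:15 +0300] "GET /wp-content/uploads/2019/02/a1.php HTTP/1.1" 200 12 "-" "curl/7.58"
146.185.158.9 - - [09/Feb/2019:14:30:40 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
146.185.158.9 - - [09/Feb/2019:14:31:02 +0300] "POST /wp-content/uploads/2019/02/a1.php?act=up HTTP/1.1" 200 64 "-" "Mozilla/5.0"
104.131.176.234 - - [09/Feb/2019:14:35:10 +0300] "GET /wp-content/uploads/2019/02/b2.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()
SUSPECTS = {"146.185.158.9", "104.131.176.234"}
KNOWN = {"/index.php", "/wp-login.php"}  # assumption: paths taken from a clean install

if __name__ == "__main__":
    print(trace_dropped_files(SAMPLE_LOG, SUSPECTS, KNOWN))
```

In the constructed data the file `a1.php` was first requested hours earlier by an address that is not on the suspect list, right after a POST to a plugin script, which is the kind of lead that points at the upload path rather than at the later visits.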


3 answer(s)
Orkhan Hasanli, 2019-02-09
@azerphoenix

Hello!
1) Install the WordFence plugin and crawl the site.
2) Check the contents of the functions.php file.
3) If you have installed premium nulled plugins from unknown sources, remove them or at least look at where they include malicious code.

lamer350, 2019-02-09
@lamer350

For the scan I always use https://virusdie.ru
Scan, then remove the malicious code. You wrote above that there is no suspicious code. I have come across cases where the files weigh more than usual and there is no extra code, but it was somehow sewn into a file.

morricone85, 2019-02-09
@morricone85

Why can't you disable all plugins and check?
