Manul - free antivirus for your website by Yandex

There is a folder in which they are uploaded, usually these are image uploads for posts (wp-content/uploads for wordpress)
So in this folder you need to kill the execution of scripts.
Add .htaccess file with content

Options None
Options +FollowSymLinks
RemoveHandler .php
AddType "text/html" .php .cgi .pl .fcgi .fpl .phtml .shtml .php2 .php3 .php4 .php5 .asp .jsp

Can use normal software without holes? You clean up the virus, but you don't close the hole. Maybe you downloaded scripts from a torrent, there are always viruses.
Use Aibolit, it will help in finding holes. Or contact its developer, he knows how to properly clean sites

1. Make sure that you DO NOT upload php scripts, from the word at all.
* Double-check all places where $_FILES is used.
* The rights of the created files are not higher than 644.
* Files with *.php extension must not end up in directories for uploaded files.
* When uploading, both extension and mime-type must be checked.
2. All your php files, with the exception of index.php, should not have permissions to run, 644 is quite normal.
3. Directories with php files should not have write access.
4. If you store the executable code in the database, don't do it.
5. Check the code for sql injections, everything that flies into the database must be checked.
6. Monitor suspicious traffic.

See HTTP, FTP and SSH access logs. In a very extreme case - full logging of traffic with subsequent analysis.

disable write permissions to all folders

clamav+maldet