Igor, 2016-04-05 01:00:54

Unauthorized access to the site, how to protect yourself?

Hello!
A suspicion arose that attackers gained access to the site's distribution kit.
I checked the hosting with an antivirus (ClamAV); nothing was found.
I changed the passwords for the admin panel and FTP.

The hoster recommends checking the scripts, but I don't know how to do this.
It may have been accessed using a web shell.

Please tell me how to stay safe and how to check.

5 answer(s)
ThunderCat, 2016-04-05
@ThunderCat

If there is a backup, or the original code that is not uploaded to the server, download the files and check whether they match (for starters, at least in size). If everything is OK, check more seriously: check file modification dates on the server and check for content matches. A utility for checking file hashes flashed by somewhere; google it.
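
An added example (not part of ThunderCat's answer and not one of the tools named on this page): one way to run the comparison described above, hashing every file in a known-clean copy and in the copy downloaded from the server. The function names, directory layout and sample file contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file path (relative to root) to (size, SHA-256 hex digest)."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):  # record the link target, do not follow it
                result[rel] = (-1, "symlink:" + os.readlink(full))
                continue
            with open(full, "rb") as fh:
                data = fh.read()  # site scripts are small; read whole file
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare_trees(clean_root, live_root):
    """Diff live against clean; same_size_changed = hash differs, size equal."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    changed = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    return {
        "added": sorted(live.keys() - clean.keys()),    # absent from the backup
        "missing": sorted(clean.keys() - live.keys()),
        "changed": changed,
        "same_size_changed": [p for p in changed if clean[p][0] == live[p][0]],
    }


def demo():
    """Constructed sample trees: a clean backup and a modified live copy."""
    clean = {"index.php": b"<?php home();", "lib/db.php": b"<?php $p = 3306;", "robots.txt": b"ok\n"}
    live = {"index.php": b"<?php home();", "lib/db.php": b"<?php $p = 3307;", "uploads/cache.php": b"<?php"}
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in (("clean", clean), ("live", live)):
            for rel, data in files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_trees(os.path.join(tmp, "clean"), os.path.join(tmp, "live"))


if __name__ == "__main__":
    print(demo())
```

In the constructed sample, `lib/db.php` has the same size in both trees, so a size-only comparison would pass it while the hash comparison flags it. The check covers files only and says nothing about content stored in the database.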

xmoonlight, 2016-04-05
@xmoonlight

And how can you be sure that the web-shell is located exactly in the files?!)
It can also be in the database.
The best option (if there is no "clean" backup copy): logging incoming and outgoing requests with the "good" packets marked; all the "bad" ones are blocked, with an alert sent by mail.
All incoming requests must go to a single entry point to the application: we configure this filter there.
PHP security tips

Roman Dvoryanov, 2016-04-05
@Raxen

https://www.revision.com/ai/

Andrey Mikhalev, 2016-04-05
@Endru9

1. The first thing to do is to set normal permissions on files and directories:

# for directories
find /path/to/dir/ -type d -exec chmod 775 {} \;
# for files
find /path/to/dir/ -type f -exec chmod 664 {} \;

The process may take a long time, depending on the number of files.
2. Access to the admin panel should be limited to a specific IP only (.htaccess will help).
3. Look at the structure of the entire site and find a possible place where malware could be located.
4. Open the web server logs and review which resources are being accessed; there may be a hint about where and what to look for.
P.S. I will add that most of the problems on a site arise due to incorrect file permissions. A shell is uploaded and a bunch of third-party ones appear on your site... I got one site like that... I happened to type the domain into Google and received in response more than 10 pages that the attackers used to spread their virus...

keslo, 2016-04-05
@keslo

I also had such questions. To begin with, I decided to introduce control over changes to CMS files on the hosting. For this, I found a good solution, SANTI. The solution is free.
It includes a lot of additional goodies, such as backups and self-healing. I've been using it for a couple of months. Everything works fine so far.
