First of all, check your computer for viruses :-)

They could also steal FTP passwords.

Look at the logs of POST requests to files. Especially for files with gibberish names, 404.php, index.php. If WP , then look at the JS folders of WP scripts, plugin and theme scripts, uploads, wp-content/languages ​​folders and subfolders. Also, check your computer, as mentioned above. If you have cleaned malicious files, then change FTP passwords and accesses. Install the "All in one WP security" plugin on the WP site, enable file change tracking there, reports will be sent to the mail.
plus here

Scan the site with AI-bolit , check the logs, as Alexander wrote above, update WP, disable plugins and themes if you downloaded them from dubious sources.

Viruses can "throw" you through holes in scripts (plugins). Check them out, update them.
Delete unnecessary ones.

Plugins and themes should be checked. The fact that add-ons are in the top does not mean at all that they are without bookmarks or corny full of holes.

Each case is individual, I would also change the passwords to the database. Recently, my clients come for cleaning whose viruses are poured directly into the database.
1. Updated plugins and WP
2. Cleaned up the theme with handles.
3. We dug and looked with our eyes at the code at the root and looked for extra files.
4. We put the captcha and hide all sorts of holes with our hands, if you don’t know how, then try to install the plugin.