Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. you'll have to replace all files with fresh downloads. mostly it's straight forward:
- Backup the whole installation (just in case)
- Download the complete wp-content/uploads folder
- Make a Screenshot or save the page with the currently active plugins
- Delete ALL files
- Get a fresh WordPress setup and extract it
- Secure your WordPress folder via .htaccess (https://gist.github.com/tdwebservices-official/22d11da05260a04541f4a66112031ba9)
- Download a fresh copy of your theme and child theme (recreate the previous setup)
- Copy the previous wp-config.php to this fresh install. but take a GOOD look at it. usually, it also has some virus/backdoors in it. usually easy to see and remove. now you're already connected with your DB
- Examine the saved uploads folder for files that shouldn't be there, like PHP files. then upload it to the new folder
- Reinstall all plugins, fresh downloads
- Cleaning the injected code, manually
- Changing all the passwords
- Hiding the WP admin dashboard URL
- Limiting the login attempts
- Installing security plugins (Wordfence security)
- Installing Cloudflare