Channel: Topic Tag: malware | WordPress.org

Hacked Malware Index.php and .htaccess regenerating


Hopefully my findings will help other users.

A number of my sites were recently hacked.

I noticed that the index.php filesize was much larger than the source WordPress file, and when deleted / replaced it would regenerate / replace itself within seconds (as well as .htaccess).

Take a backup.

To stop the malware regenerating I put an .htaccess file (with the lines below) in key folders, deleting the malware-infected .htaccess.

<Files *.php>
deny from all
</Files>

The malware had placed files such as radio.php, about.php, wp-confiig.php and infected index.php all over the site.

Delete these files where you find them, noting that index.php in WordPress is about 405k – the malware-loaded one was 1400k.

Install Wordfence or GOTMLS cleaners.

Clean and delete all infected files.

Delete all WordPress directories (wp-admin, wp-includes and wp files in the root) and do a clean install of WP core files.

Get your host to run a full malware scan.

Clean again.

Once clean, back up and set a daily backup.

Keep scanning and keep an eye on Wordfence alerts.

Also if you use GOTMLS give the guy a donation – guys like him keep many of us safe.

Hope this helps others.
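
Added example, not part of the original post: a read-only shell check that lists the file names mentioned above (plus index.php and .htaccess) and compares each one with a known-clean WordPress core tree, reporting its size. The function names and the two directory arguments are assumptions of this sketch; comparing against a clean copy matters because wp-admin/about.php is a legitimate core file, so a name match alone is not proof of infection.

```shell
#!/bin/sh
# Read-only triage: nothing is deleted or changed.
# scan_wp_tree SITE CLEAN  (both directories are caller-supplied assumptions)
scan_wp_tree() {
    site=${1%/}
    clean=${2%/}
    # Names taken from the post, plus index.php and .htaccess.
    find "$site" -type f \( -name radio.php -o -name about.php \
        -o -name wp-confiig.php -o -name index.php -o -name .htaccess \) |
    sort |
    while IFS= read -r path; do
        rel=${path#"$site"/}
        size=$(wc -c < "$path" | tr -d ' ')
        if [ ! -f "$clean/$rel" ]; then
            # Not shipped by core at this path: dropped file, or a
            # plugin/theme file that needs a manual look.
            printf 'UNEXPECTED\t%s\t%s\n' "$size" "$rel"
        elif ! cmp -s "$path" "$clean/$rel"; then
            # Core file whose bytes differ from the clean copy.
            printf 'MODIFIED\t%s\t%s\n' "$size" "$rel"
        fi
    done
}

# Constructed sample trees (not real site data) so the check runs offline.
build_sample() {
    mkdir -p "$1/clean/wp-admin" "$1/site/wp-admin" "$1/site/wp-content/uploads"
    echo '<?php // core front controller' > "$1/clean/index.php"
    echo '<?php // core about page' > "$1/clean/wp-admin/about.php"
    cp "$1/clean/wp-admin/about.php" "$1/site/wp-admin/about.php"  # untouched
    { cat "$1/clean/index.php"; echo '// appended bytes'; } > "$1/site/index.php"
    echo '<?php // dropped file' > "$1/site/wp-content/uploads/radio.php"
    echo '# rewritten rules' > "$1/site/.htaccess"
}

tmp=$(mktemp -d)
build_sample "$tmp"
scan_wp_tree "$tmp/site" "$tmp/clean"
rm -rf "$tmp"
```

UNEXPECTED lines under plugin or theme folders can be legitimate, so treat the output as a review list and rerun it after each clean to catch files that have come back.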

