Persistent problem with backdoor malware
I have taken over a WordPress site which has a persistent problem with a kind of backdoor malware infection which I am having difficulty rooting out. I do regular Wordfence scans which find and repair the infected files, but I really want to stop the problem occurring at all. I have their web application firewall working but that is not stopping the problem.
The result of the infection is that website users get redirected to miscellaneous other sites. What happens is that somehow various core files get injected with some code which loads another file which may be located anywhere in the installation. Quite often files called ‘index.php’ are created with the ‘.tmb’ and ‘.quarantine’ directories, and also rogue directories named ‘mbsys0v’ and ‘p1q4kwve’ are created at the root level.
There are only two users with Admin rights in the system (one of which is me) so it’s not coming from them, and I’ve done a pretty thorough purge of all plugins, ensuring that all remaining plugins are up to date.
How should I go about troubleshooting this? What do I need to do to clean this up once and for all?
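A read-only check for two of the symptoms described in the post (PHP files appearing inside dot-directories, and unknown directories at the root level), as an added example that is not part of the original post. The function names, the `extra_allowed` parameter and the placement of `.tmb` and `.quarantine` under `wp-content` in the constructed sample tree are assumptions.

```python
import os
import tempfile
from pathlib import Path

# WordPress core ships exactly these top-level directories.
CORE_TOP_DIRS = {"wp-admin", "wp-content", "wp-includes"}
PHP_SUFFIXES = (".php", ".phtml", ".phar")

def audit_tree(root, extra_allowed=()):
    """Return sorted (reason, relative_path) findings for a WordPress docroot."""
    root = Path(root)
    allowed = CORE_TOP_DIRS | set(extra_allowed)
    findings = []
    # Check 1: top-level directories that neither core nor the site owner created.
    for entry in root.iterdir():
        if entry.is_dir() and entry.name not in allowed:
            findings.append(("unexpected-top-level-dir", entry.name))
    # Check 2: PHP files inside any dot-directory (e.g. .tmb, .quarantine).
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if any(part.startswith(".") for part in rel.parts):
            for name in files:
                if name.lower().endswith(PHP_SUFFIXES):
                    findings.append(("php-in-hidden-dir", (rel / name).as_posix()))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample docroot mirroring the symptoms in the post."""
    base = Path(base)
    for d in ("wp-admin", "wp-includes", "wp-content/uploads/.tmb",
              "wp-content/.quarantine", ".well-known", "mbsys0v", "p1q4kwve"):
        (base / d).mkdir(parents=True)
    for f in ("index.php", "wp-content/uploads/.tmb/index.php",
              "wp-content/uploads/.tmb/thumb.png",
              "wp-content/.quarantine/index.php"):
        (base / f).write_text("constructed placeholder\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # .well-known is allowlisted here as a directory the site owner expects.
        for reason, path in audit_tree(build_sample_tree(tmp), {".well-known"}):
            print(f"{reason}: {path}")
```

This only locates dropped files and directories; injected core files are a separate check, made by comparing core against the official checksums, for example with WP-CLI's `wp core verify-checksums`.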