One of my clients faced the same issue, they downloaded a theme from downloadfreethemes.co website. Following forensic examination, I found out that, ccode.php register itself as a plugin but hidden in the backend. It basically target add on traffic that is coming through search engines. It does not have access to SSH, SFTP or create uses or steal user/admin credentials.
To mitigate, let the Wordfence plugin scan outside of the WordPress directory and you will need to carry a sensitive full scan and delete the offending files or the lines of code suggested by Wordfence plugin.
