Although this is not the place for hacking questions … a quick look seems to indicate attempts to get database credentials, and to upload files that can be executed later.
One file it looks for (and tries to inlcude) is ‘command.php’. So take a look if that file is there. You could also look at the access logs to see if there was an attempt to upload that file name.
It also looks like it’s self-reinstalling, via some update functions. And other attempts to gather intel about the site.
So, the best thing for you to do is to protect the site. There are many googles/bings/ducks on how to clean up a WP site (or any site) – I’ve written one myself that I use.
But, in general:
- change all credentials – user/pass of database, ftp access, admin-level users, hosting credentials, etc. Strong passwords throughout.
- get rid of any user called ‘admin’. Create another admin-level user, log in to make sure all is OK, then reduce privs for the old ‘admin’ user.
- check for any new/unusual users – not just admin levels, but editor/author. Change passwords on all users, especially admins
- look for any unusual files (like the command.php) that shouldn’t be there. Look for ico files that aren’t really ico files (they might contain obfusticated code)
- look at all files to make sure they don’t have extra code. Especially index.php files, and all WP base files.
- make sure all theme/plugins are updated. In fact, make a list of themes/plugins in use, delete the files, then re-upload via FTP from new copies. Not just delete and reinstall. Deleting folders gets rid of extra files that a delete/reinstall/activate won’t get rid of.
- Consider a full reinstall of WP core files. Save your wp-config.php file, but reinstall everything else.
There’s some other tips – again, lots of googles/bings/ducks on cleaning sites. My tips are here: https://www.securitydawg.com/recovering-from-a-hacked-wordpress-site/ .