Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords!
Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php is probably in your theme files).
Lots of advice on the googles about recovering a hacked WP install (filter your search by ‘last year’).
You could also do a brand-new WP install in a separate folder on your hosting account. More work involved here, as you’ll need to adjust domain settings, copy data (Tools, Export, then Tools, Import), and re-do all theme and plugin settings.
Be wary of any plugins/themes that you recently installed. Make sure everything is current (WP, themes, plugins). Also check your local computer for weirdness (like updating local OS and apps).
Change passwords everywhere (hosting account, WP, databases, FTP, email) on hosting account. And locally on your computer.
Good luck.
Personal opinion follows
(BTW, I stopped using FileZilla a couple of years ago when I found out they stored credentials – user/pass – in a plain text file easily accessable on your local PC. Haven’t used them since, don’t know if they fixed it; back then they didn’t see that as a vuln. Use WinSCP now. Your mileage may vary.)