For starters, you have absolutely no firewall rules or login security going. If anything does get blocked it is only blocked for 5 minutes. I would highly advise changing that. I am emailing you screenshots of both sets that I use on production sites.
I also advise scanning theme and plugin files against the wordpress repository for changes as that catches those files that have been altered or added to.
The following are go-to options I add to all my production sites, many of which I did not see enabled on your site.
- Scan for signatures of known malicious files
- Scan file contents for backdoors, trojans and suspicious code
- Scan options table
- Scan files outside your WordPress installation
- Scan image files as if they were executable
- Disable Code Execution for Uploads directory
Wordfence is pretty good out of the box but it does require setting options if you want to catch everything.
Let me know if you had any other questions. I am always happy to help.
tim