Ideas: Country blocking, add known exploit file names to the Wordfence "Immediately block IP's that access these URLs: Set strict rules on everything, use a minimal number of plugins, install a login URL obfuscation plugin, learn how to use .htaccess and your server firewall, install a honey trap in the website (hidden link to a nonexistent file that you add to the "Immediately block IP's" and list in robots.txt so you don't accidentally block Googlebot, watch webmaster tools for problems, use your server logs to get a sense of how everything is working, if you have a client they should expect you to know how to do all this and more.
Firstly, be sure you have a backup system that makes it easy to wipe and restore the entire website. That's the best way to cure an infection. If you don't have that, then in my opinion you're not providing your client with what they should be expecting.
Enjoy the financial rewards of being paid for the extra hours doing all this stuff?
MTN