I would:
1. Scan your local machine for vulnerabilities.
2. Change all your passwords as a precaution: backend, cPanel, FTP.
3. Contact your host to see if there are any similar issues occurring on your server.
4. Work through the Hardening Wordpress codex.
5. Monitor the situation over the next few weeks using the Wordfence scans to check if the issue has been resolved.
Good luck!