More information. Looking at emails I overlooked.
All sites the night of or before the hack were accessed by:
A user with username " " who has administrator access signed in to your WordPress site.
User IP: 94.136.150.28
Sent by Wordfence.
That IP above is NOT ME.
How does anyone have a user name with " " and have admin access to all of my sites?