Hi,
Wordfence is an awesome tool for checking your site, though it has its limits. Though the plugin may find "some" exploitation scripts, it likely will not locate all.
You really need to dig in on your own and work through the list above and spend some time reviewing your site files for "files out of place."
1. Change all WordPress related passwords, including your email account password.
2. Ask your host to run a full malware scan on your site to help you ID those scripts sending junk email and the like.
3. Invest in some good monitoring once all back in place, like Sucuri, HackGuard dot com, CodeGuard, 6Scan, or other site monitor services. Most are $10 or fewer a month and well worth the price of admission for a few months.