I got hacked too this past weekend. And I installed WordFence as a countermeasure. Unfortunately it was too late. Like you, I noticed that WordFence doesn't detect .php (and .html) files that aren't part of the WP core, even if they have names that to a human eye obviously aren't part of a normal WP install.
If you've removed files and they come back, then, you're in trouble. They might be deep in your database, or they might have a backdoor still open to your site that will render your cleaning attempts useless.
No matter what you do please heed this warning: BACK UP YOUR POSTS NOW!!! Go to "Tools -> Export" and export everything. Take screen shots of your site, your WP dashboard and your plugins in case you need to reconstruct everything from scratch.
You never know when your site could be taken down completely, or shut down by your host because your hackers have turned your site into a brute force bot.
I had back-ups done through my host (Digital Ocean) they saved my behind. Do not rely on WordFence to protect your site any further - if files come back after you've cleaned them and WordFence isn't detecting them, your site is compromised beyond easy repair.