Have a great problem, in title wordpress site sometimes (random) added inject code (screenshoot).
After code added site redirection on page with banners.
Change server pass, change users pass, add google authentification and change enter point (not wp-login.php), but inject work everyday. Wordpress 4.9.4.
How stop it?
I would diagnose/fix as if there was a hack of your system. Lots of references in the googles about that.
But my technique is to change credentials on everything (hosting, wp admin users, database, FTP users), reinstall/upgrade everything (WP via the Upgrades page, plugins and themes via manual FTP transfer), check Child Theme code (if any), and then look for rouge files in all site folders manually. Including hidden files (check htaccess files everywhere).
Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.