Found some malicious files in the server’s file system. Mostly phishing files that I wouldn’t have known if I didn’t have to ftp some files.
So… Deleted everything and reloaded an old backup. Lost a few posts but that’s okay. Deleted all unused/ unnecessary plugins. Converted one to shortcode in the child theme and updated everything. As safe as it gets.
Anyway, pretty sure, the files weren’t uploaded via a compromised wordpress/plugin but a server vulnerability. The joys of shared hosting, eh?