I have many websites built on WordPress by different customers, We have noticed mass compromisation on the sites by adding codes in the wp-config file. Even I have checked many accounts having suspicious files, Scanned with ClamAV it shows them as Malware but even after them, they come back after a few days.