Wordpress site security issue

I can't seem to figure out where the hole is in my wordpress that causes a hacker to install some php files in some wordpress directories. The security plugin Wordfence, catches those files, but I can't seem to understand how this happens. Any help appreciated. Image attached that shows what Wordfence catches