These settings definitely help blocking further attacks but I still can't stop thinking about the question though. I scanned the site and it only found 9% of the malicious files. To be fare this 9% was the best result I got because my hosting company Siteground scanned the site and said it's clean. In my reply I pointed out a malicious file and asked why didn't they find that file? This time their reply took a lot longer and they said that the file was malicious and if I would like to order a paid service to go over the files but no reply or explanation why they use scanning which doesn't work. I also learned that hosting provider in Estonia (ZONE.eu) scanned and found about 1% of the malicious files. These past few weeks I have worked on so many hacked sites that it's pretty terrifying. How could you be sure that your site is clean from malware if the scans fail to find malicious files? Some files are easily recognizable as malicious but I found some files that looked like part of the system. And I also pumped into something similar on one of the sites that they describe in this article: http://www.csoonline.com/article/2921138/malware-cybercrime/unusual-wordpress-attack-steals-login-credentials.html
I can't imaginge how many sites might actually be infected if the hosting provider, security plugins, outside scans fail to report the problem.
So my question was that why don't the scans recognize the malicious files? How could people help these programs become smarter?