thanks for both replies,
The plugins were removed immediately, I was not for a second fooled by them and I removed the admin users that were created, I did have an anti malware and brute force plugin installed but clearly it failed miserably (So i shall not be naming it) will be goign with wordfence and whatever else I find thats highly rated.
The problem is though, these hacks are supposed to leave hidden code around the site, the wp-uploads is clean, wp-includes looked clean wp-config and index.php were also fine but aside from that its practically impossible to find it manually. My host ran a Malware scan and found nothing too. I understand these hackers like to use base64 however wordpress, plugins and themes also use this so really its a needle in a haystack job to try and find anything left over.
Obviously I am going to dramatically increase the security on all our sites but from what I have seen there is nothing anyone can do to actually stop this Just postpone it which is why I am kinda looking for an official answer because if I am correct then Wordpress needs to be updated like yesterday to protect people from this