@WFMattR - Our saga continues; however, I might have something for you to review. On another account on our server that showed signs of getting hit just tonight, I discovered a "www" folder that did not belong (the typical cPanel layout does not include a www folder within the "public_html" folder). The folder dates back to September according to the datestamp. Inside that folder lay a treasure trove of malware madness. To me, it looks like files used to setup false or appended WordPress files. The site in question is, for all intents and purposes, just a little-used companion site for one of our clients. So the additional folder would easily pass detection.
Wordfence, a free install on this particular site, did not detect this folder nor its files when set to scan beyond the WP directories. I created a zip of this entire folder before we removed it (I'm not sure I want to open it to double check the contents...in case it's bad for this Windows system I'm using at the moment). Do you want me to send this to you for investigation? I suspect that this folder may be the root of all our problems as it's something I've not seen before and some of the files lead me to believe it's designed to infect WordPress.