In my view, the best way to ensure that your that is fix wordpress malware is via the use of a WordPress backup plugin. This is a relatively inexpensive, elegant and easy to use way to make sure your website is accessible to you.
Everything you have worked for will go with it should your website's server go down. You will make no sales, get no visitors or signups to your site, until you click here to find out more have the site back up again and in short, you're out of business.
This is very handy plugin, protecting you against brute-force password-crack attacks. It keeps track of the IP address of every login attempt. You can configure the plugin to disable login attempts when a certain number of failed attempts is reached.
Now we are getting into matters. You must rename it to config.php and alter the file config-sample.php, when you install WordPress. You need to deploy the database facts there.
Don't use wp_. Web hosting providers are eliminating that default but if yours does not, adjust wp_ to anything but that.