WordPress website keeps getting hacked

I have a major issue with my website and I can’t for the life of me work it out.
I have now been hacked about 4 times in the past two weeks. They keep uploading malicious .php files around my server. I can’t workout how they are doing it and where my vulnerability is. I need to work this out and if someone could help me find it I would be so happy.
I have update WordPress and all plugins

I just got an email from my host saying

This is an urgent message regarding the security of your website(s) hosted with 1&1 Internet. Our anti-virus scanner has reported that at least one malicious script or file has been uploaded to your web space.

Name and Path to the file: ~/cadagency/wp-content/plugins/wp-mobile-detector/locale/session.php

To protect you and your site visitors from hacker attacks, our anti-virus scanner checks every file that is uploaded or modified. Malicious files are then disabled automatically.

Now my website is just leading to

Warning: require(/homepages/46/d335400553/htdocs/cadagency/wp-includes/class-wp-metadata-lazyloader.php): failed to open stream: Permission denied in /homepages/46/d335400553/htdocs/cadagency/wp-settings.php on line 138

Fatal error: require(): Failed opening required ‘/homepages/46/d335400553/htdocs/cadagency/wp-includes/class-wp-metadata-lazyloader.php’ (include_path=’.:/usr/lib/php5.4′) in /homepages/46/d335400553/htdocs/cadagency/wp-settings.php on line 138