Do you use a firewall plugin?
If not, you may want to look at one that blocks bad (or here malicious) queries.
You may also want to reinstall WordPress Core.
While that should take care of possible unauthorized changes or extra files, you still need to find the source of the problem.
If, just for example, a plugin installed a backdoor, it could be used to make the same changes again.
WordPress core only recently started automatically adding a noindex directive to search results pages (as of 5.7). Sites will need to update to take advantage of this (or you could run a popular SEO plugin), and, it may take time for URLs that have already been indexed to drop off.
Thanks both
@jonoaldersonwp – that’ll be the one for sure…
