I had a site hacked last summer (2012). In spite of clearing the hacked files that showed up for a phishing exploit, new ones kept popping up. I added a number of security plugins including Website Defender, Bulletproof Security, and Wordfence. Of these, Wordfence seemed to be the best at actually and quickly detecting the presence of attack shells; but the problem continued to occur. I could also see some of the IP addresses that were involved in sourcing the attack (Indonesia especially) and I could block specific IP addresses; but still, the attack continued. I inspected the MySQL DB to see if there had been any SQL injection at or near the first attack, but there was nothing there. I was about ready to take the entire site back to formula and do the whole thing over by hand when I came across this plugin.
Of course, it over-did the detection but it also pinpointed the upload vectors buried away in the site. This was much better than under-detection, since I could decide for myself if a file was clean or not by opening it and checking it out.
This plugin gets my five-star rating for saving my bacon.