• Resolved ostinatofreak

    (@ostinatofreak)


    My Bluehost WordPress sites were hacked a few weeks ago, probably almost surely due to a keylogger virus on my desktop computer. The hacker had created a new admin user named “header” on my sites (which I deleted literally minutes after creation thanks to WordPress’s e-mail notification). Everything is cleaned now (new O/S, new passwords, used GitHub to restore malicious files, installed Wordfence).

    Now, I get WordPress update e-mails every so often, and the reports all usually have multiple instances of this:

    Blocked for Malicious File Upload (PHP)

    There are never any recently changed files detected by Wordfence other than normal file updates, such as updates to Wordfence itself.

    My instinct is to high-five myself since, after all, these upload attempts are BLOCKED. I am certain that the continuing activity is all automated bots relying on various admins who don’t know what they’re doing – the bots don’t detect or care that my site is now clean, so they continue to treat my site as if it were still infected.

    However, even after searching in forums, I can’t seem to find out if there is any chance an error like this could signal some lingering infection. That is, can these PHP upload attempts take place on a normal WordPress site, or can they only take place on an infected one? I wish the Wordfence e-mails made this more clear.

    I feel it’s unlikely that my sites are still infected, but I just wanted to be 100% sure, and the Wordfence report e-mails are, in my opinion, a bit too vague when it comes to the error messages. I think it would be helpful if the errors at least had links to pages that went into more detail about all the things the error could mean and what core WP files the hackers were unsuccessfully using. I repaired every file that was reported to be infected by either Wordfence or Bluehost, and as I mentioned above, the only files that are ever recently changed are from normal plugin/WordPress updates.

Viewing 1 replies (of 1 total)
  • The topic ‘Blocked malicious file uploads: celebrate or worry?’ is closed to new replies.