Inherited a site from another designer that was built with a "free" theme that obviously built with malicious code. During the dev and over the course of a couple of years the pesky script that was running in the background couldn't be isolated and it kept reinventing the bogus links and pages even after "scrubbing" using both manual and scripted methods...
Finally, in a yet another effort to eradicate the problem, I tried Wordfence and voila! Problem resolved! And so were lots of other issues that were annoying such as the ability to block comment spammers.
Plus Wordfence they send out very helpful notices about site status and other industry updates regarding WordPress security.
I have since installed on additional sites with similar positive results.