WordPress Vulnerability Getting Hacked

All my WordPress installation including some of my customers are getting hacked. I got hackers injecting html files in the root directory of my page. images, redirection pages, etc. I updated all the plugins on the different websites, one of my customers got hacked and she don’t even have a plugging. I installed BulletProof, change password, SQL password, cPanel password and they still hack trough WP. Why, because most of the files are injected on js/tinymce folder or wp-include folder.

Have anyone reported any of this? I need help, my hosting people are suspending my websites because of this vulnerability.