I advise against this plugin who I can. Not only does it build the false impression that the site is secure, it also often creates additional security risks.
In practice, situations such as those described by the author of the topic may result from outdated or abandoned plugins or the entire Wordpress installation. Usually in this case you need to virus the whole installation and remove excess files, but in practice I recommend doing it this way:
1. Save the wp-config.php file and the wp-content folder, delete the rest
2. Review manually all folders and files that we saved in the first step, you can suggest dates of modification of files or unusual names
3. Download the latest wordpress and unpack in the pages folder, supplement with previously saved wp-config.php and wp-content