I just found 2 zip files that they uploaded to my new empty site. Wordfence found them for me, along with changes that had been made to a .php file that I think made it possible for them to do that upload. This means they're getting right into my CPanel doesn't it?
The password for this and all my sites are generated to about 10 characters/letters/numbers combos. My guess is that they aren't going through this access route. So does it have anything to do with my host not having a very secure service?