How to find the URL injection on Wordpress Site?

They're probably hitting the MySQL database with a SQL injection.

Turn off all the plugins and update the WP install to the latest version. WP plugins or themes are usually the weak spot.

There's actually websites that list WP plugins with known vulnerabilities and unsuspecting webmasters still use those same plugins. This is why Wordpress.org removes plugins with outdated support.

Where are you hosted? I have switched several clients over to WP Engine.

They seem to have really good security. I also have seen a speed increase for every website I have moved there so far vs Godaddy or Bluehost.

The other advantage to them IMO is they only host Wordpress websites, so they are optimized for them.

The downside to WP Engine is they are more expensive, but because of the speed increase and security, I think they are worth it.

So far I am extremely happy with their service. Easy to get connect to support, websites are performing faster and interface IMO is cleaner and easier to navigate.

Since I didn't sign these clients up back then, I don't see WP Engine's hack as an issue. They obviously have fixed the vulnerability they had.

Hackers hack WordPress sites through URL injection very often. What they actually do is that they hack WordPress sites, and leave some sneaky backdoor scripts. If this is the case with your website, then while you dutifully updated and did all the right things, you may have missed the actual hacker files which are often disguised to look legitimate. You need to follow the below-mentioned risk-reduction approaches in order to make your website safe and secure:

i) Keep everything updated in your website
The WordPress developer team releases updates in WordPress core time-to-time. They are committed to the identification and patching of security vulnerabilities. Anytime you see a minor release (3.2.x), its for bug fixes and security patches.
So, you have to update your WordPress version every time you see a message about updating in your Wp version in your dashboard. One of the biggest contributors to malware attacks is running outdated software. You can also find the automatic update feature in WordPress. It works great, and is conveniently located within your WordPress admin panel.
ii) Delete disabled plugins and themes which are inactive in your dashboard
If you are not using any plugin or theme you used in past, disabling them is not enough. Delete all the inactive themes and plugins from the server is what I would suggest.
iii) Use an updated anti-virus and Software firewall and keep your computer up-to-date
Ensure youre patching or installing OS updates regularly. Automatic Updates are good. Most OS vendors are patching security issues often, its important to stay updated. Protect your system with an anti-virus. Use software firewalls.