Providers are great for 'easy install' ... but many fail to provide customers with easy ways to upgrade. Some of that difficulty due to package (shared host or VPS) purchased. I use wp-cli which enables 'easy' updates to not only plugins of WordPress but core code of WP. Sorry ... no GUI to that. You might suggest that to your provider.
WordPress is a possible gateway/hole to the issue with Moodle.
https://codex.wordpress.org/WordPress_Versions
Highest, most secure version is now 4.5 (Apr. 2015)
Since the plugin you have interfaces with Moodle, then I'd say the "Edwiser Bridge plugin' also needs inspecting ... at least ask the providers of the plugin.
Since system is LInux, provider should be able to install clamav on that server - which installs a CLI app as part of that package called clamscan. Provider should make sure they have the most recent virus definitions before scanning your space.
Provider will have to do that for you unless you have a VPS and can install software yourself.
I hope that what you've found isn't true SQL injection code cause that would mean there are entries into the DB's for either WP or the Moodle now. More like a code injection ... insert of malicious code in a php file.
Inspect xmlrpc.php file as well. Make sure that one is only readable and not executable. Matter of fact, I'd make sure that ALL/ANY files in both the WP and the Moodle are NOT executable.
Also ask provider to archive your server logs for inspection. You've already found one culprit attempting access to xmlrpc too many times. Ask provider to block that IP address. Can do with Linux as it's capable of routing.
Get DB backups (sql dumps) now ... and a backup of your moodledata directory.
You might need to save your config.php file out into some other area. Make notes on what other plugins you have for Moodle AND then move the moodle code directory to some other location.
Re-acquire the latest 2.9.5+ code ... copy the config.php file and the other plugins you added into new code directory ... including the Edwiser Bridge (after checking with the provider AND scanning that directory). This is an upgrade. Next access to the Moodle would then do an in-series upgrade from your current 2.9.x to the highest currently available 2.9.x.
Make sure NONE of the files in the moodle code are executable. Ditto for WP files.
Why do that? Well, you've manged to find .php files but what of hidden files ... those begining with 'dots' AND because Moodle code has sooooo many php files that could be injected/affected/infected the only way to assure you get them all is fresh code directory.
This is NOT fun, I know ... at the beginning of this year helped an ISD clean up 40 Joomla's that had not been kept up to date. It took 2 weeks.
Get help from your provider.
Maybe this thread will attract the attention of some true Linux gurus who have had experience with 'cleaning up' a site and offer their advice as well.
'spirit of sharing', Ken