WP Defender not detecting malicious code

This is a client's site that they had left out of date for some time, and I have tried to get the site back up and running. Defender didn't find the malcious software that was posting content that was hidden even from the admin.

Now it looks like the site is performing a mobile redirect. Does WP Defender find this? This is a nightmare site :slight_frown: if Defender isn't capable of finding the source of this problem (or even identifying it) is there something that will?