scan failed

What were the contents of the file?

Malware scans are typically signature based, if this was a new string of malicious code it might not have been picked up.

Well … I don’t know the content of the files as my PC even refused to edit them. I mean I’m not speaking about lines of code injected in already existing files. I’m speaking about completely new files and, apart from the content of these files, I expected from wordfence a comparative scan able to detect strange named php files on a core folder of the wordpress installation, in particular on a css folder where php files shouldn’t be at all.

Ok, in this case, if you are seeing files in wp-includes that shouldn’t be there then you should remove them.

To better determine what files should and should not be present you can use this trick in Filezilla:

https://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html

Have a fresh copy of WordPress on the left and browse your site files on the right and then press Ctrl+O – the green/white files match and the yellow files will be out of place.

As for Wordfence finding .PHP files with strange names, I am not sure if this is something Wordfence does. Random/strange filenames is only a proxy indicator for malware, though, and does not always indicate an infection (take, for instance, cache files which tend to have very random and strange names)

The trick is awesome … you changed my life. Really ??

As for Wordfence, probably you are right. I gave it as granted that it performed a comparison scan on core folders that, unless you are a very reckless webmaster, shouldn’t change. But maybe not.

Anyway Wordfence is fantastic in the real time alerting system. Recently got 2 hackers while they were hacking thanks to this. Remarkable ??

Yeah, it’s a very handy tool ??

There’s really no reason to have any out-of-place files in wp-includes – In infected sites I find most often they are spam related files.

If you’re not sure about a certain file feel free to pastebin here and I can take a look.