Hi @b2kaibecker,
Known issues can sometimes be packaged in a different way to cases seen before by our scans. It sounds like our scan is picking up the Backdoor:PHP/lfi.11719 issue, cleaning it on your instruction, but it returns again later? If that’s the case, there may be a file somewhere recreating the issue.
I would try following our checklist here:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
It sounds like your plugins and WordPress core are up-to-date already. As a rule, any time I think someone’s site has been compromized I also tell them to?update their passwords for their hosting control panel, FTP, WordPress admin users, and database?in order to cover the key access points where somebody could change things on your site. Make sure to do this.
Additionally you might find the WordPress Malware Removal section in our free?Learning Center?helpful.
After taking measures to try cleaning your site or identifying an issue, you can send suspicious code samples or files to?samples @ wordfence . com if you’re unsure what to do. Just make sure to?remove any database credentials or keys/salts?in any files you send over. Our team can help advise next steps from there.
If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a?full backup of the site beforehand.
Many thanks,
Peter.
