• Resolved pingram

    (@pingram3541)


    I have a customer that has been hacked twice in the last 30 days, all plugins are pretty common plugins with no reports of vulnerabilities and up to date as is wf but they keep getting suspended due to phishing files located inside the wp installation. I can’t figure out how they are hacking the site unless they have direct server access somehow???

    This time it was an extra folder inside the /wp-includes/js/ folder. I ran a wf scan without removing the files and expected wf to detect these files but it didn’t. Is this normal? Will the scans only detect if core files have changed but not the existence of new files in the folder structure?

    All file permissions are pretty standard, 755, 644.

    https://www.remarpro.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author WFMattR

    (@wfmattr)

    We have heard of a number of users who had multiple sites on the same hosting account (or same VPS or dedicated server), which appear to have been infected through one of the other sites that had outdated WordPress installations or plugins, or even non-WordPress software.

    Sometimes new malicious files are not caught by any of the patterns that we scan for. You can often find them if you enable the “high sensitivity” option in your Wordfence Options, and turn on “Scan files outside your WordPress installation”. These are not on by default because they can produce false positives. The scan of core files does compare the files to the originals as they would appear on a clean WordPress installation, but does not identify added files — this may change in the future.

    If the files you’ve found aren’t caught in a regular scan, you can send them to us at samples [at] wordfence.com and we will review them and add them to be caught in future scans.

    Thread Starter pingram

    (@pingram3541)

    Thanks, we already wiped the file space clean and built a fresh copy. They had somehow added a folder inside /wp-includes/js/ folder and it was a gmail phishing login page. I’ll remember this in the future and submit examples when I can to help out.

    However, this does clarify that Wordfence doesn’t currently look for additional files/folders inside the core folders such as /wp-admin/.. and /wp-includes/.. but it would definitely be a good idea in a future release to look for this, since it’s not normal or even proper practice to add anything to these directories.

    And always, thanks for such a quick response and a great plugin!
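
The gap discussed in the two posts above (core files are compared to their originals, but files added to /wp-admin/ and /wp-includes/ are not flagged) can be closed with a manifest comparison. This is an added example, not part of the thread and not Wordfence code; the function names and the manifest (relative path mapped to the MD5 of the file in a clean install of the same WordPress version) are assumptions, and the demo data is constructed.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that should hold only core files


def audit_core_dirs(wp_root, manifest):
    """Compare core directories against a clean-install manifest.

    manifest: {relative posix path: md5 hex} for a clean install of the same
    WordPress version (assumed input; built by hand in demo() below).
    Returns (added, modified, missing) as sorted lists of relative paths.
    """
    added, modified, seen = [], [], set()
    for core_dir in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(wp_root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                seen.add(rel)
                if rel not in manifest:
                    added.append(rel)  # the case a changed-files-only scan misses
                    continue
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                if digest != manifest[rel]:
                    modified.append(rel)
    prefixes = tuple(d + "/" for d in CORE_DIRS)
    missing = [p for p in manifest if p.startswith(prefixes) and p not in seen]
    return sorted(added), sorted(modified), sorted(missing)


def demo():
    """Build a constructed mini install with one extra folder and audit it."""
    clean = {"wp-includes/js/jquery.js": b"core js", "wp-admin/index.php": b"<?php // core"}
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        files = dict(clean)
        files["wp-includes/js/extra/login.html"] = b"<form>constructed sample</form>"
        files["wp-admin/index.php"] = b"<?php // altered"
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return audit_core_dirs(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Any path in the first list is a file that exists inside a core directory but is absent from the clean manifest, which is how a dropped folder under /wp-includes/js/ would show up.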

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the feedback. I’ve added it to our internal system’s feature requests, too.

    -Matt R
    FB765

    My site has been hacked several times and I’m spending hours scanning and cleaning, changing passwords, keys, re-install wp etc.
    Today I actually realized that on one of my sub domains it doesn’t matter what you put at the end, this form comes up and whoever can download up things to the root. <form method=”POST” action=”” enctype=”multipart/form-data”><input type=”file” n
    I’ve been trying to find where the code is but can’t find it, I have also been using backup copies but nothing seems to help.
    I also put in a 2 step authentication but it stopped sending me the verification email so I had to cancel that.
    Right now when scanning my entire site seems to be clean.
    Site: fosforproduktion.se with 5 sub domains.
    Subdomain with code:
    https://autonomous.fosforproduktion.se/be

    Plugin Author WFMattR

    (@wfmattr)

    annajutta: In your Wordfence Options, try turning on all of the options under “Scans to include.” (The first is only available on premium, so you can leave that off if needed.) If you have subdomains in the same directory as an individual site, do this from the main site that is not in a subdirectory — this will let the scans search through all folders, even the other domains. You might find some files that are really ok with the additional options, so you will need to review them carefully. This guide to cleaning a hacked site may help as well:
    How do I clean my hacked site using Wordfence?

    If you’re still having trouble, can you create a new post in the forum instead of replying here? The www.remarpro.com forum rules ask us to have only one person’s issue per post, and it also helps us keep track of open issues. Thanks!

  • The topic ‘Scans not detecting phishing files in wp core’ is closed to new replies.