Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author WFMattR

    (@wfmattr)

    There may be new variations of malicious files that the scanner does not catch yet — attackers are always finding new ways to hide their code, unfortunately. If you know which core files are infected, you can send me a copy, and we’ll analyze them and add them to future scans. My email address is: mattr (at) wordfence.com

    Wordfence has options to scan other folders that are not part of WordPress, but they are not on by default. If you turn on all of the options under “Scans to include” on the Wordfence options page, it will search for all files, and the “high sensitivity” option can help catch code that is likely to be malicious. (It may produce false positives, where valid files are shown — if you’re not sure about any of the files in the results, you can send me a copy.)

    We also have a guide to cleaning hacked sites, which may help you find additional malicious files, and there are also recommendations to help prevent future hacks:
    How to clean a hacked site using Wordfence

    -Matt R

    Thread Starter Serg1140

    (@serg1140)

    I know where these files are and they do not belong to the core – and it is the problem. I am not sure you scan them.
    /jhomes/wp-admin/maint/repair_backup.php
    /jhomes/wp-admin/network/site-settings_noversion.php
    /jhomes/wp-admin/includes/class-wp-filesystem-direct_backup.php
    /jhomes/wp-admin/js/comment_prevv1.php
    /jhomes/wp-admin/css/colors/midnight/colors_old.php
    /jhomes/wp-admin/css/colors/blue/colors-rtl.min_prevv1.php
    /jhomes/wp-admin/css/colors/ectoplasm/colors.min_backup.php
    /jhomes/wp-admin/css/colors/light/colors_ver1.php

    In my experience, non-WP core files that are in the folders are only reported as not part of the core or something to that end.

    I had several hacked files in a site like this and didn’t realize it until I noticed Wordfence’s scan report pointing them out.

    Plugin Author WFMattR

    (@wfmattr)

    @serg1140: Ok. Generally, these should be scanned, so it sounds like they contain malicious code that we have not seen yet. If you can send me a copy of these files, we can add them to future scans.

    Normally, you can also remove them manually from the site. If the site won’t load after removing them (which is relatively rare), check wp-config.php to make sure it doesn’t have extra “include” or “require” lines that are trying to load any of these files. (wp-config.php is a common place to hide extra lines like this, but they could be loaded from other files as well.)

    @johnniezombie: Thanks for the input also!

    -Matt R

    Thread Starter Serg1140

    (@serg1140)

    Could you tell me where to send the files to?
    I can also give you access to the website so you can see it.
    How do I see if there are files that do not belong to the core?
    Thanks.

    Plugin Author WFMattR

    (@wfmattr)

    @serg1140: Sorry, I forgot to include my email address for sending the files. It is mattr (at) wordfence.com. Thanks!

    We don’t log into users’ sites, but thank you for offering. To find extra files that don’t belong to the core, you might need to compare a list of files to the original WordPress zip file, or you can replace the normal core folders with the originals (don’t replace wp-content of course, but wp-admin and wp-includes are usually safe to replace if your host doesn’t modify them).

    We also have a guide for cleaning hacked sites here which may help, with more recommendations for finding new/unknown bad files and helping to secure the site:
    How to clean a hacked site using Wordfence

    -Matt R
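
The comparison against the original WordPress zip suggested in the reply above can be scripted. This is an added example, not part of the thread and not Wordfence code. It goes one step beyond the reply by also flagging core files whose contents differ. It assumes the official archive layout (every entry under a top-level `wordpress/` folder); the function names and the sample data in `demo()` are constructed for illustration.

```python
import hashlib, io, os, tempfile, zipfile

CORE_DIRS = ("wp-admin/", "wp-includes/")  # folders the reply calls safe to compare

def core_manifest(zip_file):
    """Map relative path -> SHA-256 for core files in a pristine WordPress zip."""
    manifest = {}
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            rel = info.filename.split("/", 1)[-1]  # drop leading "wordpress/"
            if not info.is_dir() and rel.startswith(CORE_DIRS):
                manifest[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest

def audit(site_root, manifest):
    """Return (extra, modified) file lists, relative to site_root."""
    extra, modified = [], []
    for top in CORE_DIRS:
        for dirpath, _, names in os.walk(os.path.join(site_root, top)):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, site_root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                if rel not in manifest:
                    extra.append(rel)       # not shipped by WordPress at all
                elif manifest[rel] != digest:
                    modified.append(rel)    # shipped, but contents differ
    return sorted(extra), sorted(modified)

def demo():
    """Constructed sample: tiny stand-in core zip, site with one planted file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wordpress/wp-admin/index.php", "<?php // core\n")
        zf.writestr("wordpress/wp-includes/version.php", "<?php // v\n")
    buf.seek(0)
    site_files = {"wp-admin/index.php": "<?php // core\n",
                  "wp-includes/version.php": "<?php // edited\n",
                  "wp-admin/maint/repair_backup.php": "<?php // unknown\n"}
    with tempfile.TemporaryDirectory() as site:
        for rel, body in site_files.items():
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", newline="") as fh:
                fh.write(body)
        return audit(site, core_manifest(buf))

if __name__ == "__main__":
    print(demo())
```

For a real site, pass the path of the downloaded zip that matches the installed WordPress version to `core_manifest()` and the site's document root to `audit()`. Entries in the extra list still need manual review, since some plugins place their own files under wp-admin.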

    Thread Starter Serg1140

    (@serg1140)

    I sent the files.
    Could you tell me if you show anywhere that there are files that do not belong to WP?
    Thanks

    Plugin Author WFMattR

    (@wfmattr)

    Currently, extra files are not identified separately unless they appear to be malicious, but we do have a feature request open to possibly add that in a future version. Our reference number for this is FB602. Some plugins (unfortunately) put files in inappropriate places, including wp-admin, so there is a chance of false positives that may cause trouble with other plugins, but we’ll try to make that clear when these files are found.

    -Matt R

  • The topic ‘Wordfence does not see infected files.’ is closed to new replies.