Hi @rolandoziel, thanks for getting in touch.
I can’t tell any specifics of the malware’s name or where it’s been placed here, but I can certainly try to assist. As Wordfence runs when PHP runs, an alternative attack vector such as a cPanel, database or FTP password becoming known could be involved – although further details of the files can be sent to samples @ wordfence . com if you believe they should’ve been picked up by our scanner. Just remember to first obscure any passwords and/or salts if any appear in the files.
I would also recommend updating the passwords for your hosting control panel, FTP, WordPress admin users, and database no matter where you think the threat may have come from.
Our site cleaning instructions may have some steps that could’ve been missed or help you reference things you’ve already tried: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for your administrative accounts.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
Thanks,
Peter.
