wordfence not spotting modified plug-in files

Do you, or did you, happen to have the MailPoet plugin installed on your site? This sounds exactly like what happens with the MailPoet exploit. Sucuri didn’t see the malware at all on our client’s site, and SiteLock and Wordfence caught some, but not all of it.

Even if you don’t currently or never had that plugin installed, if you’re on a shared server, your site could have been infected by another site on your server that has the plugin installed.

Hopefully you have backups of everything from before the date your site was hacked and you can do a complete restoration. The malware backdates files it modifies, so use a backup that is several weeks old if you can. Export your posts first, just in case. Even then you may have some cleanup work.

iThemes Security does a good job of showing the modified files. I’m not a malware expert by any means, but once it’s in, it modifies all of your php files, including Wordfence’s.

The only other option I know of is to edit every php file on your site to remove those top lines of code.

After you clean your site, I’d suggest using Wordfence (of course!) + iThemes (enable “Disable PHP in uploads”) + Bruteprotect + Cloudflare and check your folder and file permissions.

Adding to my previous comment: Make sure you check the Wordfence “Scan Detailed Activity” section of the scan page in the Wordfence dashboard for a list of potential malicious files. Wordfence will show you most of them. Don’t even bother with Sucuri on this.

CrunchyData, thanks for the info. Never had Mailpoet installed on any of my own sites, but I am on a shared server so who knows what else is on there.

I ended up doing a restore ~(twice)and manually editing the files. I’ll take a look at Bruteprotect and cloudfare. I added bulletproof security in the meantime, so far so good.