• Resolved ontour

    (@ontour)


    I just had an automatic email from my WordPress installation triggered by WordFence, saying that someone with admin privileges had just signed in. Looked at my site, and hey presto I have a single page ‘site’ that goes on about how badly treated the Muslims of the world are and how they’re only hacking to let us all know the truth. If I was on the fence before, now I support going in and nuking them off the planet, but hey, I’m sure I’ll feel better later…
    I’ve gotten back into my site via phpMyAdmin and changed usernames and passwords (they changed my username to another name, even though WordPress says you can’t change usernames!). But now what? Bizarrely my site reappeared without me doing anything at all, but I don’t trust it enough to leave it visible so I’ve put up a temp index.html file saying my site is down. The WP install is still running behind that, but now ‘looks’ to be okay. Obviously it isn’t, but I don’t know what to do – I’ve just done a scan using WordFence and it says all my files are fine! Clearly that’s not right – SOMETHING must be showing this hack. Any assistance gratefully received…

    https://www.ads-software.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)
Plugin Author WFMattR

    (@wfmattr)

    Sorry to hear about the hack. Often, if the username and password were changed, that may mean that they got your database password, or you could have a plugin or theme that is vulnerable.

    We have a guide to cleaning hacked sites, using more strict options in Wordfence, which may find some other bad files, along with some other steps you can take:
    How do I clean my hacked site using Wordfence?

    Did you also change your MySQL password? If they got into the database directly or viewed your wp-config.php while on the site, they may have that.

    I would also recommend checking .htaccess and wp-config.php for anything suspicious. It could be that the content is hidden when you have a certain cookie (like a WordPress login cookie) or other things like that, which could mean that other users may still see it.

    -Matt R

Thread Starter ontour

    (@ontour)

    Thanks for those tips Matt. I’ve viewed my site via private browsing, and via another IP, to make sure I’m seeing what the general public are seeing, and my site is definitely as it should be now. The trouble is though that I haven’t changed any files to make that happen – other than to get my admin access back – so whatever caused the issue is still in there, somewhere. I’d love that feature to check which files have been updated in the past few days, but I don’t have SSH. WordFence stubbornly insists I have no problems, so I’m beginning to wonder if WF itself has been modified by the hacker.

    Plugin Author WFMattR

    (@wfmattr)

    Yes, that is definitely a concern. If you have FTP access and can download the site’s files, or if you have a backup plugin, you may be able to see the file dates, or search through them by date locally. (SSH is definitely easier, unfortunately.) This might or might not help though — often attackers will reset the dates to help the modified files blend in.

    You could check your Plugins page, and make sure there is no new plugin that doesn’t belong. Make sure to also click the “mu-plugins” link at the top of the page, since those aren’t shown in with the regular plugins.

    Did you get a chance to check the wp-config.php and .htaccess files, to be sure those don’t have any unexpected code?

    -Matt R
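An added example (not Wordfence's code and not from anyone in this thread) of the offline check Matt describes for a site copy downloaded over FTP: it lists files modified in the last few days, then hashes every file against a known-clean reference copy so that backdated timestamps do not hide changes, and greps wp-config.php and .htaccess for a few constructs that rarely belong there. The sample directory tree, the reference copy and the suspicious-token list are constructed assumptions.

```python
# Added example, not Wordfence's code: offline triage of a site copy downloaded over FTP.
import hashlib, os, re, tempfile, time
from pathlib import Path

SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|auto_prepend_file", re.I)  # assumed list

def walk_files(root):
    root = Path(root)
    return [(p, p.relative_to(root).as_posix()) for p in root.rglob("*") if p.is_file()]

def recently_modified(root, days=7, now=None):
    """Files touched in the last `days` days by mtime; attackers often backdate this."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(rel for p, rel in walk_files(root) if p.stat().st_mtime >= cutoff)

def diff_against_reference(root, reference):
    """Hash every file against a known-clean copy (e.g. a fresh WordPress download); mtime-proof."""
    sha = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    changed, added = [], []
    for p, rel in walk_files(root):
        ref = Path(reference) / rel
        if not ref.is_file():
            added.append(rel)
        elif sha(ref) != sha(p):
            changed.append(rel)
    return sorted(changed), sorted(added)

def flag_suspicious(root, names=("wp-config.php", ".htaccess")):
    """Map each config file Matt asks about to the first suspicious token found in it."""
    found = {n: SUSPICIOUS.search((Path(root) / n).read_bytes()) for n in names if (Path(root) / n).is_file()}
    return {n: m.group(0).decode() for n, m in found.items() if m}

def build_demo():
    """Constructed sample tree: a clean reference copy and a tampered, backdated site copy."""
    base = Path(tempfile.mkdtemp())
    ref, site = base / "reference", base / "site"
    for d in (ref, site):
        (d / "wp-content" / "mu-plugins").mkdir(parents=True)
        (d / ".htaccess").write_text("RewriteEngine On\n")
        (d / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    cfg, dropped = site / "wp-config.php", site / "wp-content" / "mu-plugins" / "cache.php"
    cfg.write_text(cfg.read_text() + "eval(base64_decode('/* constructed, inert */'));\n")
    dropped.write_text("<?php // constructed dropped file\n")  # mu-plugins run without being listed
    old = time.time() - 90 * 86400  # backdate both so a date-only search misses them
    for f in (cfg, dropped):
        os.utime(f, (old, old))
    return site, ref
```

Run `build_demo()` and then the three checks on the returned `site`: the date search only reports `.htaccess`, while the hash comparison still surfaces the altered wp-config.php and the dropped mu-plugin.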

    Thread Starter ontour

    (@ontour)

    I have been slightly overtaken by events – in my earlier panic, I’d asked my host to restore a recent backup, and while working through the files looking for clues I’d forgotten that request. The site was restored before I’d had a chance to finish with what you’d suggested, and there’s no way now of going back to that. In the *hope* that the restore predates the hacker having access ability (it certainly predates when he logged in as an admin and changed it) I’ve changed all passwords and put it back in public view. I’m just worried still that there was definitely some hacked info that WordFence hadn’t picked up, so I’m not sure I can trust a scan result if I do one again today.

    Thread Starter ontour

    (@ontour)

.htaccess was fine, but I hadn’t got to check wp-config.

    Plugin Author WFMattR

    (@wfmattr)

    Ok. Sometimes restoring from backup is the safest option, so that is certainly understandable. It’s hard to tell if the backup was taken before the attacker had access, like you said, but changing passwords was a good step. We often add new scans to catch the latest types of attacks, so it’s possible if some new type of file was still left behind, that a future scan will catch it.

    If you have any outdated plugins or themes, make sure they are all updated as well. If you have any old plugins and themes that aren’t active (especially any premium plugins/themes that don’t show you when updates are available), it is a good idea to remove them entirely, too. Some vulnerabilities don’t require the plugin/theme to be active.

    -Matt R

  • The topic ‘Hacked, but WordFence reports that everything is fine!’ is closed to new replies.