Hi @athabussiness1
Wordfence protects against a vast variety of web attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are new (commonly referred to as “zero days”) and no one has written a signature for it yet . The same goes for servers.?
Regarding how they gained entry, here are some possible scenarios:
- Are there other sites hosted on the same hosting account? If so, they could have been infected and spread the infection to this site
- You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it
- Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or via another hacked site on the same server
- The hosting accounts on the server are not properly isolated on the server so the hacker has access to your database via another user’s database
- The server software has vulnerabilities that allow the hacker to get root access
- You were actually hacked many months ago, but the backdoor was not activated until now
- You have a compromised hosting account (Change your password immediately)
- You have a compromised FTP/SSH account (Remove any accounts you don’t need and change the passwords on the ones you do)
As you can see, there are many ways that your site could be compromised. We can only protect you from attacks directly on your website, however once an attacker gains access, they usually leave behind evidence that we pick up with our scanner. ?I hope this helps to clarify.
If the files keep coming back, it means the infection is deeper than once expected, and may need a more thorough cleaning job that the scanner cannot fix.
thanks,
Joshua
