• Resolved Context Canada

    (@context-canada)


    While using the plugin to identify and remove the malware on a site, I was surprised to discover that a functions.php file in the child theme was not flagged! It was only after I had removed all of the other files that I realized that there was still an outside link to another site and that the source for that link was coming from a functions.php file in the child theme. I had no recollection of ever adding that file to the child theme, so I was wondering why the scan did not identify it. There was malicious code (eval 64) in the file. Is there an explanation for this? Otherwise the scan was a great help, as there were at least a dozen files that needed to be removed.
    Thanks,
    Terry

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Yes, there is a reason for that.

    You are probably talking about the “Core Integrity Checks”, which is the tool that scans the WordPress core directories searching for added, modified, and removed files. This tool is powered by a file system scanner that only reads the content of the files inside the wp-admin, wp-includes, and /root directories; the content directory is ignored because the only things that are in that location (in the official WordPress archives) are two basic plugins and fewer than three themes.

    The files inside the content directory (as well as the rest of the project) are monitored by the “Main FS Scanner”, which is a tool that runs with a WordPress scheduled task every six, twelve, or twenty-four hours depending on the configuration that you have chosen from the plugin’s settings page.

    It is probable that the file(s) that you found infected with malicious code were flagged not by the “Core Integrity Checks” but by the “Audit Logs Monitor” only if the file(s) was/were added in the range of time when the scheduled task is executed.

    It is worth clarifying (for people that may be new to our services) that this plugin is intended to be used as a complementary tool by our premium clients. They are protected by our Website Antivirus, our Web Application Firewall – CloudProxy, and our Security Analysts, who work 24/7 to protect the business of several companies.

    Note. I can provide more information about the functionality of the scanners implemented in the plugin if you require. I hope that your original question was answered with this comment.
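
Added example, not part of the original thread and not the plugin's own code: a small Python sketch of why a scan scoped to wp-admin, wp-includes and the site root cannot see a child theme's functions.php, while a whole-site pass does. The directory scope comes from the reply above; the regex heuristic, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Scope taken from the reply above: wp-admin, wp-includes and the site root.
# Treating "root" as files directly in the root is an assumption.
CORE_DIRS = ("wp-admin", "wp-includes")

# Assumed heuristic, not the plugin's signatures: eval() wrapped around a decoder.
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def in_core_scope(root: Path, path: Path) -> bool:
    parts = path.relative_to(root).parts
    return len(parts) == 1 or parts[0] in CORE_DIRS

def scan(site_root, core_only: bool) -> list:
    """Return relative paths of PHP files that match the heuristic."""
    root = Path(site_root)
    hits = []
    for path in root.rglob("*.php"):
        if core_only and not in_core_scope(root, path):
            continue  # wp-content (themes, plugins, uploads) is never read
        if OBFUSCATED_EVAL.search(path.read_bytes()):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_site(site_root) -> None:
    """Constructed sample tree; the base64 string decodes to 'constructed'."""
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-includes/version.php": b"<?php $wp_version = 'x';",
        "wp-content/themes/child/functions.php":
            b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));",
        "wp-content/themes/child/footer.php": b"<?php echo base64_decode($x);",
    }
    for rel, body in files.items():
        target = Path(site_root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print("core-only scope:", scan(tmp, core_only=True))
        print("whole site:     ", scan(tmp, core_only=False))
```

A pattern match like this only surfaces candidates for review; a bare `base64_decode` call without `eval` (as in the sample footer.php) is deliberately not reported.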

    Thread Starter Context Canada

    (@context-canada)

    Thanks for the prompt reply. It is nice to have a better understanding of how the plugin works. If I had not used the plugin I would have removed the functions.php file and then it would probably have been hacked again because I wouldn’t have looked for the other files.

  • The topic ‘Sucuri failed to identify a added/modified file’ is closed to new replies.