Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Thank you for contacting us. You may have a compromised password, or there may be other files on your server that are responsible for placing the code in header.php. It is best to follow this guide on cleaning hacked sites — you may have a new infection that is different from all of the signatures included in scans:
    How do I clean my hacked site using Wordfence?

    If the high sensitivity scan finds additional files, you can send them to samples [at] wordfence.com, so they can be reviewed and included in future scans.

    If removing a file breaks the site, check wp-config.php for an “include” or “require” statement with that file’s name.

    I have this problem also..
    Removed all the code in header.php 2 days ago and changed all my passwords. Now it is back again..

    What can I do?

    The other thread about this closed so I’m here to say I’ve changed all passwords, am running the latest versions of everything and the problem is back after two days. What more can I do?

    Thread Starter VickeyWilliams

    (@vickeywilliams)

    Sorry you all got hit with this redirect. Such a pain to get rid of it. I forgot to upgrade WordPress etc. on one site on my account and it ended up infecting all 6 sites. It’s been 2 weeks now and I may have solved the problem.

    I did the following after deleting the obvious js code in the header.php file.

    1. Updated everything WordPress/themes/plugins
    2. Changed passwords and user names, ON EVERYTHING!!! I don’t use admin as a user name any longer.
    3. Got rid of all plugins and themes I wasn’t using. Though I like to keep one default WordPress theme, but it needs to be updated also.
    4. Installed Wordfence, it did discover some code with a “GLOBAL” line in it on other pages, not sure it was related but I deleted those files and any files Wordfence called out. That line was in a contact form plugin and older themes if I recall. Sorry didn’t keep that line of code.
    5. I also started logging in from another browser thinking Safari may have been a problem.
    6. I did sign up for Sitelock through my host and elected to go for the version that fixes problems. I set this up on one account.

    I monitor my sites with Wordfence now and have Sitelock on the main one.

    Free from this hack now for a week, keeping my fingers crossed that it’s gone.

    You may want to review this link I found helpful.

    https://www.malwareremovalservice.com/wordpress-header-php-var-a1aqapkrv02vrg-injection/

    Plugin Author WFMattR

    (@wfmattr)

    VickeyWilliams: Thanks for the details on how you fixed your site! I’ve heard of a couple other people who had similar issues on their sites, where there were multiple sites on the same hosting account, and an outdated WordPress installation or outdated plugin on one of the other sites affected all of them.

    DebraCuming & 007dutchy: Have you tried following the guide for cleaning hacked sites yet? It is a long process, but there are deeper Wordfence scans as part of the process that can clean up additional files not found in the regular scans:
    How do I clean my hacked site using Wordfence?

    I think the forum mods closed the other thread because there were too many people on it, and the forum rules ask to have each person’s issue as a separate topic. (Sorry, plugin authors aren’t able to re-open them or change the rules, even in cases like this.)

    As Vickey mentioned, if you do have other sites on your hosting account, make sure those are all updated as well. Even if you have other non-WordPress sites, if they’re outdated, those could be a problem too. If Wordfence finds any new files in the deeper scans, they might not all be malicious — you can send them to us if you are unsure if a file is bad or not.
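
Added example, not part of any reply in this thread and not Wordfence code: a Python sketch of the two checks suggested above, looking in wp-config.php for an "include" or "require" statement and repeating the check for every site on the same hosting account. It assumes that anything other than the stock `wp-settings.php` require deserves a manual look (hosts and plugins sometimes add legitimate lines); the sample tree and file names are constructed.

```python
import os
import re
import tempfile

# include/require (optionally _once), capturing the argument up to the semicolon.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+);", re.I)
STOCK_TARGET = "wp-settings.php"  # the only file a stock wp-config.php loads

def extra_includes(config_path):
    """Return [(line_number, line)] for include/require statements other than the stock one.
    Comment lines are not skipped on purpose: a false positive is cheap to review."""
    hits = []
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            args = [m.group(1) for m in INCLUDE_RE.finditer(line)]
            if any(STOCK_TARGET not in arg for arg in args):
                hits.append((lineno, line.strip()))
    return hits

def audit_account(account_root):
    """Check every wp-config.php under the hosting account, not just the site that looks infected."""
    report = {}
    for dirpath, _dirs, files in os.walk(account_root):
        if "wp-config.php" in files:
            path = os.path.join(dirpath, "wp-config.php")
            hits = extra_includes(path)
            if hits:
                report[os.path.relpath(path, account_root)] = hits
    return report

def build_sample(root):
    """Constructed sample: two installs on one account; site2 has an added include."""
    stock = "<?php\ndefine('DB_NAME', 'example');\nrequire_once ABSPATH . 'wp-settings.php';\n"
    added = "<?php\n@include 'wp-content/uploads/example-added-file.php';\n" + stock[6:]
    for site, body in (("site1", stock), ("site2", added)):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "wp-config.php"), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for cfg, hits in audit_account(tmp).items():
            for lineno, line in hits:
                print(f"{cfg}:{lineno}: {line}")
```

To run it against a real account, call `audit_account()` with the account's home directory instead of the constructed sample; statements split across several lines are not detected by this line-by-line match.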

  • The topic ‘Wordfence not seeing javascript hack’ is closed to new replies.