• Resolved ianro

    (@ianro)


    Ever since the last WordPress upgrade, Wordfence keeps reporting that there are malicious files but does not seem to stop the attacks anymore:

    Below is the last example of the reported malicious uploads: (is backupbuddy creating a backdoor?)

    Critical Problems:
    * File appears to be malicious: .well-known/index.php
    * File appears to be malicious: .well-known/pki-validation/index.php
    * File appears to be malicious: cgi-bin/index.php
    * File appears to be malicious: index.php
    * File appears to be malicious: ip7f4nfb1x_index.php
    * File appears to be malicious: wp-config.php
    * File appears to be malicious: wp-content/plugins/ultimate-tinymce/artlytny.php
    * File appears to be malicious: wp-includes/PHPMailer/hqlndrvc.php
    High Severity Problems:
    * Unknown file in WordPress core: wp-includes/PHPMailer/hqlndrvc.php
    * WordPress core file modified: index.php
    * Publicly accessible quarantined file found: wp-content/plugins/backupbuddy/destinations/_s3lib2/aws-autoloader.php.suspected

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @ianro and thanks for reaching out to us!

    Wordfence detects known malicious files and files that have suspicious code. In most cases, you will want to repair or remove the file, but you should investigate the contents first, just in case these are known files that you use and might want to whitelist instead.

    Do any of these file locations seem familiar? Are any of them used for your site? You can try to repair or delete these files directly from the Scan Results. I recommend backing your site up if you’re not sure what these files are.

    If you do find these to be malicious, I would recommend having all of your admin accounts change their passwords and set up 2FA to add an extra layer of security.

    Let me know what you find or if this helps!

    Thanks!

    Thread Starter ianro

    (@ianro)

    Thanks for taking the time to reply

    Fortunately my web hosting company cleared all the listed malicious files. I have taken some extra precautions cleaning up the site, so I will wait to see if it happens again.

    I will mention a couple of things, in case they are of interest. After the site had been cleaned, the Wordfence scan kept stopping. The hosting support had to raise the PHP execution time limit several times to get it to run the full test. When I then tried it on Firefox, it stopped again. However, when I ran it on Chrome it worked fine.

    The other thing, which I appreciate may not be relevant, is that there were several subdirectories not associated with WordPress. All the index files in these subdirectories (which did not show up on the Wordfence scan) had been renamed by adding a .bak to the name (so index.html became index.html.bak) and a malicious file index.php added.

    Finally (and again this may not be relevant to you) WordPress itself picked up a critical issue (not reported by Wordfence), as follows:
    Some files are not writable by WordPress:
    index.php

    Thanks again
    Ian

    Plugin Support WFAdam

    (@wfadam)

    Hello again @ianro

    Thanks for letting us know this has been resolved!

    I would definitely recommend changing your password and also any other admins to this site. I would also recommend setting up 2FA on all of your admin users.

    You can also change the settings to have Wordfence scan subdirectories if you wanted.

    This is a very powerful option that lets you broaden your Wordfence scan to also include files outside your WordPress installation.

    A regular Wordfence scan looks at the following: wp-admin, wp-content, wp-includes, all subdirectories of those directories, common directories at some hosts like cgi-bin and .well-known, and all files in your base WordPress directory. But when you enable this option, we scan all subdirectories of your WordPress installation, even if they aren’t part of WordPress. So if you have a directory that is a phpmyadmin installation or a Drupal installation, we will dive down into those directories looking for malicious code and infections, too.

    You should note two caveats: First, enabling this may cause scans to take significantly longer on some sites, and in some cases they may never finish, because they consume too many resources on the server and are killed by the hosting company. Secondly, in rare cases, we see circular symbolic links, device directories and other files or directories that are not designed to be read as normal files or can lead Wordfence on a circular path and cause it to scan indefinitely. If you are having trouble with your scans taking too long or not finishing, make sure you disable this option.

    Thanks again for your support and information!
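
The following script is an added example, not code from Wordfence or from either participant in this thread. It ties together two points made above: the pattern ianro describes (an index.html in a directory that is not part of WordPress renamed to index.html.bak and an index.php dropped next to it, in directories a regular scan does not look at), and the scan-scope description in the reply (a regular scan covers wp-admin, wp-content, wp-includes, the base directory, cgi-bin and .well-known; scanning every subdirectory can be derailed by circular symlinks). The walker refuses to follow symlinked directories, caps its depth, and tracks inodes so a circular link cannot make it run indefinitely. The set of "core" directory names and the sample site layout are assumptions built for the example; the sample tree is constructed in a temporary directory and contains placeholder files only.

```python
#!/usr/bin/env python3
"""Walk a site root, list files that sit outside the WordPress directories a
regular scan covers, and flag directories where index.* was renamed to .bak
and an index.php appeared (the pattern described in the thread above)."""
import os
import tempfile
from pathlib import Path

# Assumption: top-level directories a regular scan already covers, taken from
# the reply above. Everything else under the site root is "outside WordPress".
CORE_DIRS = {"wp-admin", "wp-content", "wp-includes", "cgi-bin", ".well-known"}


def is_outside_wordpress(rel_dir):
    """rel_dir is a POSIX-style path relative to the site root ("" = root)."""
    if rel_dir in ("", "."):
        return False  # files in the base directory are scanned anyway
    top = rel_dir.split("/", 1)[0]
    return top not in CORE_DIRS


def walk_site(root, max_depth=20):
    """Yield (rel_dir, sorted filenames) for each directory under root.

    Symlinked directories are never descended into, depth is capped, and each
    directory inode is visited once, so a circular link (the caveat in the
    reply) cannot keep the walk going forever."""
    root = Path(root)
    seen = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        depth = 0 if rel == "." else rel.count("/") + 1
        st = os.stat(dirpath)
        key = (st.st_dev, st.st_ino)
        if key in seen or depth >= max_depth:
            dirnames[:] = []  # stop descending here
            if key in seen:
                continue
        seen.add(key)
        # Drop symlinked subdirectories before os.walk uses the list.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        yield ("" if rel == "." else rel), sorted(filenames)


def find_swapped_index(root):
    """Return rel_dirs containing both an index.php and an index.*.bak file."""
    hits = []
    for rel, files in walk_site(root):
        fset = set(files)
        has_bak = any(f.startswith("index.") and f.endswith(".bak") for f in fset)
        if "index.php" in fset and has_bak:
            hits.append(rel)
    return sorted(hits)


def files_outside_wordpress(root):
    """Return rel paths of files a regular (non-broadened) scan would not see."""
    out = []
    for rel, files in walk_site(root):
        if is_outside_wordpress(rel):
            out.extend(f"{rel}/{f}" for f in files)
    return sorted(out)


def build_sample_site():
    """Constructed sample layout for the example (placeholder contents only)."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    for d in ["wp-admin", "wp-content/plugins/backupbuddy", "wp-includes/PHPMailer",
              "cgi-bin", ".well-known/pki-validation", "legacy-site/gallery",
              "phpmyadmin"]:
        (root / d).mkdir(parents=True)
    (root / "index.php").write_text("<?php // core placeholder\n")
    (root / "wp-config.php").write_text("<?php // config placeholder\n")
    (root / "wp-includes/PHPMailer/PHPMailer.php").write_text("<?php // placeholder\n")
    # A non-WordPress subdirectory with the renamed-index pattern.
    (root / "legacy-site/index.html.bak").write_text("<html>old</html>\n")
    (root / "legacy-site/index.php").write_text("<?php // dropped file placeholder\n")
    (root / "legacy-site/gallery/index.html").write_text("<html>gallery</html>\n")
    (root / "phpmyadmin/index.php").write_text("<?php // placeholder\n")
    try:
        # Circular symlink: legacy-site/loop -> legacy-site itself.
        os.symlink(".", root / "legacy-site" / "loop")
    except OSError:
        pass  # symlinks unavailable on this platform; the walk still works
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("Directories with index.* -> .bak plus index.php:", find_swapped_index(site))
    print("Files a regular scan would not cover:")
    for path in files_outside_wordpress(site):
        print("  ", path)
```

Run it against a real site root instead of the sample tree by passing the path to `find_swapped_index` and `files_outside_wordpress`; the symlink and depth guards are what keep it from stalling the way the reply warns a broadened scan can.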

    Thread Starter ianro

    (@ianro)

    Thanks again for such a prompt reply

    I will look into these and update

    Thanks again

    Ian

  • The topic ‘Wordfence reporting malicious uploads, but not stopping them’ is closed to new replies.