• I was in the process of updating my blocked list on WordFence in response to a Loginizer (not WordFence) warning of repeated brute force attempts (unsuccessful) by IP: 91.200.12.91. I was successful in adding that IP as well as a few others flagged in the past two days as one-time attempts.

    Suddenly, I lost control of my WP dashboard and it redirected to a porno site. Now, the site and the subdomains (on separate WP builds) redirect there. I scrubbed with 7 updated antivirus and antirootkit packages (I know the drill), each reporting NO malware.

    When I went onto the cPanel I discovered my domain build was no longer on the Softaculous panel. The others are there, but that domain has vanished.

    Also, just after losing dashboard access, a visitor to the site from IP: 208.79.238.6 applied the following link: domain/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=7438c0576df1326c6e6819b2

    Soon after, the same IP used: /wp-cron.php?doing_wp_cron=1469305786.8442070484161376953125

    Then, IP: 91.200.12.33 introduced /wp-content/themes/purevision/style.css and /wp-content/themes/u-design/style.css (Obviously, that is NOT me).

    Then, IP: 208.79.238.6 came back to introduce /wp-admin/admin-ajax.php?action=wordfence_testAjax followed by /wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=7438c0576df1326c6e6819b2
    followed by /wp-cron.php?doing_wp_cron=1469324915.2252190113067626953125

    Now, I had a WP developer (another top rated plugin) two days ago check some of my OTHER sites and they noted “something is wrong with WordFence” but Wordfence and all the other plugins were current. Each was operating perfectly as well as the theme. So, seeing WordFence clearly in the above activity just after I lost access to the domain and four subdomains is highly suspect.

    Oh, all the other sites are operating with WordFence okay… for now. And, yes, I have backups.

    https://wordpress.org/plugins/wordfence/

Viewing 1 replies (of 1 total)
  • Hi livingrelaxed,

    First off, sorry you got hacked. That creates some tough times. Sounds like you took some good steps to getting it worked out though.

    Based on the info you provided, I do not think this is any kind of vulnerability in Wordfence. More than likely the 208.79.238.6 is a web server, possibly the server your websites were hosted on, and it is calling for Wordfence to run a scan based on the WordPress built-in cron system. Even if it isn’t your own server, this would still only run the scan. It isn’t any kind of entry point or weakness.

    Feel free to send compromised files (zipped or attached with .malware or .hack appended to the filename) to samples@wordfence.com and we will take a look. Wish you the best.

    Landon
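
One way to test the reply's explanation against an access log, as an added example that is not part of the original thread and not Wordfence's own code: it labels cron and Wordfence AJAX requests as loopback or externally triggered, and flags requests for themes the site does not have. The log lines are constructed, and the server address and installed-theme set passed in are assumptions to replace with your own values.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format). IPs and paths come from the
# thread; timestamps, status codes, sizes, the cronKey placeholder and the
# 203.0.113.7 line (documentation address range) are invented for illustration.
SAMPLE_LOG = """\
208.79.238.6 - - [23/Jul/2016:20:29:44 +0000] "GET /wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=EXAMPLE HTTP/1.0" 200 20
208.79.238.6 - - [23/Jul/2016:20:29:46 +0000] "POST /wp-cron.php?doing_wp_cron=1469305786.84 HTTP/1.0" 200 0
91.200.12.33 - - [23/Jul/2016:21:02:10 +0000] "GET /wp-content/themes/purevision/style.css HTTP/1.1" 404 512
91.200.12.33 - - [23/Jul/2016:21:02:11 +0000] "GET /wp-content/themes/u-design/style.css HTTP/1.1" 404 512
208.79.238.6 - - [24/Jul/2016:01:48:33 +0000] "GET /wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0" 200 20
203.0.113.7 - - [24/Jul/2016:02:00:00 +0000] "GET /wp-cron.php?doing_wp_cron=1469325600.00 HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
THEME_RE = re.compile(r"^/wp-content/themes/([^/]+)/")

def classify(target, ip, server_ips, installed_themes):
    """Label one request: loopback, external-trigger, theme-probe or other."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    action = query.get("action", [""])[0]
    is_cron = url.path.endswith("/wp-cron.php") and "doing_wp_cron" in query
    is_wf = url.path.endswith("/admin-ajax.php") and action.startswith("wordfence_")
    if is_cron or is_wf:
        # Scheduled work is normally started by the server calling itself.
        return "loopback" if ip in server_ips else "external-trigger"
    theme = THEME_RE.match(url.path)
    if theme and theme.group(1) not in installed_themes:
        return "theme-probe"  # asks for a theme this site does not have
    return "other"

def triage(log_text, server_ips, installed_themes):
    """Return {ip: {label: count}} for every parseable log line."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, target = m.groups()
            report[ip][classify(target, ip, server_ips, installed_themes)] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

if __name__ == "__main__":
    # Assumptions: 208.79.238.6 is the hosting server; only twentysixteen is installed.
    print(triage(SAMPLE_LOG, {"208.79.238.6"}, {"twentysixteen"}))
```

An address that only ever shows up as `loopback` fits the explanation in the reply; `external-trigger` and `theme-probe` entries are the ones to follow up in the rest of the log.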

  • The topic ‘A WordFence cronkey has redirected my site and several subdomains’ is closed to new replies.