Hi @louisapple,
When malicious code is picked up by a Wordfence scan, you will need to clean your site to ensure nobody has access through code, a vulnerable plugin, or a rogue admin account. Never post code that can be used to compromise a site on a publicly searchable forum such as here.
We have some helpful resources that may assist you at following checklist:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Before attempting a site cleaning, we always recommend that you make a full backup of the site beforehand.
Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest suitable version. As a rule, any time someone thinks their site has been compromised, they should update their passwords for hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on the site. Make sure to do this as Wordfence is an endpoint firewall that runs after PHP runs, but (in “Extended Protection” mode) before site content is hosted to visitors. This means other access points for databases, control panels, FTP etc. may never load Wordfence.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
If you find suspicious code whilst checking your site that was not already picked up by Wordfence, by all means send it to samples @ wordfence . com so our Threat Intelligence team can take a look.
Many thanks,
Peter.
