That wasn't my point. Certainly the plugin author's site is struggling with infection issues as Google's safe browser diagnostic shows (as well as Sucuri's scan):
My point though is that all tools except yours say that sites with a plugin from the Author are NOT infected.
The reason is context. The jQuery plugin in the theme is GPL/Open Source. The license requirements are that the author is given attribution, hence his contact info in the comment block at the top.
A URL in a comment block does not make a site infected. There's no malware on my blog, the URL isn't in the executable code, nor is the URL presented in any form to a visitor such that they could use it to click through to the author's site.
There's no risk of Google blocking my site, as Google knows the difference between code and comment. As I said, I've run my site through Google's webmaster tools and safe browser diagnostic page. It sees the difference between the plugin author's site, and mine (with a plugin by the author in a theme).
The trust of Google or the plugin author isn't in question. I'm pointing out that it's the trust in WordFence that's in question. If WordFence cannot tell the difference between a URL in an HTML or executable code block, and one in a comment block (shouldn't a positive hit at least check if the line begins with a comment character?), how can we have faith in its ability to deal with the real stuff? Trivial false positives only hurt the brand. Either because trust is eroded, or it gets lumped in with the snake oil like Registry booster/optimizers using false positives to inflate a sense of the product doing something worthwhile.
Such as with the weak password checking. After reading WordFence's reply to another post that someone made after WordFence not finding their planted weak password, I just went and followed up with creating 11 accounts using a random pick from the 25 most used passwords of 2012 from the millions of hacked ones, plus the top 30 released in the LinkedIn hack.
After a WordFence scan (and breaking the GPL by removing the plugin author's attribution link from the comment section) I get "Congratulations! you have no security issues on your site".
Really? I have users with a password of "password" or "12345" or "letmein" and I have no security issues because WordFence "Started password strength check" at 8:51 on my site?
I love the Alerts, Login Security, and Firewall rules. It's just that with issues like the above, I have to wonder if they're doing what they say they're doing too?
Please reconsider addressing the above and restoring faith.
(edit: I see that, of the 86 passwords in wfDict.php, 2 match ones from the set of 11 that I tried.
1. Perhaps there's a bug in the hash matching
2. Perhaps the list should at least contain the very public list of the 25 most commonly used passwords released every year by SplashData? http://www.splashdata.com/press/PR121023.htm
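
The comment-versus-code check the post asks about, as an added example that is not part of the original post and is not Wordfence's code: a small JavaScript scanner that reports whether each occurrence of a flagged host sits in a comment or in live code. The function names, the two sample sources and the host `plugin-author.example` are constructed for illustration.

```javascript
// Added example (not Wordfence code). Assumptions: regex literals and
// template-literal ${} expressions are not parsed.
function classifyHostHits(source, host) {
  const lower = source.toLowerCase();
  const needle = host.toLowerCase();
  const hits = [];
  let state = "code"; // code | line | block | string
  let quote = "", esc = false, line = 1;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    const two = source.slice(i, i + 2);
    // Classify a hit by the lexical state at its first character.
    if (lower.startsWith(needle, i)) {
      const inComment = state === "line" || state === "block";
      hits.push({ line, context: inComment ? "comment" : "code" });
    }
    if (state === "code") {
      if (two === "//") { state = "line"; i++; }
      else if (two === "/*") { state = "block"; i++; }
      else if (ch === '"' || ch === "'" || ch === "`") { state = "string"; quote = ch; }
    } else if (state === "line") {
      if (ch === "\n") state = "code";
    } else if (state === "block") {
      if (two === "*/") { state = "code"; i++; }
    } else if (esc) {
      esc = false; // escaped character inside a string
    } else if (ch === "\\") {
      esc = true;
    } else if (ch === quote || (ch === "\n" && quote !== "`")) {
      state = "code"; // closing quote, or unterminated string at end of line
    }
    if (ch === "\n") line++;
  }
  return hits;
}

// A hit in live code is actionable; a comment-only hit is informational.
function severity(hits) {
  if (hits.some((h) => h.context === "code")) return "critical";
  return hits.length ? "info" : "clean";
}

// Constructed samples; plugin-author.example is a placeholder host.
const ATTRIBUTION_ONLY = ["/*", " * Slider plugin (constructed sample)",
  " * Author: http://plugin-author.example/", " */",
  "function init() { return 'ok'; } // see plugin-author.example/docs"].join("\n");
const LOADED_IN_CODE = ["// loader", "var s = document.createElement('script');",
  "s.src = 'http://plugin-author.example/x.js';"].join("\n");
```

Tracking string state matters here: the `//` inside `'http://...'` must not be read as the start of a comment, otherwise a URL that is actually loaded by the code would be misreported as comment-only.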