Hi @marameodesign, thanks for your message and it’s nice to hear Wordfence has been helping you out.
By the sounds of things, there was either a compromise on the server or a vulnerability found that allowed file uploads. You can limit the types of file uploaded and the maximum file size through WordPress itself but there could have been an exploit in one of your plugins to bypass this checking. Do you have automatic updates set so that WordPress and all your plugin versions are kept up-to-date at all times? Are there any abandoned plugins reported in your scans that could’ve been left active?
We do have three of the alerts you mention. In Wordfence > All Options > Email Alert Preferences you can check the boxes for:
- Email me if Wordfence is deactivated
- Email me if the Wordfence Web Application Firewall is turned off
Then, in Wordfence > All Options > General Options we have the following to show in your site scans:
- Scan for suspicious admin users created outside of WordPress
Are you satisfied that your site has been fully cleaned? If not, we have a guide that may be useful here: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.
If you are unable to clean this on your own, there are paid services that will do it for you. Wordfence offers one and there are others. Regardless of whether you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.
Thanks,
Peter.
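
The reply above mentions limiting upload types and maximum file size through WordPress itself. One way to do that, as an added example that is not part of the reply and not Wordfence code: a must-use plugin built on the core `upload_mimes`, `upload_size_limit` and `wp_handle_upload_prefilter` filters. The file name, the allow-list and the 5 MB cap are assumptions to adapt to the site.

```php
<?php
/**
 * Plugin Name: Restrict Uploads (example)
 * Hypothetical location: wp-content/mu-plugins/restrict-uploads.php
 *
 * Only covers uploads that pass through WordPress's own upload handler.
 * A plugin with its own vulnerable upload code bypasses these checks,
 * so keeping plugins updated still matters.
 */

// Assumed policy: extension pattern => MIME type, in the format core uses.
const EXAMPLE_ALLOWED_MIMES = [
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
    'pdf'      => 'application/pdf',
];

// Assumed cap of 5 MB.
const EXAMPLE_MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

// Replace the default list of permitted types with the allow-list.
add_filter('upload_mimes', function ($mimes) {
    return EXAMPLE_ALLOWED_MIMES;
});

// Lower the limit WordPress reports, never raising it above the PHP limit.
add_filter('upload_size_limit', function ($bytes) {
    return min((int) $bytes, EXAMPLE_MAX_UPLOAD_BYTES);
});

// Enforce both rules server-side before the file is moved into uploads/.
add_filter('wp_handle_upload_prefilter', function ($file) {
    // Compares the file name's extension with the detected content type.
    $check = wp_check_filetype_and_ext(
        $file['tmp_name'],
        $file['name'],
        EXAMPLE_ALLOWED_MIMES
    );

    if (empty($check['ext']) || empty($check['type'])) {
        // A non-empty string in 'error' makes WordPress reject the upload.
        $file['error'] = 'This file type is not permitted on this site.';
    } elseif ((int) $file['size'] > EXAMPLE_MAX_UPLOAD_BYTES) {
        $file['error'] = 'This file exceeds the maximum upload size.';
    }

    return $file;
});
```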