Hi @djepayne,
If the code was picked up in both instances by a Wordfence scan, you may need to clean your site to ensure nobody has access through code or an admin account. If you find suspicious code whilst checking your site that was not picked up, by all means send it to samples @ wordfence . com so our Threat Intelligence team can take a look.
We have some helpful resources that may assist you at following checklist:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Before attempting a site cleaning, we always recommend that you make a full backup of the site beforehand.
Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest suitable version. As a rule, any time someone thinks their site has been compromized, they should update their passwords for hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on the site. Make sure to do this as Wordfence is an endpoint firewall that runs after PHP runs, but (in “Extended Protection” mode) before site content is hosted to visitors. This means other access points for databases, control panels, FTP etc. may never load Wordfence.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
Many thanks,
Peter.
