Hi @brisch, thanks for reaching out.
Has the new hosting provider explicitly told you that the static datacenter IP has nothing to do with them? We have seen cases before of some hosts enforcing an allowlisted IP here that returns after a delete and save operation on this page, so it’s not totally out of the question to see.
Are you certain that the site wasn’t already compromised or installed with a vulnerable version of a plugin at the 5-month-old point you restored the backup from? There are naturally other attack vectors outside of WordPress that we don’t control, like database passwords, cPanel access and FTP credentials, so ensure none of these match the site that was already compromised too.
As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
I will provide our site cleaning instructions for you below even though you’ve already gone some way to dealing with this, just in case any steps you haven’t tried can help: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
XML-RPC requests are one of the most common brute force/credential stuffing attack methods, so we always recommend using long unique passwords along with 2FA for your administrative accounts.
Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.
Provided you installed the free version of Wordfence within WordPress’ “Plugins” page, there should be no issue with the validity of the plugin’s files.
Thanks,
Peter.
Thread Starter
Brisch
(@brisch)
Hi, @wfpeter,
- Yes, the provider has! He told me he doesn’t know this IP in France (Austrian provider, EDIS).
- The old provider told me twice that the hack was on 31.8.2023.
- Thanks, I will do that immediately.
Why did Wordfence do nothing? Also, when I ran the scan, Wordfence found nothing. Why?
Thanks, Brisch