Hi @blferraz, thanks for getting in touch.
In immediate response to the .user.ini file without seeing the contents, I would suspect this kind of file should be in the root of your site rather than inside the WordPress core files – which is why Wordfence has picked it up. You could always take a site backup (or at least a backup of this file), delete it as advised and then ensure your site is still working correctly afterwards. It has been known for some hosts to create files such as php.ini, .htaccess and .user.ini inside multiple directories so if it persistently comes back it could be worth checking in with your host to see if it’s coming from them.
If you recently cleaned the site, you can take a look at our checklist to ensure all of the steps were followed if you haven’t already. I just provide it here for convenience:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
If your WordPress core files, plugins and themes are all up to date, also make sure your passwords for your hosting control panel, FTP, WordPress admin users, and database are different to when your site was compromised.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
Wordfence offers a site cleaning service if this persists but there are others out there. Ensure you make regular site backups before changing anything major so that you can roll back to a working state should anything go wrong.
Thanks,
Peter.