Hi @tgreeley, thanks for getting in touch.
Wordfence can certainly help with the process when your site has been compromised, but the initial problem that allowed the malware to take hold might not be clean. In cases such as that, it’s best to follow our site-cleaning instructions.
We always recommend that you make a full backup of the site before making any changes. After this, make sure to remove the suspicious users with administrative access as a priority.
We also advise you to update your passwords for your hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php. Wordfence offers the option to block XML-RPC or at least require 2FA with authentication requests using XML-RPC on the Login Security > Settings page. You can also block it entirely using .htaccess so long as you don’t use the WordPress app or the Jetpack plugin, which require access to it.
Our checklist for you to follow is here:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful. If you are unable to clean this on your own, there are paid services that will do it for you. Wordfence offers one and there are others. Regardless of whether you choose to clean it yourself or let someone else do so, again we remind you to make a full backup of the site beforehand.
Let us know how you get on,
Peter.
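
A check to run before blocking xmlrpc.php as described in the reply above (an added example, not part of the original post or Wordfence code): it counts POSTs to xmlrpc.php and wp-login.php in an access log and flags clients that look like the WordPress app or Jetpack. It assumes the "combined" log format; the sample lines are constructed and the User-Agent markers are assumptions to adjust for your site.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 120 "-" "Jetpack by WordPress.com"
192.0.2.44 - - [10/Mar/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed User-Agent substrings for Jetpack and the WordPress mobile apps.
# A User-Agent can be spoofed, so treat a match as a hint to investigate.
LEGIT_UA_MARKERS = ("jetpack", "wp-android", "wp-iphone")


def summarize(log_text):
    """Count POSTs per login-capable endpoint and group xmlrpc.php callers."""
    posts = Counter()
    xmlrpc_by_ip = Counter()
    legit = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and directory so subdirectory installs match.
        endpoint = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if endpoint not in ("xmlrpc.php", "wp-login.php"):
            continue
        posts[endpoint] += 1
        if endpoint == "xmlrpc.php":
            if any(k in m["ua"].lower() for k in LEGIT_UA_MARKERS):
                legit.add(m["ip"])
            else:
                xmlrpc_by_ip[m["ip"]] += 1
    total = sum(posts.values())
    return {"posts": dict(posts),
            "xmlrpc_share": posts["xmlrpc.php"] / total if total else 0.0,
            "top_xmlrpc_ips": xmlrpc_by_ip.most_common(5),
            "possible_app_or_jetpack_ips": sorted(legit)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `possible_app_or_jetpack_ips` list over a representative log period suggests nothing on the site depends on xmlrpc.php; POST counts are only an approximation of login attempts, since the log does not record the XML-RPC method called.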