TLDR: Does Wordfence scan the WordPress database for malware?
I have a shared hosting and two sites have become badly infected. One had 150+ injected pages there were being used for backlinks (these files all had their own sitemaps, structures, etc all embedded in the site).
After using Wordfence both scans returned over 200+ infected files per site. I cleaned up all those files then followed some instructions online to check for database injections.
In both sites I think I found evidence of injected code in the wp_options table containing <scripts> that are thousands of lines long and seem to try to embed nonsense into the site like a bunch of twitter feeds and articles. I found this by exporting the entire database and pulling it up in a text editor and searching for common malware code based on the articles recommendations.
I should add that I am not an expert on this and maybe the code I have identified is not actually malware. However, I am still curious if Wordfence scans the database.
Thank you for your time.