Wordfence protects against a vast variety of web attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are new (commonly referred to as “zero days”) and no one has written a signature for them yet. The same goes for servers.
Regarding how they gained entry, here are some possible scenarios:
- Are there other sites hosted on the same hosting account? If so, they could have been infected and spread the infection to this site
- You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it
- Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or via another hacked site on the same server
- The hosting accounts on the server are not properly isolated on the server so the hacker has access to your database via another user’s database
- The server software has vulnerabilities that allow the hacker to get root access
- You were actually hacked many months ago, but the backdoor was not activated until now
- You have a compromised hosting account (Change your password immediately)
- You have a compromised FTP/SSH account (Remove any accounts you don’t need and change the passwords on the ones you do)
As you can see, there are many ways that your site could be compromised. We can only protect you from attacks directly on your website. I hope this helps to clarify.
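Added example, not part of the original reply and not Wordfence's code: a read-only check for the wp-config.php scenario in the list above. It assumes a shared host where the sites live under one directory passed as `root`; the function name and result fields are illustrative.

```python
import os
import stat
from pathlib import Path


def audit_wp_configs(root):
    """Find every wp-config.php under root and report risky permission bits."""
    root = Path(root).resolve()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        cfg = Path(dirpath) / "wp-config.php"
        mode = stat.S_IMODE(cfg.stat().st_mode)
        issues = []
        if mode & stat.S_IROTH:
            issues.append("world-readable")
        if mode & stat.S_IWOTH:
            issues.append("world-writable")
        if mode & stat.S_IWGRP:
            issues.append("group-writable")
        # Another account on the server can only open the file if it can also
        # traverse (o+x) every directory from the scan root down to the file.
        chain = [cfg.parent, *cfg.parent.parents]
        chain = [d for d in chain if d == root or root in d.parents]
        traversable = all(
            stat.S_IMODE(d.stat().st_mode) & stat.S_IXOTH for d in chain
        )
        findings.append({
            "path": str(cfg),
            "mode": oct(mode),
            "issues": issues,
            "exposed_to_other_accounts": bool(traversable and mode & stat.S_IROTH),
        })
    return findings


if __name__ == "__main__":
    import sys
    # Usage (assumed layout): python audit.py /home
    for finding in audit_wp_configs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A file flagged `exposed_to_other_accounts` is both readable by other users and reachable through its parent directories; tightening either the file mode or a parent directory's mode closes that path.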
Like I said, I don’t have an issue with how they got in (although I can rule out some of the pointers you’ve mentioned), what is concerning is that the files didn’t ring any bells when (automatically or manually) scanned. I don’t expect a WP site to be Fort Knox but I do expect to find and notify about a JS that’s obfuscated and a code that hides a script from the admin users. That’s a rather basic thing from a malware scanner I’d say.
Thanks for the reply tho’.