I suspect Wordfence is not scanning malware in database content. I ran a Wordfence scan which says everything is ok. Then I ran a check from
https://sitecheck.sucuri.net/ - which then gave me a warning of malware.
Infected With SEO Spam
SEO Spam MW:SPAM:SEO?r https://barn1.no/handlekurv/ ( View Payload )
SEO Spam MW:SPAM:SEO?r https://barn1.no/produktinfo/ ( View Payload )
SEO Spam MW:SPAM:SEO?r https://barn1.no/salgsbetingelser/ ( View Payload )Known Spam detected. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?r
</div><a style="text-decoration:none" href="/online-xenical-reviews">.</a></p>So I looked at the pages and I saw this hidden code in the webpages and see the hidden code. It can see this code when I view the page in code view. E.g. this page "handlekurv" which shows this:
[woocommerce_cart]<a style="text-decoration:none" href="/online-xenical-reviews">.</a>
So this is malware inserted into the page. I can remove it then. But the question is why does Wordfence say my site is clean?