I recently had a security issue where a hacker had added an extra file to the following directory:
wp-includes/js/tinymce/utils/
The file was named “wp-tinymce.php” which is the name of a file from the parent directory, but doesn’t belong in this directory. Also, the file was about 10 times larger than normal. A Wordfence malware scan did not detect the file. My hosting company flagged it as malicious, and gave me the all-clear once I deleted it.
Is there a known reason why the Wordfence scan didn’t catch this file? (In fairness, Sucuri Sitecheck didn’t catch it either.)
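An integrity check for the situation described in the post, as an added example that is not part of the original post and is not Wordfence's or WordPress's own code: it flags any file under the core directories that is absent from a manifest of known core files, and notes when the file's name duplicates a real core file elsewhere. The manifest shape (relative path mapped to MD5), the function names and the sample tree are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # directories expected to hold only core files

def md5_of(path):
    h = hashlib.md5()  # used only to compare against the manifest, not as a security hash
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_core(root, manifest):
    """Return sorted (relative_path, finding) pairs for files that differ from the manifest."""
    by_name = {}
    for rel in manifest:
        by_name.setdefault(os.path.basename(rel), []).append(rel)
    findings = []
    for top in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in manifest:
                    twin = by_name.get(name)  # same file name exists elsewhere in core
                    note = f"; borrows name of {twin[0]}" if twin else ""
                    findings.append((rel, "not a core file" + note))
                elif md5_of(full) != manifest[rel]:
                    findings.append((rel, "checksum mismatch"))
    return sorted(findings)

def build_demo():
    """Constructed sample tree: one genuine file plus an extra file like the one in the post."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "wp-includes", "js", "tinymce")
    os.makedirs(os.path.join(good, "utils"))
    with open(os.path.join(good, "wp-tinymce.php"), "wb") as fh:
        fh.write(b"<?php // constructed stand-in for the genuine file\n")
    manifest = {"wp-includes/js/tinymce/wp-tinymce.php": md5_of(os.path.join(good, "wp-tinymce.php"))}
    with open(os.path.join(good, "utils", "wp-tinymce.php"), "wb") as fh:
        fh.write(b"<?php // constructed placeholder for the extra file\n" * 10)
    return root, manifest

if __name__ == "__main__":
    for rel, finding in audit_core(*build_demo()):
        print(rel, "->", finding)
```

A check of this kind does not depend on recognising the file's contents, only on the file not belonging to the known set.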