A few months ago we found Malware on our websites. We were able to track down it was being injected with powershell. We found the corrupt files and removed them. We also removed all admin users except for two people and make sure our plugins were updated.
We are now running into this issue again. Even if we delete the file, it reappears in another file.
From what we can gather, the malware does not appear for everyone. It is inconsistent. It may appear right when entering the site or after navigating a few pages.
Once it pops up, it provides a CAPTCHA and then asks users to take additional steps for “extra verification”.
The sites it is active on is:
Here is a screenshot of the Malware screen: https://prnt.sc/_LxsdIEFlk1f
Can we get help figuring out where this is coming from and what to do?
Actions we have taken so far:
– Removed all users from sites
– Removed FTP users
– Added 2FA
– Scanned with Wordfence (Nothing found)
– Reached out to WPEngine who reached out to Securri (Nothing found)