Wordfence and Sucuri don’t find the files unfortunately the only possible plugin that would help is Anti-Malware and Brute-Force Security by ELI. I’ve toughened my .htaccess files which is the real solution. Not sure what you know and don’t know, so just ask if you’re not sure.
I assume you have cPanel access to the server. WordPress installations are identical across every site, EXCEPT for: The wp-content folder (Stuff you have uploaded like pics and movies (NOT posts/pages)). The wp-config.php file in the home/top directory.
The MySQL database (Hidden from your view on the server) So……… Go into cPanel and do a search (From the highest level) for: swfobject.js template-loader.php Delete them (They should all be in the wp-includes folders of each site) Download a new copy of WordPress from wordpress Upload it to a new folder on your server Unzip it.
Choose a site (Do all sites to be sure) Delete wp-includes and wp-admin folders. Delete all files in the home/top directory (Except wp-config.php) Go into the ‘new’ folder Copy everything (except the folder wp-content and file wp-config.php) to the site folder (Replacing files and folders)
Now, check EVERY wp-content folder for ANYTHING that is not .jpg, .gif etc. (I.E. Anything you didn’t upload. ANYTHING with .js or .php is likely malware. Delete the .htaccess files (They will regenerate automatically) Personally, I deleted every caching plugin and used the WordFence Falcon engine (under Performance). This also clears the rubbish stored on the server as there are bad pages stored and they will ‘phone home’ when delivered to a browser, thus repeating the cycle.
Also, clear the cache on your browser before viewing the results – EVERY time you view a page (of any of your sites)!! keep it clean fanatically until you have finished. I was using InfiniteWP with great success and still think it’s great, but I ran across MainWP to manage all my sites. MainWP does everything InfiniteWP does and a whole lot more.
With MainWP you can bulk install and activate plugins, and globally control almost every aspect of your sites. I often use it to post articles and install new plugins across many sites. I update all plugins, themes and WordPress updates on a daily basis to ensure I avoid malware and hacking attacks caused by outdated software.