How I Determined This Was A False Positive
I actuallly have been having this issue ever since I wrote a blog, “Fix A Hacked WordPress Website”. In this post, I embedded an actual malicious code as an example.
When visitors view this post, a cache version of this post is automatically generated in the Content Cache Folder. This is exactly what you want, so the post can reload faster the next time it is viewed.
I am using the Wordfence plugin for my security requirements.
So whenever a fresh cached version of this blog is created, Wordfence always flags this file as a Suspicious Malicious File, because it flags the sample malicious file.
To prove this, I downloaded this suspected file and scrutinized it in my text editor.
This file compares to the actually blog post, down to the actual malicious file I posted in this blog.
I just delete this file from the cache folder.
Yes it can be a nuisance, but it is a simple matter of deleting the file within the Wordfence scanner dashboard.
I could just delete this sample malicious script from the blog post.
But I believe by displaying this obfuscated base 64 malicious file as an example,
others may be able to recognize similar code when troubleshooting their own website.
Wordfence is only doing it’s job.
I believe the reason the scan is not targeting the actually post, is because this sample
malicious script is in a web format (similiar to a word document).
While the cache version is broken down into a php script: