WP 5.1.1
BPS 3.3
MScan results yielded these suspicious files:
/wp-includes/js/tinymce/wp-tinymce.js.gz
/wp-includes/js/codemirror/jshint.js
/wp-includes/random_compat/random_bytes_openssl.php
So, I downloaded the latest zip, removed the entire wp-includes folder and unzipped WordPress into web root thus from ssh:
/home/myname/mysite.com
$ cd ~/
$ mkdir helper
$ cd helper
$ wget http://wordpress.org/latest.zip
$ unzip latest.zip
$ mv wordpress mysite.com
$ zip -ry mysite.com.zip mysite.com
$ ls
latest.zip mysite.com mysite.com.zip
$ mv mysite.com.zip ~/
$ cd ~/mysite.com
$ rm -rf wp-includes
$ cd
$ pwd
/home/myname/
$ ls
helper mysite.com mysite.com.zip
$ unzip mysite.com.zip
Archive: mysite.com.zip
replace myszite.com/xmlrpc.php? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
[ files unzip - too long to list ]
The files scanned are the latest files direct from WordPress in a freshly installed wp-includes folder.
Then I refreshed the browser and re-ran the MScan.
Same results.
What have I missed?