I wondered why Sucuri always displays those same malware error messages even though I already cleaned everything. I thought Sucuri was nuts. So yes, their plugin actually bases the results on cached results.
If you want to have the updated results of Sucuri’s scan of your blog, make sure you click the RE-SCAN button in their site so the cached result will be the latest one that the plugin will use its report on.
While browsing through some of my folders, I noticed that wp-includes and all its subfolders exposed the file listing. This is a bad thing. Nobody should ever know what it inside your site’s folders. The plugin Silence is Golden Guard helped free my blog sites totally of those malware iframe error messages.
This plugin basically adds an index.php file in every folder of your blog site. There is nothing more this PHP file can do except just idle itself and show a blank screen in the browser whenever someone attempts to browse folders in your blog.
I believe the developer should at least put another option to have index.html instead of index.php. One may never know if the blog may get infected again. At least those PHP code will be useless inside an HTML file.