One of are users reported a virus infecting the site.
I checked the wp-config.php and sure enough there was a suspicious php string at the top. I ran the Defender scan and the plugin couldn't see it. In the past the defender has removed php virus text in WordPress files without issue.
I need to know how to stop this happening. Does Defender not protect the config file?