I had to clean up a hacked WordPress site recently and one of the steps I took was to scan the entire site with Automattic’s Exploit Scanner.
The scanner needs a hash file for the version of WP you’re scanning, and since the plugin hasn’t been updated in 2 years or so, it doesn’t include one. WordPress has had several security updates since, so the plugin doesn’t even have the hash files for older versions of WP. This is easy enough to solve, since the plugin itself comes with a hashes-generator.php.
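The idea behind a per-version hash file, as an added example (this is not the plugin's code or its hash-file format): build a manifest from a clean copy of the same WordPress release and compare the live site against it. The use of SHA-256, the function names and the skip lists are assumptions made for this sketch, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(clean, site, skip_files=("wp-config.php",), skip_dirs=("wp-content/",)):
    """Return (modified, missing, unexpected) relative to the clean manifest."""
    modified = sorted(p for p in clean if p in site and site[p] != clean[p])
    missing = sorted(p for p in clean if p not in site)
    # wp-config.php and wp-content/ legitimately differ per site, so extra files
    # there are not reported here; they still need a separate review.
    unexpected = sorted(p for p in site if p not in clean
                        and p not in skip_files and not p.startswith(skip_dirs))
    return modified, missing, unexpected

def demo():
    """Run the comparison on two small constructed trees (not real WP files)."""
    files = {
        "clean/index.php": b"<?php // core\n",
        "clean/wp-includes/version.php": b"<?php // version X.Y.Z\n",
        "site/index.php": b"<?php // core\n",
        "site/wp-includes/version.php": b"<?php // version X.Y.Z, altered\n",
        "site/wp-includes/extra.php": b"<?php // not in the release\n",
        "site/wp-config.php": b"<?php // site config\n",
        "site/wp-content/uploads/logo.png": b"constructed bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return compare(build_manifest(os.path.join(tmp, "clean")),
                       build_manifest(os.path.join(tmp, "site")))

if __name__ == "__main__":
    for label, paths in zip(("modified", "missing", "unexpected"), demo()):
        print(f"{label}: {paths}")
```

The clean manifest has to come from the exact release the site runs; a manifest from a different version reports every file that changed between the two releases as modified.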