OK - looked a bit further and found that be deleting the .htaccess file here:
/wp-content/plugins/wordfence/.htaccess
resolved the problem!
But should there not be a .htaccess file here for... ahem security?
Getting fed up with Malware attacks at present... despite all plugins updates... WP up to date, high passwords etc, but the buggers still get in... sorry rant over!