Sometimes the scanner flags a legitimate file as suspicious or malicious. Here's how to handle it.
What "false positive" means
A false positive is a legitimate file that triggers heuristic detection because it has patterns commonly associated with malware:
- Heavy obfuscation (often used by commercial plugins to protect IP)
- Encoded data (base64 fonts in CSS, encoded asset bundles)
- Dynamic code execution (eval is rare in legitimate code, but it does occur)
How to identify a false positive
Click the alert to see:
- File path — is this from a plugin/theme you trust?
- File age — installed recently? Or always been there?
- Surrounding files — other files in the same directory provide context
If the file is part of a plugin/theme you installed from WP.org or a reputable seller, and it's been there since install, it's likely a false positive.
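The checks above can be scripted before you mark anything as a false positive. This is an added example, not part of PowerSEC: `triage`, the `clean_copy_root` argument (a freshly unpacked copy of the same plugin or theme release) and the `example-plugin` tree built by `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, statistics, tempfile, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(flagged, wp_content, clean_copy_root=None, skew_days=1.0):
    """Collect the signals listed above for one flagged file."""
    flagged, wp_content = Path(flagged).resolve(), Path(wp_content).resolve()
    try:
        parts = flagged.relative_to(wp_content).parts
    except ValueError:
        parts = ()
    # File path: is it inside an installed plugin or theme directory?
    owner = parts[:2] if len(parts) >= 3 and parts[0] in ("plugins", "themes") else None
    # File age vs. surrounding files: much newer than its siblings means it was
    # not there since install. mtime can be rewritten, so this is only a hint.
    sib = [p.stat().st_mtime for p in flagged.parent.iterdir() if p.is_file() and p != flagged]
    newer = bool(sib) and flagged.stat().st_mtime - statistics.median(sib) > skew_days * 86400
    # Strongest signal: identical to the same path in a clean copy of the release.
    match = None
    if owner and clean_copy_root is not None:
        ref = Path(clean_copy_root).joinpath(*parts[2:])
        match = ref.is_file() and sha256(ref) == sha256(flagged)
    if owner is None or match is False or (match is None and newer):
        verdict = "investigate"
    elif match:
        verdict = "likely false positive"
    else:
        verdict = "plausible false positive (unverified)"
    return {"owner": owner, "newer_than_siblings": newer,
            "matches_clean_copy": match, "verdict": verdict}

def demo():
    """Constructed sample tree: three vendor files plus one file dropped later."""
    root = Path(tempfile.mkdtemp())
    wp, clean = root / "wp-content", root / "clean" / "example-plugin"
    plug = wp / "plugins" / "example-plugin" / "inc"
    old = time.time() - 90 * 86400          # "installed" 90 days ago
    for d in (plug, clean / "inc"):
        d.mkdir(parents=True)
        for name in ("loader.php", "util.php", "api.php"):
            (d / name).write_text(f"<?php // {name}\n")
            os.utime(d / name, (old, old))
    (plug / "cache.php").write_text("<?php // not in the vendor package\n")
    return (triage(plug / "loader.php", wp, clean),
            triage(plug / "cache.php", wp, clean),
            triage(plug / "loader.php", wp))

if __name__ == "__main__": print(*demo(), sep="\n")
```

A hash match against a clean copy is the only result here that confirms the file is unmodified; path and age alone leave the verdict unverified.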
Marking a file as false positive
- Open the alert → click "This is a false positive"
- Choose: For this file only or For this file pattern
- Optionally: report it to the PowerSEC team to improve global detection
- Save — future scans won't flag it
Restoring a quarantined false positive
- Dashboard → Threats → Quarantine
- Find the file
- Click Restore + Mark as false positive
- The file is moved back to its original location
Tuning heuristics per site
WP admin → PowerSEC → Settings → Detection sensitivity:
- Strict — more catches, more false positives
- Balanced (default) — good for most sites
- Lenient — fewer false positives, may miss subtle threats
For development sites with lots of custom code, try Lenient.