
False positives in malware scans

Updated May 11, 2026

Sometimes the scanner flags a legitimate file as suspicious or malicious. Here's how to handle it.

What "false positive" means

A false positive is a legitimate file that triggers heuristic detection because it contains patterns commonly associated with malware:

  • Heavy obfuscation (often used by commercial plugins to protect IP)
  • Encoded data (base64 fonts in CSS, encoded asset bundles)
  • Dynamic code execution (eval, create_function — rare in legitimate code, but it does occur)
  • File in an unusual location (e.g., a plugin that stores cache in /uploads/)

How to identify a false positive

Click the alert to see:

  • File path — is this from a plugin/theme you trust?
  • File age — installed recently? Or always been there?
  • Hash — search the hash on Google; legitimate plugin files often appear in plugin repos
  • Surrounding files — other files in the same directory give context

If the file is part of a plugin/theme you installed from WP.org or a reputable seller, and it's been there since install, it's likely a false positive.

Marking a file as false positive

  1. Open the alert (click "View details")
  2. Click "This is a false positive"
  3. Choose:
    • For this file only — only this exact hash is whitelisted on this site
    • For this file pattern — file path pattern whitelisted (e.g., all files in this plugin directory)
  4. Optionally: report to PowerSEC team to improve global detection
  5. Save

The file is removed from the threat list. Future scans won't flag it.

Reporting to PowerSEC

When you mark a file as a false positive, check "Report to PowerSEC team":

  • Sends just the file hash + path pattern (no file content)
  • Our team reviews and adjusts global heuristics
  • Other PowerSEC users benefit too

Restoring a quarantined false positive

If auto-quarantine moved a legitimate file:

  1. Dashboard → Threats → Quarantine
  2. Find the file
  3. Click Restore + Mark as false positive
  4. The file is moved back to its original location

Tuning heuristics per site

WP admin → PowerSEC → Settings → Detection sensitivity:

  • Strict — more catches, more false positives (high-security sites)
  • Balanced (default) — good for most sites
  • Lenient — fewer false positives, may miss subtle threats

For development sites with lots of custom code, try Lenient.
For e-commerce sites with PII at stake, use Strict + manual review.
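To make the three settings above concrete, here is an added, stand-alone example (not PowerSEC's code) that models how the heuristic indicators listed under "What 'false positive' means", the two allowlist scopes from "Marking a file as false positive" (exact hash vs. path pattern), and the Strict/Balanced/Lenient thresholds interact. The indicator weights, the thresholds and the sample files are assumptions constructed for illustration; the hash is SHA-256, the same kind of value you would search for when checking a flagged file.

```python
import base64
import hashlib
import re
from fnmatch import fnmatch

# Sensitivity levels: the minimum indicator score that flags a file.
# Thresholds are assumptions for this example, not PowerSEC's real values.
SENSITIVITY = {"strict": 2, "balanced": 3, "lenient": 5}


def _has_dynamic_exec(path, content):
    # eval / create_function: rare in legitimate code, common in injected code
    return re.search(r"\b(?:eval|create_function)\s*\(", content) is not None


def _has_encoded_blob(path, content):
    # A long run of base64 alphabet: a font in CSS, an asset bundle, or a packed payload
    return re.search(r"[A-Za-z0-9+/=]{200,}", content) is not None


def _in_unusual_location(path, content):
    # PHP under uploads/ is executable code where only media should live
    return path.startswith("wp-content/uploads/") and path.endswith(".php")


# (name, weight, test) per indicator; weights are illustrative assumptions
INDICATORS = [
    ("dynamic_exec", 3, _has_dynamic_exec),
    ("encoded_blob", 2, _has_encoded_blob),
    ("unusual_location", 3, _in_unusual_location),
]


def file_hash(content):
    """SHA-256 of the file content: the value to look up or allowlist."""
    return hashlib.sha256(content.encode()).hexdigest()


def score_file(path, content):
    """Return (total score, names of the indicators that matched)."""
    hits = [name for name, _w, test in INDICATORS if test(path, content)]
    total = sum(w for name, w, _t in INDICATORS if name in hits)
    return total, hits


def is_allowlisted(path, content, allowlist):
    """An entry is an exact hash ('this file only') or a path pattern ('this file pattern')."""
    digest = file_hash(content)
    for entry in allowlist:
        if entry["type"] == "hash" and entry["value"] == digest:
            return True
        if entry["type"] == "pattern" and fnmatch(path, entry["value"]):
            return True
    return False


def scan(files, sensitivity="balanced", allowlist=()):
    """Map each path to a verdict: 'flagged', 'allowlisted' or 'clean'."""
    threshold = SENSITIVITY[sensitivity]
    results = {}
    for path, content in files.items():
        score, hits = score_file(path, content)
        if score >= threshold:
            verdict = "allowlisted" if is_allowlisted(path, content, allowlist) else "flagged"
        else:
            verdict = "clean"
        results[path] = {"verdict": verdict, "score": score, "indicators": hits}
    return results


# Constructed sample files (not real plugin code). The CSS embeds a base64 font,
# the legacy widget uses create_function, and the uploads file is a PHP eval stub
# with a placeholder instead of any real payload.
FONT_CSS = ("@font-face{src:url(data:font/woff2;base64,"
            + base64.b64encode(b"\x00" * 300).decode() + ")}")
SAMPLE_FILES = {
    "wp-content/plugins/trusted-slider/assets/fonts.css": FONT_CSS,
    "wp-content/plugins/trusted-slider/slider.php": "<?php function slider_init() { return 'ok'; }",
    "wp-content/plugins/legacy-widget/compat.php": "<?php $cb = create_function('$a', 'return $a;');",
    "wp-content/uploads/2026/05/cache.php": "<?php eval(base64_decode(PAYLOAD_PLACEHOLDER));",
}

if __name__ == "__main__":
    for level in SENSITIVITY:
        verdicts = {p: r["verdict"] for p, r in scan(SAMPLE_FILES, level).items()}
        print(level, verdicts)
    allow = [{"type": "hash", "value": file_hash(FONT_CSS)}]
    print("strict + hash allowlist", scan(SAMPLE_FILES, "strict", allow))
```

Running it shows the trade-off the settings describe: the font CSS is flagged only under Strict, the create_function file is caught by Strict and Balanced but missed by Lenient, and the PHP file under uploads/ is flagged at every level. The hash-scoped allowlist stops silencing the CSS file the moment its content changes, whereas a directory pattern would also cover any file later dropped into that plugin folder, which is why "For this file only" is the safer choice when you can use it.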

When you're not sure

If you can't tell whether a file is malicious or a false positive:

  1. Don't restore yet — quarantine is safe
  2. Open a ticket with:
    • File path
    • Plugin/theme it appears to belong to
    • When you noticed it
    • Whether your site has been recently compromised
  3. Our team will review and advise

It's much safer to ask than to restore something malicious.

Why not just whitelist everything?

A "lenient" mode that whitelists everything would defeat the purpose. The balance is:

  • Catch real malware fast
  • Minimize false positives
  • Make false positive handling easy when one does happen

If you're seeing too many false positives on a specific plugin, let us know. We can often adjust signatures globally.
