
Understanding malware types found by PowerSEC

Updated May 11, 2026

When PowerSEC scans your site, each file it examines receives one of these verdicts:

clean

The file matches a known-good signature (WordPress core, official plugin, or your committed code). No action needed.

likely_clean

Heuristics suggest the file is benign, but it does not match any known-good signature. It may be a legitimate custom theme or plugin file. Review it if it sits in an unexpected location.

suspicious

Contains patterns that could be malicious (eval, base64_decode, obfuscation) but that also appear in legitimate code. Recommended action: review the file in context. If it's part of a plugin you trust, you can mark it as a false positive.

likely_malicious

Strong indicators of malware: heavy obfuscation, known malicious function patterns, or a PHP file in an unusual location. Recommended action: quarantine the file immediately and investigate.

confirmed_malicious

File hash matches a known malware sample in PowerSEC's signature database OR multiple sites have flagged this hash. Recommended action: quarantine, restore from a clean backup, and investigate how the file got there.

Common malware families

  • WSO Web Shell — generic PHP backdoor giving attacker file/DB/exec access
  • FilesMan — file manager backdoor
  • Marijuana Shell — older PHP web shell
  • C99 — classic PHP shell, still appears occasionally
  • Anonymous Fox — recent SEO-spam injector targeting WP
  • Balada Injector — large-scale WP campaign that injects JS redirects

False positives

Some legitimate code triggers heuristics:

  • Plugin auto-update routines using eval() for hooks
  • Encoded fonts in theme files (base64 in CSS/JS)
  • Encrypted license-checking code in commercial plugins

If you're confident a flagged file is safe, click "Mark as false positive" in the alert. PowerSEC learns from your feedback to reduce future false positives.
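To make the verdict ladder and the false-positive override concrete, here is an added illustration in Python. It is not PowerSEC's code: the signature sets, the list of "unusual" directories, the regex heuristics and the weighting (decode chain into eval, or heuristic hits in an upload directory, counts as "strong") are constructed assumptions for the example.

```python
import hashlib
import re

# Constructed sample signature sets; PowerSEC's real databases are not public.
KNOWN_GOOD = {hashlib.sha256(b"<?php echo 'hello'; ?>").hexdigest()}
KNOWN_MALICIOUS = {hashlib.sha256(b"<?php @eval($_POST['x']); ?>").hexdigest()}
# Directories where a PHP file has no business being on a WordPress site (assumption).
UNUSUAL_DIRS = ("wp-content/uploads/", "wp-content/cache/")
# Heuristic triggers named in the article: eval, base64_decode and obfuscation helpers.
SUSPICIOUS_PATTERNS = [r"\beval\s*\(", r"\bbase64_decode\s*\(",
                       r"\bgzinflate\s*\(", r"\bstr_rot13\s*\("]
# Strong indicators: a decode chain fed straight into eval, or long runs of escaped bytes.
STRONG_PATTERNS = [r"\beval\s*\(\s*(gzinflate|base64_decode|str_rot13)\s*\(",
                   r"(\\x[0-9a-f]{2}){8,}"]


def classify(path, content, false_positives=frozenset()):
    """Return one of the five verdicts for the file at `path` holding bytes `content`.

    `false_positives` holds SHA-256 digests the site owner has reviewed and marked safe.
    """
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_GOOD:
        return "clean"                  # exact match against core/plugin/committed code
    if digest in KNOWN_MALICIOUS:
        return "confirmed_malicious"    # exact match against a known malware sample
    if digest in false_positives:
        return "likely_clean"           # owner feedback overrides heuristics for these bytes
    text = content.decode("utf-8", errors="replace")
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, text, re.I)]
    strong = any(re.search(p, text, re.I) for p in STRONG_PATTERNS)
    unusual = path.endswith(".php") and path.startswith(UNUSUAL_DIRS)
    if strong or (hits and unusual):
        return "likely_malicious"
    if hits:
        return "suspicious"
    return "likely_clean"


def mark_false_positive(content, false_positives):
    """Record a reviewed file's digest so the same bytes are not flagged again."""
    return false_positives | {hashlib.sha256(content).hexdigest()}
```

Note that the override is keyed on the file's hash, so a later modification of the "safe" file is scanned afresh rather than inheriting the exemption.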

What to do with a malicious file

  1. Quarantine it — moves the file to wp-content/powersec-quarantine/ (still recoverable but no longer executes)
  2. Investigate the entry point — how did the attacker upload this? Often a vulnerable plugin
  3. Restore from backup — if multiple files were modified, restore from before the infection
  4. Patch the entry point — update the vulnerable plugin or remove it
  5. Reset all admin passwords — assume any saved sessions are compromised
  6. Re-scan — confirm everything is clean

For step-by-step recovery, see Recovering from a malware infection.
