When PowerSEC scans your site, each file it examines receives one of these verdicts:
clean
The file matches a known-good signature. No action needed.
likely_clean
Heuristics suggest the file is benign, but it matches no known-good signature. Typically a legitimate custom theme or plugin file that is not in the signature database.
suspicious
Contains constructs that malware commonly relies on (eval, base64_decode, packed or obfuscated strings) but that legitimate code also uses. Recommended action: review the file in context, and compare it against the vendor's original copy where one exists.
likely_malicious
Strong indicators of malware: heavy obfuscation, known malicious function patterns, or a PHP file in a location where none belongs (for example under wp-content/uploads/). Recommended action: quarantine the file immediately and investigate.
confirmed_malicious
File hash matches a known malware sample in PowerSEC's signature database. Recommended action: quarantine, restore from a clean backup, and investigate how the file got there.
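The verdict tiers above map naturally onto a small decision procedure: exact hash matches settle a file outright, and only then do heuristics apply. The classifier below is an added example written for this page, not PowerSEC's scanner; the signature sets, the regular expressions, the "unusual location" list and the sample files are all constructed assumptions standing in for the real database.

```python
import hashlib
import re

# Constructed sample files standing in for a scanned WordPress install.
SAMPLE_THEME_FILE = b"<?php\nfunction demo_theme_footer() { echo esc_html(get_bloginfo('name')); }\n"
SAMPLE_LICENSE_FILE = b"<?php\n$license = base64_decode($opts['license_blob']); // legitimate use\n"
SAMPLE_PACKED_SHELL = b"<?php\neval(gzinflate(base64_decode('" + b"A" * 300 + b"')));\n"
SAMPLE_VARIABLE_FUNC = b"<?php\n@$_POST['f']($_POST['c']);\n"

# Hypothetical signature sets; PowerSEC's real database is not on the page.
KNOWN_GOOD_SHA256 = {hashlib.sha256(SAMPLE_THEME_FILE).hexdigest()}
KNOWN_MALWARE_SHA256 = {hashlib.sha256(SAMPLE_PACKED_SHELL).hexdigest()}

# Constructs malware relies on but legitimate code also uses -> "suspicious".
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\b(?:gzinflate|gzuncompress|str_rot13|create_function)\s*\("),
    re.compile(rb"\bassert\s*\("),
]

# Constructs with almost no benign use -> "likely_malicious".
STRONG_PATTERNS = [
    # eval fed straight from a decoder: the classic packed web-shell loader
    re.compile(rb"\beval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\("),
    # command execution driven directly by request input
    re.compile(rb"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    # variable function call whose name and argument both come from the request
    re.compile(rb"\$\w+(?:\[[^\]]*\])?\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
]

# A PHP file under these directories is out of place on a normal install (assumed list).
UNUSUAL_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")


def heavily_obfuscated(data: bytes) -> bool:
    """One encoded run of 200+ characters, or a high density of \\xNN escapes hiding identifiers."""
    if re.search(rb"[A-Za-z0-9+/=]{200,}", data):
        return True
    escapes = len(re.findall(rb"\\x[0-9a-fA-F]{2}", data))
    return escapes / max(len(data), 1) > 0.02


def classify(rel_path: str, data: bytes) -> str:
    """Return one of the five verdict names for the file at rel_path (relative to the site root)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_MALWARE_SHA256:
        return "confirmed_malicious"
    if digest in KNOWN_GOOD_SHA256:
        return "clean"
    is_php = rel_path.endswith(".php") or data.lstrip().startswith(b"<?php")
    out_of_place = is_php and rel_path.startswith(UNUSUAL_PHP_DIRS)
    if out_of_place or heavily_obfuscated(data) or any(p.search(data) for p in STRONG_PATTERNS):
        return "likely_malicious"
    if any(p.search(data) for p in SUSPICIOUS_PATTERNS):
        return "suspicious"
    return "likely_clean"


if __name__ == "__main__":
    for path, blob in [
        ("wp-content/themes/demo/footer.php", SAMPLE_THEME_FILE),
        ("wp-content/plugins/demo/license.php", SAMPLE_LICENSE_FILE),
        ("wp-content/plugins/demo/wp-cache.php", SAMPLE_PACKED_SHELL),
        ("wp-content/plugins/demo/x.php", SAMPLE_VARIABLE_FUNC),
        ("wp-content/uploads/2024/03/image.php", b"<?php\necho 'hello';\n"),
    ]:
        print(f"{classify(path, blob):20} {path}")
```

Note the ordering: the hash checks run before any heuristic so that a known sample is never downgraded to "suspicious" just because it is short, and a known-good file is never flagged for containing base64_decode. Everything else is a heuristic and will produce false positives on unusual but legitimate code, which is exactly why the page tells you to review "suspicious" files in context rather than delete them.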
Common malware families
- WSO Web Shell — generic PHP backdoor that gives the attacker file, database and command-execution access from a browser
- Balada Injector — long-running, large-scale WordPress campaign that injects JavaScript redirects into infected sites
- FilesMan — file-manager backdoor that lets the attacker browse, edit and upload files on the server
What to do with a malicious file
- Quarantine it — moves the file to wp-content/powersec-quarantine/ (still recoverable if it turns out to be a false positive)
- Investigate the entry point — how did the attacker get the file there? Compare the file's timestamps with the web-server access logs; the cause is often a vulnerable or outdated plugin
- Restore from backup — if several files were modified, restore from a backup taken before the infection, and check that the backup itself is clean first
- Patch the entry point — update the vulnerable plugin, or remove it if no fix exists
- Reset all admin passwords — assume any saved sessions are compromised; rotating the security keys and salts in wp-config.php invalidates every existing login cookie
- Re-scan — confirm the site comes back clean; if infected files reappear, the entry point is still open