PowerSEC's malware scanner reviews PHP-like executable files across your entire WordPress installation, including writable and non-standard directories — uploads, cache, backup folders, and security-plugin log folders — where attackers often hide malicious files.
Active webshell-family detection
Beyond known-malware signatures, PowerSEC actively detects several common webshell and backdoor techniques, such as:
- Dangerous function names assembled from fragments or encoded strings and then called indirectly
- Variable-function dispatch (calling a function whose name comes from a variable)
- Tainted callbacks driven by request data
- Eval/assert patterns fed from HTTP request headers
- Reverse-shell connection shapes
- Payloads that are decrypted or decompressed and then executed
- Superglobals constructed or extracted dynamically to smuggle in attacker input
These run as deterministic scanner checks and contribute to your malware and webshell results.
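
As an added illustration (not PowerSEC's own code or signatures), the Python below runs three of the listed checks over constructed PHP snippets: variable-function dispatch, request-tainted callbacks, and eval/assert fed from request headers. The rule names, patterns and samples are assumptions made for this example.

```python
import re

# Hypothetical rules written for this example; they are not PowerSEC's signatures.
TAINT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
# A variable assigned from request data in the same statement (one-hop taint).
ASSIGN_TAINT = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)[^;]*" + TAINT)
# $name(...): a call whose function name comes from a variable.
VAR_CALL = re.compile(r"(\$[A-Za-z_]\w*)\s*\(")
LINE_RULES = {
    # Callback-taking built-ins with request data among their arguments.
    "tainted_callback": re.compile(
        r"\b(?:call_user_func(?:_array)?|array_map|array_filter|usort)\s*\([^;]*" + TAINT),
    # eval/assert whose argument is read from an HTTP request header.
    "eval_from_header": re.compile(
        r"\b(?:eval|assert)\s*\([^;]*(?:\$_SERVER\s*\[\s*['\"]HTTP_|getallheaders\s*\()"),
}

def scan(php_source):
    """Return (line_no, rule, excerpt) findings for a human reviewer."""
    findings, tainted = [], set()
    for no, line in enumerate(php_source.splitlines(), 1):
        assigned = ASSIGN_TAINT.search(line)
        if assigned:
            tainted.add(assigned.group(1))
        for rule, pattern in LINE_RULES.items():
            if pattern.search(line):
                findings.append((no, rule, line.strip()))
        for call in VAR_CALL.finditer(line):
            # Same syntax, different signal: escalate only when the name is tainted.
            rule = ("tainted_variable_function" if call.group(1) in tainted
                    else "variable_function_call")
            findings.append((no, rule, line.strip()))
    return findings

# Constructed samples (not taken from any real site or from PowerSEC).
BENIGN = """<?php
$formatter = 'strtoupper';
echo $formatter($title);
"""
SUSPICIOUS = """<?php
$h = $_REQUEST['h'];
$h($_REQUEST['a']);
assert($_SERVER['HTTP_X_CHECK']);
usort($items, $_GET['cmp']);
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for no, rule, excerpt in scan(sample):
            print(f"{label}:{no}: {rule}: {excerpt}")
```

The benign sample still yields a `variable_function_call` finding, which is the kind of result that needs a reviewer to look at context before acting.
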
Findings are for review — not automatic deletion
When PowerSEC reports a webshell or malware finding, the file should be reviewed carefully. A finding is a security signal, not an automatic deletion request.
PowerSEC does not automatically delete, quarantine, or remediate files from these detections. Site owners or authorized administrators stay in control of remediation decisions. A single flagged line is not proof of compromise on its own — context matters, and legitimate code can occasionally resemble these patterns.
Works best together
Malware scanning is strongest alongside file integrity monitoring, verified backups, prompt plugin and theme updates, and careful review of unexpected changes. For how PowerSEC labels findings, see "Understanding malware types found by PowerSEC".