What is the Malware Scanner and how does it work?

The Malware Scanner is a part of the Automatic WordPress File Scanner

It will discover all sorts of malware patterns embedded in your PHP files, wherever they're hidden on your WordPress site (WP core, plugins, themes).

It focuses on the following:

  • scanning of all PHP and Javascript files and folders under your WordPress ‘ABSPATH ‘ – this is the directory that contains your wp-adminwp-content  and wp-includes  folders.
  • automatic repair of WordPress core files
  • automatic repair of WordPress.org plugins and themes

How the Malware Scanner works

This scanner will automatically detect files infected with malware signatures. It also uses MAL{ai} - Artificial Intelligence-based PHP Malware Scanning Engine for WordPress. You may read more about this here.

What is the False Positives Confidence?

A false positive is when the scanner incorrectly detects malware in a file (i.e. the file is clean)
‘False positive’ confidence is how sure the “network” is that the file is actually a false positive.
This confidence level comes from the  Shield Network Security Intelligence, with all the other sites reporting on whether a file is, or is not, malware.

So, Shield can ignore false positives in Scan Results automatically. 

You can choose to ignore files with potential malware manually in your scan results, depending on whether the confidence that it's a 'false positive' meets your minimum threshold.

A false positive happens when a file appears to contain malware and shows up in scan results, but it's actually clean. (A false positive is similar to when an anti-virus alerts to a file that doesnt have a virus.)

The higher the confidence level, the more likely a result is a false positive. A low level means it's less likely to be a false positive.

You can also set the Malware Scanner to

  • Auto-Repair WP Core - Automatically reinstall any core files found to have potential malware. 
  • Auto-Repair WP Plugins/Themes - Automatically repair any plugin/theme files found to have potential malware.

    Important: This option is only compatible with plugins/themes installed from WordPress.org..

Please also note that:

  • Auto-repair core files only repairs actual WP core files - it won't delete any. It can be deleted manually. 
  • The plugin and theme auto-repair will replace plugin/theme files, but won't delete files that don't belong. This can be done by the site admin manually. 

Once the scanner detects infected file(s), it'll either try to repair them automatically or you can do this manually. How it'll behave depends on your personal settings.                 

To run manual scan or to review infected files, you can use Scans section of the Shield Security main menu. 

For example, Malware Scanner detected potential malware in a WordPress core, plugin, theme files. You can go to the Scans section > run manual scan first if you need to > review scan results.

Then, you can choose an action you want. In this example, ignore or delete.

We highly recommend you to read A Complete Guide To The Shield Security Scans here.

Important: If you're unsure whether the file is malware or not, read this article here.

For more information about the Malware Scanner, please read the blog article here.

We also recommend you to read: