Malware Scanner Documentation

SSP — Malware Scanner (Docs)

SSP Documentation

SSP Malware Scanner

Overview

SSP Malware Scanner scans your WordPress site for security threats including malicious code, backdoors, suspicious database entries, and files in wrong locations. It can run on a schedule, quarantine dangerous files, and email you when issues are found.

Simple approach: Run a scan, review results, quarantine or ignore items, set up automatic scans, and get email alerts. That’s it.
Admin LocationDashboard sidebar → Malware Scanner
RequirementsWordPress 5.0+, PHP 7.4+
Quarantine Location/wp-content/uploads/ssp-quarantine/

Dashboard

The Dashboard tab gives you an at-a-glance view of your site’s security status.

Stats Cards

Site StatusClean, Unknown, or number of issues from last scan.
Last ScanWhen the most recent scan ran and how long it took.
Files ScannedNumber of files checked in last scan.
Total ScansAll-time count with clean vs. issue breakdown.
Issues FoundAll-time total issues detected.
Next ScanWhen the next scheduled scan will run.
QuarantinedFiles currently isolated.
IgnoredIssues you’ve marked to skip in future scans.

Recent Results

Shows issues from the last scan with options to Quarantine or Ignore each item. Use the Select All checkbox and “Ignore Selected” button to bulk-ignore multiple items.

Running Scans

Click Run Scan Now in the header to start a manual scan. A progress bar shows status as it checks your files.

What Gets Scanned

  • WordPress core – wp-includes and wp-admin folders.
  • Plugins – All installed plugins (except trusted ones).
  • Themes – All installed themes.
  • Uploads – Checks for PHP files where only media should be.
  • Database – Scans posts and options for injected scripts.
  • .htaccess – Checks for suspicious server rules.

What It Detects

  • Eval + base64/gzinflate code execution patterns.
  • Shell commands accepting user input.
  • Backdoor patterns.
  • PHP files in the uploads folder.
  • Disguised files with double extensions (e.g., file.php.jpg).
  • Injected scripts and iframes in database content.
  • Suspicious .htaccess directives.

Severity Levels

Each finding is classified by severity to help you prioritize.

🔴 Serious (High)Take action immediately. Patterns commonly used by hackers: code execution, backdoors, PHP in uploads. Quarantine these files.
🟡 Suspicious (Medium)Review recommended. Could be malicious or could be a legitimate plugin. Check the source before ignoring.
🔵 Notice (Low)Usually harmless. Long minified code lines, encoded content from legitimate plugins. Safe to bulk-ignore if you trust the source.
When in doubt: If a Serious threat is inside a plugin you installed from WordPress.org, it may be a false positive. Contact the plugin developer to confirm.

Scheduling

Configure automatic scans in the Schedule tab.

Schedule Settings

Enable automatic scansMaster toggle for scheduled scanning.
FrequencyHourly, Daily, or Weekly.
TimeWhat time to run (for daily/weekly).
TimezoneYour local timezone for accurate scheduling.

Performance Settings

Low resource modeSlower scan but uses less server power. Enable if scans affect site performance.
Max file sizeSkip files larger than this (MB). Default 5MB.
Memory limitPHP memory allocation for scans. Default 256MB.
Keep scan historyDays to retain scan records. Default 30.
Auto-quarantineAutomatically quarantine serious threats.
Tip: Schedule scans for low-traffic hours like 3 AM to minimize any performance impact.

Scan Options

Configure what gets scanned and how thoroughly in the Scan Options tab.

Sensitivity Levels

QuickBasic PHP file checks only. Fast but catches only obvious threats.
Standard (Recommended)Thorough scan of all code files. Best balance of speed and detection.
ThoroughDeep scan including more file types. May show more notices. Use if you suspect an infection.

Scan Targets

  • WordPress core files
  • Plugin files
  • Theme files
  • Uploads folder
  • Database content
  • .htaccess file

Email Alerts

Get notified when scans complete. Configure in the Email tab.

Recipients

Add multiple email addresses. Click “+ Add Email” to add more recipients.

Alert Settings

Email when issues foundGet alerted immediately when threats are detected.
Email when cleanOptional confirmation that scans completed with no issues.
From nameSender name shown in the email.

Email Templates

Customize subject lines and content for both threat and clean scan emails. Choose HTML or plain text format. Leave template blank to use the default.

Template Placeholders

{site_name}Your site name.
{site_url}Your site URL.
{scan_time}When the scan ran.
{duration}How long the scan took.
{threats}Number of issues found.
{files_scanned}Number of files checked.
{threat_list}HTML list of issues (threat emails only).
{dashboard_url}Link to your scanner dashboard.
Use the Send Test Email button to verify your email configuration is working.

Exclusions

Reduce noise by excluding trusted items in the Exclusions tab.

Skip These Paths

Directories to skip entirely. One path per line. Example: /wp-content/cache/

Trusted Plugins

Plugin folder names that won’t be scanned. One per line. Example: woocommerce

Safe Upload Paths

Subfolders in uploads that legitimately contain PHP files. One per line. Example: ssp-backups

Ignored Issues

Issues you’ve clicked “Ignore” on won’t appear in future scans. Click Clear All Ignored Issues to reset.

Quarantine

Quarantined files are moved to a secure folder where they cannot execute.

How It Works

  • File is moved to /wp-content/uploads/ssp-quarantine/
  • Folder is protected with .htaccess (deny from all).
  • Original location is recorded so you can restore if needed.
  • Files are renamed with timestamp to prevent conflicts.

Actions

RestorePut the file back in its original location. Use if it was a false positive.
DeletePermanently remove the file. Cannot be undone.
Best practice: Always quarantine before deleting. This gives you a safety net if something breaks.

History

The History tab shows all past scans with their results.

  • Click any scan to expand and see the issues found.
  • Green border = clean scan.
  • Red border = issues detected.
  • Shows duration and file count for each scan.

Click Clear History to remove all scan records.

FAQ & Troubleshooting

Site is slow during scans?

  • Enable “Low resource mode” in Schedule tab.
  • Schedule scans for low-traffic hours.
  • Reduce memory limit if server struggles.

Too many notices from plugins I trust?

  • Add the plugin folder to “Trusted Plugins” in Exclusions.
  • Or use Select All + Ignore Selected to bulk-dismiss.

Quarantined a file and something broke?

  • Go to Quarantine tab.
  • Click “Restore” on the file.
  • It will be put back in its original location.

Not receiving email alerts?

  • Check spam folder.
  • Use “Send Test Email” to verify.
  • Consider an SMTP plugin if emails aren’t sending.

Is a threat real or false positive?

Check the file location. If it’s inside a plugin from WordPress.org, likely a false positive. If it’s in a random location or has a strange name, be suspicious. When in doubt, contact the plugin developer or a security professional.

Recommended settings by site type

Personal blogWeekly scans, Standard sensitivity, email on threats only.
Business websiteDaily scans, Standard sensitivity, all email alerts.
eCommerce / WooCommerceDaily or hourly scans, add payment plugins to trusted list, all alerts enabled.
High-traffic siteEnable low resource mode, schedule during off-peak hours.