The malware scanner checks all folders and files on your website for malicious code. Even correct and non-malicious code can sometimes look malicious under different circumstances. This is called a false positive.
Sometimes it is quite obvious and even specific viruses or attacks can be identified by name. Other times it could be legit programming made with no malicious intent, or it is malicious code trying to hide.
This is where you should start looking if you are getting warnings or suspect your website is hacked.
Although we try to limit the number of files that are wrongly identified, we also want to be thorough and rather show you a couple of wrongly identified files than miss something malicious.
This means we can sometimes show a file as suspicious, but it does not mean it will do harm to your site. It just means you need to have a closer look at their content.
For example, here, where the malware scanner was looking for a very simple footprint, the word “ShellBOT” in a file.
The word was found in the file, but on closer inspection, we can see it is from a plugin, Theme Check, that has a feature that looks for common worms (viruses), one of which is the exact same phrase our plugin looks for. This way it was detected as a potentially infected file.
Please do not just delete a file because the scanner has marked it for your attention, this file could be legitimate and do no harm, but for some reason has indicators it is suspicious. Deleting the wrong file could also break a part or your whole website.
Take a look at our guide to cleaning up after a malware attack.