SiteFort documentation

Malware Scanner

Start a scan, work through what SiteFort found, and fix it. Covers scan controls, progress stages, finding remediation, scanner configuration, and troubleshooting when scans fail.

Documentation Home Recommended Settings

Malware Scanner

The SiteFort Scanner checks the site for malware indicators, unauthorized file changes, exposed sensitive data, account and permission issues, database concerns, reputation problems, and known vulnerabilities. It is cloud-connected, so license state and scan credits can affect availability.

Before You Run a Scan

For a clean first run, confirm these items before clicking Start New Scan:

License is active. Scanner banners such as License Required or License Validation Failed must be resolved before cloud scanning works.
Scan credits are available. Free or non-paid plan usage appears in the control bar as Cloud Credits.
Large generated folders are excluded. Exclude cache folders, backup archives, staging exports, or generated build directories only when you are sure they do not need security review.
You have a backup before remediation. Scanning is safe; repair and delete actions change files or data.

Start or Stop a Scan

Control	How to use it	Best practice
Start New Scan	Starts an on-demand scan when the site is connected and scanning is available.	Run this after installation, after a suspected compromise, after restoring from backup, or before handing a site back to a client.
Stop Scan	Stops the active scan.	Use only when the scan is affecting a busy production window or you intentionally need to change scan settings first.
Standard Scan	Uses signature and change intelligence for practical daily protection.	Use as the default scan mode for normal operations.
Deep Scan	Performs broader verification and content-level checks.	Use when malware is suspected, after a breach, or when Standard Scan findings suggest deeper inspection.
Daily at 3:00 AM	Displays the current schedule summary.	Schedule scans outside your site's busiest traffic window.
Scanner Configuration	Opens scan scope, quarantine retention, intensity, and schedule settings.	Review after installing SiteFort on large ecommerce, LMS, or membership sites.

Do not ignore disabled start messages. If the button says Connect SiteFort Console to start scans, Scanning is currently unavailable for this site, or On-demand scans are currently unavailable for this site, fix that condition first. Changing scan scope will not solve a license or availability issue.

Scan Progress

Scan progress appears as a staged stepper. Each stage can be pending, active, completed, stopped, or failed. The failed stage tells you where to start troubleshooting.

Stage	What SiteFort is checking	Common reason to review logs
Server State	Configuration and environment readiness.	Server limits, file access, or configuration conditions prevent the scan from starting cleanly.
Deep Threat Analysis	Cloud-powered malware detection.	License, credits, connectivity, or file upload/analysis problems.
Reputation	Blocklist and reputation context.	The site or IP may appear on a reputation source or the lookup failed.
User & Accounts	Account permissions and risky user state.	Unexpected administrators, weak account posture, or suspicious user data.
Database Security	Database structure and content checks.	Suspicious options, injected content, or database access limitations.
Sensitive Data	Exposure checks.	Files or public paths may expose secrets, backups, logs, or configuration data.
Vulnerabilities	CVE check for WordPress assets.	Known vulnerable plugins, themes, or core versions require patching.

Review Findings and Remediation Actions

Open the Findings panel after a scan. Start with Critical and High, then review Medium and Low findings. Do not bulk-delete files before you understand what they are.

1. Understand the finding

Check severity, file path, description, related setting, user or content context, and whether a diff is available. A file in uploads, a plugin directory, or the WordPress root means different things.

2. Choose the safest action

Use View file or View diff before remediation. Use Repair when SiteFort can restore a known-safe file. Use Delete only when the file is clearly malicious or backed up.

3. Keep exceptions intentional

Use Ignore only when the finding is verified and accepted. Ignored findings can be reviewed later with the Ignored filter and restored using Unignore.

4. Verify after cleanup

After repair, delete, update, password reset, or deactivation, run another scan and confirm the Dashboard no longer shows unresolved findings.

Available finding-level actions can include Refresh, View file, View diff, Open related settings, Edit content, Edit user, Update password, View users database, Ignore, Unignore, Mark fixed, Delete, Repair, Protect, Download, Delete user, Update, and Deactivate. Bulk actions include Repair Files, Delete Files, and View Quarantine Vault. Empty states include No Ignored Issues, No [Severity] Severity Findings, System Secure, and No Issues on This Page.

Scanner Configuration

Setting	What it controls	Practical guidance
Excluded Paths	Directories and files skipped during scans. One path per line; `*` works as a wildcard.	Use for cache and build folders that generate noise. Do not exclude uploads, plugins, themes, or root files just to make a scan look clean.
Quarantine Retention	Auto-purges quarantined files after 1 to 30 days.	Choose a retention period long enough for rollback and client review. Shorter retention reduces storage use.
Scan Intensity	Standard or Deep.	Standard is the daily baseline. Deep is for suspected compromise, pre-launch assurance, or post-cleanup validation.
Scan Frequency	Manual Only, Daily, Weekly, or Monthly.	Daily is useful for active production sites. Weekly may be enough for low-change brochure sites. Manual Only is not recommended for unattended sites.
Notifications	Alert recipients and delivery channels.	Send scan findings and scan failed alerts to the person who can actually take action.

Scanner Troubleshooting

Start New Scan is disabled

Read the disabled message under the button. It usually points to connection, availability, or on-demand scan access.
Open Settings > License & Plan and confirm the site is active.
If the page shows License Validation Failed, click Revalidate License and return to Scanner only after the banner clears.
If the message mentions scan credits, use the upgrade or reset path shown in the banner instead of changing scan scope.

A scan failed, but protection is still active

Open the failure panel. It can state that only this cloud scan run failed while protection remains active.
Click View Scan Log and note the failed stage, timestamp, and message.
Fix the stage-specific issue: license or credits for cloud stages, server configuration for Server State, connectivity for reputation or cloud analysis, or data access for database checks.
Click Retry Scan after the underlying issue is resolved. Do not dismiss the panel until you have captured the message if you need support.

Findings keep coming back after cleanup

Check whether the file is being regenerated by a compromised plugin, theme, scheduled task, or external deployment pipeline.
Review Audit Log and hosting file modification logs around the time the file returns.
Update or deactivate the component that owns the path. If the finding is in uploads, search for related PHP files or suspicious uploaded archives.
Run a Deep Scan after cleanup and rotate administrator passwords when account compromise is possible.