Every PMPro Hosting site runs a daily malware and compromise check automatically. It’s not an Add On or paid upgrade. If something looks wrong, our operations team is notified.

What We Scan For

Our scanner looks for the patterns actually seen in real WordPress compromises, not a generic virus signature list. That includes:

  • Suspicious modifications to core files: Your WordPress install has two main files that are highly targeted by malicious code: index.php and wp-config.php. On PMPro Hosting, we check these files for known backdoor patterns (eval/base64 injection, goto-based obfuscation, memory-limit overrides).
  • Known backdoor filenames: We raise a potential malware flag for a curated list of filenames attackers have used in the wild (e.g. wp-conffg.php, wper.php, lock.php, and variants).
  • Obfuscated PHP: We detect eval(base64_decode()) calls, rotated-string payloads, and goto-mazed scripts. These are typical patterns used by automated injection campaigns.
  • Unexpected PHP files at the web root or PHP in the uploads directory: There’s no legitimate reason for a .php file to exist in /wp-content/uploads/. If one appears, we flag it. We also detect other .php files loaded in the web root.
  • Rogue .htaccess files: The filesystem should not have any additional .htaccess files present outside the main WordPress installation. Malicious code placing such a file in the wp-admin/ or wp-includes/ folder is a common redirect-injection vector.
  • Rogue wp/ subdirectories: Outside the legitimate core folders, there should not be additional subdirectories. These can be planted by malicious code to host secondary attacker infrastructure.
  • WP-VCD infection markers: Occasionally, a theme may inject malicious code that we can detect in our scans.
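
To make the location- and pattern-based checks in this list concrete, here is an added sketch. It is not PMPro Hosting's scanner, and it covers only a subset of the checks: backdoor filenames, PHP in uploads, unexpected root PHP, rogue .htaccess, and the eval/base64 pattern. The function names, the root-file allowlist (assumed to match a stock WordPress install) and the sample tree are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# Filenames quoted in the list above; a production list would be longer and curated.
BACKDOOR_NAMES = {"wp-conffg.php", "wper.php", "lock.php"}
# Assumption: the PHP files a stock WordPress install ships at the web root.
CORE_ROOT_PHP = set((
    "index.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-config.php "
    "wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php "
    "wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php").split())
# eval(base64_decode( with optional whitespace; PHP function names are case-insensitive.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def scan(root):
    """Return (relative_path, reason) findings for every file under root."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        name, parts = path.name.lower(), rel.parts
        is_php = name.endswith(".php")
        checks = [
            (name in BACKDOOR_NAMES, "known backdoor filename"),
            (is_php and parts[:2] == ("wp-content", "uploads"), "PHP in uploads"),
            (is_php and len(parts) == 1 and name not in CORE_ROOT_PHP, "unexpected PHP at web root"),
            (name == ".htaccess" and parts[0] in ("wp-admin", "wp-includes"), "rogue .htaccess"),
            (is_php and bool(EVAL_B64.search(path.read_bytes())), "eval/base64 pattern")]
        findings += [(rel.as_posix(), why) for hit, why in checks if hit]
    return findings

def build_sample(root):
    """Constructed sample tree: two clean files and three flagged ones."""
    files = {"index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
             "wper.php": b"<?php // constructed placeholder",
             "wp-content/uploads/2024/a.php": b"<?php EVAL ( base64_decode('AA=='));",
             "wp-content/uploads/2024/a.jpg": b"\xff\xd8",
             "wp-admin/.htaccess": b"# constructed placeholder"}
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason}: {rel}")
```

A single file can produce more than one finding, which helps triage: a root-level file that matches a known backdoor name is also an unexpected root PHP file.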

On demand, we can also run a deep scan that verifies every WordPress core file against the official WordPress.org checksums, flagging any byte-for-byte modification.

How Findings Are Handled

When the daily scan runs, we get one of two responses:

  • Clean site: No action required. Status is logged and we move on.
  • Findings detected: Our systems team is alerted. We review, confirm whether it’s a true positive, and reach out if a cleanup is needed.

Because the scans are designed to err on the side of caution, occasional false positives happen (a legitimate plugin may use unusual patterns). We vet every flag before contacting the customer.

Cleanup Is Included

Malware cleanup is included with PMPro Hosting. There is no separate “incident response” fee, no hourly billing for remediation on a routine infection, and no upsell to a paid recovery plan.

If a PMPro Hosting site is compromised, our typical process is:

  1. Isolate. Quarantine the affected site (put it in maintenance mode if necessary) to stop the bleeding.
  2. Snapshot. Preserve a forensic snapshot before any changes.
  3. Identify. Determine the entry point (vulnerable plugin, weak password, outdated theme, etc.).
  4. Clean. Remove malicious files, restore modified core files from known-good sources, rotate credentials, and invalidate all active sessions.
  5. Verify. Re-run the scanner, run a deep core checksum verification, and confirm the site is clean before bringing it back online.
  6. Harden. Apply any additional protections relevant to the entry point (updated plugin, stronger password policy, etc.).
  7. Report. Share what happened, how we cleaned it, and what we recommend to prevent recurrence.

What We Ask From You

  • Keep WordPress, plugins, and themes updated. We manage the server; you manage the site. Outdated plugin code remains the #1 infection vector.
  • Use strong admin passwords and enable two-factor authentication where possible.
  • Don’t share admin credentials. Use Magic Admin links, temporary accounts, or individual admin logins instead.
  • Tell us fast if you suspect something’s wrong. The earlier we engage, the cleaner the fix.

Recovery from Backup

If a compromise is severe or widespread, we can restore from backup. Daily backups give us a 7-day window of known-clean snapshots to roll back to, and DigitalOcean’s Droplet-level snapshots provide a second recovery path. Contact support to initiate a restore.

Last updated on April 23, 2026

