Imunify Malware Protection
Imunify is the malware scanner and web application firewall running on all Ultra Web Hosting servers. It scans your hosting account on a regular schedule, watches files as they are uploaded or changed, and blocks attacks at the web-server layer. This guide explains what to do when you get a notification about your site.
What Imunify Does
Imunify combines three layers of protection:
- Malware scanner — Walks every file in your hosting account on a schedule, compares against a continuously updated signature database, and flags or quarantines anything that matches known web malware (backdoors, shell uploaders, SEO spam injections, phishing kits).
- Real-time monitor — Watches the file system for changes and scans new or modified files immediately, so a fresh upload of a malicious file gets caught within seconds.
- Web application firewall (WAF) — Inspects incoming HTTP requests and blocks ones that look like exploits (SQL injection probes, known-vulnerable plugin attacks, credential stuffing).
Most of this happens silently in the background. You only hear about it when something is found.
Reading an Imunify Notification
If Imunify finds something, you will receive an email titled something like Malware detected on your hosting account. The body lists:
- The file path where the malware was found (e.g., /home/youracct/public_html/wp-content/uploads/2024/05/xyz.php).
- The malware family or signature (e.g., SMW-INJ-WPLD-WPMU-php.suspicious or WP-PLUGIN-INJ.php).
- The action taken — usually quarantined (moved to a safe holding area outside your web root) or flagged (left in place but logged).
- A link or instructions for reviewing the finding in cPanel.
Reviewing Findings in cPanel
- Log into cPanel.
- Under Security, click Imunify (or ImunifyAV / Imunify360 depending on the version on your server).
- The Files tab shows all detected malware on your account.
- Each row shows the file path, threat name, status (Suspicious, Infected, Quarantined, Cleaned), and detection date.
- Click a row to see more details: the matching signature, file size, ownership, and last-modified time.
What To Do When Files Are Flagged
Step 1: Don't Panic, Don't Ignore
Most malware findings are real, even when the affected site looks fine on the surface. Common patterns:
- An out-of-date WordPress plugin had a vulnerability; an attacker uploaded a backdoor file disguised as something innocuous.
- A weak FTP or admin password was guessed; an attacker dropped SEO spam scripts that quietly redirect search-engine traffic.
- A reused password from another site was leaked, and an attacker used it to log into your hosting account.
The right action is to investigate, not to immediately delete or restore the file.
Step 2: Determine If It Is Yours
Before doing anything destructive, look at the file. In cPanel's Imunify, click the file to expand its details. Note:
- Path — Is it in a place you would expect (your theme, a plugin you installed) or somewhere weird (uploads/, cache/, deeply nested random directories)?
- Filename — Random strings like wp-x9k2.php, admin-ajax-old.php, or generic names in odd places are almost always malicious.
- Modified date — Was it last modified at 3 AM on a day you were not working? That is a hint someone else touched it.
- Content — The detail view shows the signature match. Long base64 strings, obfuscated eval() calls, or executable code inside an uploads/ directory are red flags.
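The four checks above can be applied mechanically to a flagged file before you decide what to do with it. The helper below is an added example, not part of Imunify or cPanel; the file path, contents, working-hours window and timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Directories that should hold data, not executable code (from the checklist above).
DATA_ONLY_DIRS = ("/uploads/", "/cache/")
# Functions routinely used to hide a payload; a match is a hint, not proof.
OBFUSCATION_FUNCS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)
# A run of 200+ base64 characters is rare in hand-written site code.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/=]{200,}")
WORKING_HOURS = range(8, 20)  # assumed working window for the account owner; adjust as needed


def looks_random(stem: str) -> bool:
    """True if a dash/underscore-separated chunk mixes letters and digits with no vowels (x9k2)."""
    for chunk in re.split(r"[-_]", stem.lower()):
        if (len(chunk) >= 3 and re.search(r"\d", chunk) and re.search(r"[a-z]", chunk)
                and not re.search(r"[aeiou]", chunk)):
            return True
    return False


def triage(path: str, content: str, modified: datetime) -> list[str]:
    """Return the Step 2 red flags that apply to one flagged file; [] means nothing odd."""
    flags = []
    name = path.rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if name.lower().endswith((".php", ".phtml", ".phar")) and any(d in path for d in DATA_ONLY_DIRS):
        flags.append(f"path: executable {name} inside a data-only directory")
    if looks_random(stem):
        flags.append(f"filename: {name} looks machine-generated")
    if modified.hour not in WORKING_HOURS:
        flags.append(f"modified: {modified:%Y-%m-%d %H:%M} is outside working hours")
    funcs = sorted({m.lower() for m in OBFUSCATION_FUNCS.findall(content)})
    if funcs:
        flags.append("content: obfuscation functions " + ", ".join(funcs))
    if LONG_BASE64.search(content):
        flags.append("content: long base64 run")
    return flags


# Constructed sample resembling the notification example above (not a real detection).
SAMPLE_PATH = "/home/youracct/public_html/wp-content/uploads/2024/05/wp-x9k2.php"
SAMPLE_CONTENT = '<?php eval(base64_decode("' + "QUJD" * 60 + '"));'
SAMPLE_MTIME = datetime(2024, 5, 17, 3, 14)
# Constructed benign theme file for comparison.
BENIGN_PATH = "/home/youracct/public_html/wp-content/themes/mytheme/functions.php"
BENIGN_CONTENT = "<?php\nadd_action('init', 'mytheme_setup');\n"
BENIGN_MTIME = datetime(2024, 5, 17, 14, 0)

if __name__ == "__main__":
    for p, c, m in ((SAMPLE_PATH, SAMPLE_CONTENT, SAMPLE_MTIME), (BENIGN_PATH, BENIGN_CONTENT, BENIGN_MTIME)):
        print(p, "->", triage(p, c, m) or ["no red flags"])
```

A file that trips several checks at once is almost certainly not yours; a file that trips none still deserves a look if the signature match itself is specific.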
Step 3: Quarantined Malware (Usual Case)
If Imunify already quarantined the file, the immediate threat is contained. Your next step is to find how it got there:
- Update WordPress core, themes, and plugins to the latest versions. Pay special attention to the plugin or theme whose directory the malware was found in, if any.
- Delete any plugins or themes you no longer use. Inactive plugins are still attackable.
- Reset your cPanel password, all FTP account passwords, all WordPress admin passwords, and your database password.
- Enable two-factor authentication in the Client Area and on WordPress admin.
- Run a fresh scan: in Imunify, click Scan → Full Scan. Confirm no new findings appear.
Step 4: Flagged But Not Quarantined
For flagged files, you decide:
- If the file is clearly malicious by the criteria above — click Cleanup in Imunify (which sanitizes known patterns) or Delete if cleanup is not offered.
- If you are unsure — open a support ticket with the file path. Our team can verify and clean it for you.
- If you are confident the file is legitimate — see False Positives below.
False Positives
Occasionally Imunify flags a file that is genuinely yours. Common false-positive triggers:
- Custom PHP code that builds queries from user input (looks like SQL injection patterns).
- Encryption or encoding libraries (heavy base64 or hex strings).
- License-key validators that obfuscate themselves to prevent piracy.
- Some commercial WordPress plugins shipped with intentionally compact, hard-to-read code.
Requesting a Re-Scan or Whitelist
- In cPanel → Imunify, find the file.
- If a Restore from quarantine button is available, you can restore the file yourself.
- Open a support ticket with the file path and the reason you believe it is a false positive. Include the original source of the file (e.g., "this is shipped with WP Plugin X version Y, downloaded from yourpluginsite.com"). Our team will whitelist it on your account and submit the signature for correction upstream.
Running an On-Demand Scan
You can scan your account at any time without waiting for the scheduled run:
- In cPanel → Imunify, click the Scan tab.
- Choose Full Scan (everything) or specify a path under Custom Path Scan.
- Click Start Scan.
- The scan runs in the background. You can leave the page and come back; results appear under Files when complete.
Preventing Future Infections
- Keep everything updated. The vast majority of compromises come through an out-of-date plugin or theme. Turn on WordPress automatic updates for plugins.
- Use strong, unique passwords on cPanel, every FTP user, every WordPress admin, and every database. See Password Security.
- Enable 2FA on the Client Area (how-to) and on WordPress admin (via a plugin like Wordfence, Two Factor, or your security plugin of choice).
- Remove unused software. Delete plugins, themes, and Softaculous installs you no longer need. Old code rots into attack surface.
- Limit FTP accounts. Each FTP account is a credential that can be guessed; do not leave temporary accounts active after a job ends.
- Backups. Regular backups (see Backups & Restore) give you a quick recovery path if something does slip through.
Related
- Password Security — the most effective single defense.
- Firewall Blocks & Connection Issues — the server firewall also blocks attacker IPs.
- Backups & Restore — for recovery if you ever need to roll back.
- Account Details & Login — turn on 2FA for the Client Area.
- Support Tickets — for help reviewing a finding.