Overview
If your website is built with WordPress, you may on rare occasions receive an email from the WordPress Toolkit within your hosting plan advising that a suspicious WordPress installation was found and quarantined.
Such email notifications may contain the following message:
The following WordPress installations are quarantined:
Website "TITLE OF SITE" (https://WEBSITE-URL.EXAMPLE): WP Toolkit was not able to finish running an operation on this site in 60 seconds, so the operation was terminated. This could mean that your WordPress installation might be infected with malware. Check the wp-config.php file of the installation for potential malware code or run an anti-virus scan. If you cannot find any traces of malware, try running the operation again later.
This article describes how to determine whether your website was correctly quarantined, how to release it from quarantine, and what to do if the site is indeed infected and was quarantined for a legitimate reason.
Checking Whether Site is Infected
The first thing to do when you receive such an email is to confirm whether the site is actually infected, or whether this was just a case of the WordPress Toolkit taking too long to sync with the site and therefore quarantining the site unnecessarily.
You can do this by following the steps below:
- Run a Malware Scan within Plesk.
Log into Plesk, navigate to the WordPress tab in the left-hand menu, open the card for the quarantined site, then click “Run Malware Scan”.
Then, either click Scan next to the site that was quarantined, or click Scan All.
- Check WordPress Integrity, to confirm that WordPress’ core files have not been modified in any way.
Within the WordPress tab of Plesk, under the quarantined site, click the “Check WordPress Integrity” button, then click “Verify Checksums”.
If the installation is clean, the check will report that the checksums of all core files were successfully verified.
- Scan your website using a security plugin, such as Wordfence.
- Check for unknown or rogue Administrator users within WordPress.
This can be done by logging into WordPress, navigating to Users in the left-hand menu, then clicking the “Administrators” tab to view all Administrator accounts.
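For administrators with shell access, comparable checks can be run from the command line. The script below is an added example, not Conetix or Plesk tooling; it assumes WP-CLI is installed as `wp`, and the function names, the list of suspicious PHP functions and the 500-character line threshold are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example: heuristics and names are assumptions, not Plesk's own checks.

# Print suspicious lines found in a wp-config.php.
# Returns 0 if nothing was flagged, 1 if something was, 2 if the file is unreadable.
scan_wp_config() {
  local file="$1" hits
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  hits=$( {
    # Functions often used to hide injected PHP; a stock wp-config.php calls none of them.
    grep -nEi '(^|[^[:alnum:]_])(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)[[:space:]]*\(' "$file" || true
    # Very long lines are typical of packed code (threshold is an assumption).
    awk 'length($0) > 500 { print NR ":line longer than 500 characters" }' "$file"
  } )
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Scan wp-config.php, verify core checksums and list administrators for one site.
audit_site() {
  local path="$1" status=0
  scan_wp_config "$path/wp-config.php" || status=1
  if command -v wp >/dev/null 2>&1; then
    # Compare core files against the checksums published for the installed version.
    wp core verify-checksums --path="$path" || status=1
    # List administrator accounts so unknown ones can be spotted by hand.
    wp user list --role=administrator \
      --fields=ID,user_login,user_email,user_registered --path="$path"
  else
    echo "WP-CLI not found; skipping checksum and administrator checks" >&2
  fi
  return "$status"
}

# Usage: ./audit.sh /path/to/wordpress   (the path is whatever your site root is)
if [ "$#" -gt 0 ]; then
  audit_site "$1"
fi
```

A hit from `scan_wp_config` is a prompt for manual review of the flagged line, not proof of infection, and a clean result does not rule one out.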
Releasing False-Positive From Quarantine
If no signs of malicious code or activity can be found within the site, you can release the site from the WordPress Toolkit quarantine status to ensure it continues to receive auto-updates (if enabled), and other notifications and functionality from the Toolkit.
This can be done from within Plesk by navigating to WordPress in the left-hand menu, opening the card for the quarantined site, then clicking the Refresh button to have the Toolkit attempt to re-sync with the site’s WordPress installation.
If successful, the site will no longer show as being Quarantined.
It is, however, possible that the site may still remain in quarantine if the Toolkit is unable to refresh the installation within 60 seconds. In such a case, it either indicates a performance issue with the site that is preventing the Toolkit from completing its task within a reasonable timeframe, or it indicates that the site is indeed still infected in some way.
If the site remains Quarantined, please get in touch with the Conetix Support team for further assistance and diagnosis.
Dealing With An Infected Site
If your site is legitimately infected, we strongly recommend engaging with a developer or site cleaning professional for assistance in removing the infection.
We also have a separate article with more information on cleaning up an infected/compromised site below, which you may wish to pass along to your web developer: