BD Malware Cleaner

Scanning, Quarantine & Scheduling

Updated March 9, 2026

Understanding Scan Results

After a scan completes, the results table displays all detected threats sorted by severity. Each finding includes five columns:

  • File — The relative path of the affected file (relative to your WordPress root directory).
  • Threat — The type of threat detected. Possible values include:
    • core_modified — A WordPress core file no longer matches its official checksum.
    • malware_pattern — The file matched a known malware signature.
    • php_in_uploads — A PHP file was found inside the uploads directory.
    • suspicious_file — A double-extension file was detected, or the file is world-writable.
  • Severity — One of four levels: critical, high, medium, or low. Results are sorted with critical threats first.
  • Signature — The name of the matched malware signature (e.g., base64_eval, c99_shell, php_in_uploads, world_writable, double_extension).
  • Actions — Buttons to quarantine or ignore the finding.
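
To cross-check php_in_uploads and suspicious_file findings by hand, the same three conditions can be tested directly on the uploads directory. This is an added example, not the plugin's code; the extension list, the reading of "double extension" as a PHP extension before the final one, and the sample tree are assumptions made here.

```python
import os
import stat
import tempfile

# Assumption: extensions a web server may be configured to run as PHP.
PHP_EXTS = {"php", "phtml", "php5", "php7", "phar"}

def classify(path):
    """Return the signature names (as listed on the page) that fit one file."""
    parts = os.path.basename(path).lower().split(".")
    hits = set()
    if len(parts) > 1 and parts[-1] in PHP_EXTS:
        hits.add("php_in_uploads")
    elif PHP_EXTS & set(parts[1:-1]):
        # e.g. logo.php.png: a PHP extension hidden before the final one
        hits.add("double_extension")
    if os.lstat(path).st_mode & stat.S_IWOTH:
        hits.add("world_writable")
    return hits

def audit_uploads(uploads_dir):
    """Walk uploads_dir and map each flagged relative path to its signatures."""
    findings = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue  # symlink modes are meaningless; review them by hand
            hits = classify(full)
            if hits:
                findings[os.path.relpath(full, uploads_dir)] = hits
    return findings

def build_sample_tree():
    """Constructed sample uploads tree: one clean file and three to flag."""
    base = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(base, "2026", "03"))
    samples = {"2026/03/photo.jpg": 0o644, "2026/03/cache.php": 0o644,
               "2026/03/logo.php.png": 0o644, "notes.txt": 0o666}
    for rel, mode in samples.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    return base

if __name__ == "__main__":
    for rel, hits in sorted(audit_uploads(build_sample_tree()).items()):
        print(rel, sorted(hits))
```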

Severity Levels Explained

  • Critical — Immediate action required. These are confirmed malware patterns like backdoor shells, eval+base64 chains, cryptocurrency miners, data exfiltration, reverse shells, and SEO spam injections. Quarantine these files immediately.
  • High — Strong indicators of malicious activity. Includes obfuscated function creation, remote file inclusion via user input, hidden iframes, mailer abuse, and variable callback hooks. Investigate and quarantine if not part of a legitimate plugin.
  • Medium — Potentially suspicious but may have legitimate uses. Includes hex or chr() obfuscation chains, remote fopen operations, and variable function calls with superglobal input. Review the file content before taking action.
  • Low — Minor indicators that alone are not malicious but could be part of a larger attack. Includes error reporting suppression and display_errors disabling. Usually safe to ignore unless combined with other findings.

Taking Action on Findings

For each detected threat, you have two options:

Quarantine a File

Quarantining moves the suspicious file out of its original location into a secure quarantine directory at wp-content/uploads/bdmc-quarantine/. This effectively neutralizes the threat while preserving the file for later analysis or restoration.

  1. Click the Quarantine button next to the finding.
  2. The file is renamed to a hash-based filename (e.g., abc123_1709900000.quarantined) and moved into the quarantine directory.
  3. The finding status updates to “quarantined” in the scan results.
  4. Original file permissions are recorded so they can be restored if needed.

Note: The quarantine directory is protected with an .htaccess file that denies all direct web access, and an index.php file to prevent directory listing. Quarantined files cannot be executed or accessed from the web.

Ignore a Finding

If you have reviewed a finding and determined it is a false positive or an acceptable file, click the Ignore button. The finding will be hidden from the results table (its status changes to “ignored” in the database). Ignored findings are excluded from the results display but remain in the database for audit purposes.

You can also click Ignore All to mark all current findings as ignored at once. This button appears in the results table header when there are active findings.

Managing Quarantined Files

Navigate to the Quarantine tab to view all currently quarantined files. The table shows:

  • Original Path — Where the file was located before quarantine (displayed as a relative path).
  • Quarantined — The date and time the file was quarantined.
  • Size — The file size in a human-readable format.
  • Actions — Restore or permanently delete the file.

Restoring a Quarantined File

  1. On the Quarantine tab, find the file you want to restore.
  2. Click the Restore button.
  3. The file is moved back to its original location with its original file permissions restored.
  4. If the original directory no longer exists, it will be recreated automatically.
  5. The quarantine log entry status updates to “restored.”

Warning: Only restore a file if you are certain it is not malicious. Restoring a backdoor will re-expose your site to the threat.
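
The quarantine steps and the restore steps above, written out as a round trip. This is an added example, not the plugin's code; hashing the file content for the name, the 0600 mode while held, the in-memory log and the hash check before restore are assumptions made here.

```python
import hashlib
import os
import shutil
import stat
import tempfile
import time

def quarantine(path, qdir, log):
    """Move path into qdir under a hash-based name; log its path and mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    # Assumption: name = content-hash prefix + Unix time, like the page's example.
    name = f"{digest[:12]}_{int(time.time())}.quarantined"
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, name)
    shutil.move(path, dest)
    os.chmod(dest, 0o600)  # assumption: no execute or world bits while held
    log[name] = {"path": path, "mode": mode, "sha256": digest, "status": "quarantined"}
    return name

def restore(name, qdir, log):
    """Move a quarantined file back, recreating its directory and mode."""
    entry = log[name]
    src = os.path.join(qdir, name)
    with open(src, "rb") as fh:
        if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
            raise ValueError("quarantined copy changed since it was logged")
    os.makedirs(os.path.dirname(entry["path"]), exist_ok=True)
    shutil.move(src, entry["path"])
    os.chmod(entry["path"], entry["mode"])
    entry["status"] = "restored"
    return entry["path"]

def demo():
    """Constructed tree: quarantine a file, drop its directory, restore it."""
    root = tempfile.mkdtemp(prefix="wp-")
    target = os.path.join(root, "wp-content", "plugins", "demo", "helper.php")
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as fh:
        fh.write("<?php // constructed sample\n")
    os.chmod(target, 0o640)
    qdir = os.path.join(root, "wp-content", "uploads", "bdmc-quarantine")
    log = {}
    name = quarantine(target, qdir, log)
    moved = not os.path.exists(target)
    shutil.rmtree(os.path.dirname(target))  # the original directory disappears
    restored = restore(name, qdir, log)
    return moved, stat.S_IMODE(os.stat(restored).st_mode), log[name]["status"]
```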

Permanently Deleting a Quarantined File

  1. On the Quarantine tab, find the file you want to delete.
  2. Click the Delete button.
  3. The quarantined file is permanently removed from the server. This action cannot be undone.
  4. The quarantine log entry status updates to “deleted.”

Scheduling Automatic Scans

BD Malware Cleaner supports automated scheduled scans that run in the background via WordPress cron. Scheduled scans require an active license.

Configuring the Schedule

  1. On the Scanner tab, scroll down to the Scan Settings section.
  2. Find the Scheduled Scans dropdown and select your preferred frequency:
    • Disabled (default) — No automatic scans.
    • Daily — Runs a full scan once every 24 hours.
    • Weekly — Runs a full scan once every 7 days.
  3. Click Save Settings.

When you save settings, the plugin clears any existing scheduled scan event and registers a new one based on your selection. The first scheduled scan will run after the interval you selected (e.g., 24 hours for daily, 7 days for weekly).

How Scheduled Scans Work

Scheduled scans use a self-rescheduling chunked architecture designed for shared hosting:

  1. The bdmc_scheduled_scan cron hook fires and initiates a new scan with the same scan options you configured in settings (core integrity, malware patterns, uploads detection).
  2. The scan collects all files to be scanned, then processes them in chunks of 200 files per cron execution (compared to 50 files per AJAX chunk for manual scans).
  3. After each chunk, a new single event (bdmc_scheduled_scan_continue) is scheduled 5 seconds in the future to process the next chunk.
  4. This self-rescheduling pattern continues until all files are processed.
  5. When the scan finishes, the results are saved and an email alert is sent if threats were found.

Email Alerts

When enabled, BD Malware Cleaner sends an email to the site admin email address after each scheduled scan that finds one or more threats. The email includes:

  • The site URL where the scan was performed
  • The total number of files scanned
  • The number of threats found
  • A link to the BD Malware Cleaner dashboard to review the findings

To enable or disable email alerts:

  1. On the Scanner tab, scroll to Scan Settings.
  2. Toggle the Email Alerts switch on or off.
  3. Click Save Settings.

Tip: Email alerts are only sent for scheduled scans, not for manual scans initiated from the dashboard. For manual scans, check the results directly in the dashboard.

Scan Settings Reference

All settings are stored as a serialized array in the bdmc_settings WordPress option. Here is a complete reference:

| Setting | Default | Description |
|---|---|---|
| Core File Integrity | Enabled | Verify WordPress core files against official checksums from wordpress.org. |
| Malware Pattern Matching | Enabled | Scan PHP files for known malware signatures, backdoors, and obfuscated code. |
| PHP in Uploads Detection | Enabled | Detect PHP files hidden in the uploads directory and double-extension files. |
| Scheduled Scans | Disabled | Automatic scan frequency: none, daily, or weekly. |
| Email Alerts | Enabled | Send email notifications when scheduled scans find threats. |

Chunked Scanning Explained

BD Malware Cleaner uses a chunked scanning architecture to work reliably on shared hosting environments with limited PHP execution time and memory:

  • Manual scans (UI): Files are processed in chunks of 50 per AJAX request. After each chunk completes, the JavaScript frontend sends a new AJAX request for the next chunk, with a progress bar updating in real time.
  • Scheduled scans (cron): Files are processed in larger chunks of 200 per cron execution. Each chunk schedules the next one as a single event 5 seconds later.
  • Scan state: The current scan state (file list, progress, findings count) is stored in a WordPress transient (bdmc_scan_state) with a 1-hour expiration. If the transient expires before a scan completes (e.g., due to a server restart), the scan is considered abandoned.
  • Last scan summary: When a scan finishes, a summary (scan_id, total files, findings count, start and finish times) is saved to the bdmc_last_scan option for display on the dashboard.
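
The self-rescheduling loop from "How Scheduled Scans Work" and the state expiry described above can be modelled in a few lines to see when a scheduled scan is abandoned. This is an added simulation, not the plugin's code; the Transients class, the cron_lag parameter (WP-Cron events fire on the next site visit after they are due, so they can run late) and the renewal of the TTL on every chunk are assumptions made here.

```python
CHUNK = 200        # files per cron execution (from the page)
DELAY = 5          # seconds until bdmc_scheduled_scan_continue (from the page)
STATE_TTL = 3600   # lifetime of the bdmc_scan_state transient (from the page)

class Transients:
    """Stand-in for WordPress transients: values that vanish after a TTL."""
    def __init__(self):
        self._data = {}
    def set(self, key, value, ttl, now):
        self._data[key] = (value, now + ttl)
    def get(self, key, now):
        value, expires = self._data.get(key, (None, 0))
        return value if now < expires else None
    def delete(self, key):
        self._data.pop(key, None)

def run_chunk(store, now, is_threat):
    """One cron execution; returns when the next one is due, or None."""
    state = store.get("bdmc_scan_state", now)
    if state is None:
        return None                      # state expired: scan is abandoned
    batch = state["files"][state["pos"]:state["pos"] + CHUNK]
    state["findings"] += sum(1 for f in batch if is_threat(f))
    state["pos"] += len(batch)
    if state["pos"] >= len(state["files"]):
        store.delete("bdmc_scan_state")  # finished: nothing left to schedule
        return None
    # Assumption: each chunk re-saves the state, which renews the TTL.
    store.set("bdmc_scan_state", state, STATE_TTL, now)
    return now + DELAY

def simulate(files, is_threat, cron_lag=0):
    """Run a whole scan; cron_lag is extra delay before each continuation."""
    store, state = Transients(), {"files": files, "pos": 0, "findings": 0}
    store.set("bdmc_scan_state", state, STATE_TTL, 0)
    due, lag, runs = 0, 0, 0
    while due is not None:
        now = due + lag
        runs += 1
        due = run_chunk(store, now, is_threat)
        lag = cron_lag
    return {"runs": runs, "finished": state["pos"] >= len(files),
            "findings": state["findings"], "elapsed": now}
```

With 450 constructed file names the scan finishes in three executions; if the continuation event is delayed past the 1-hour expiry, the second execution finds no state and the remaining files are never scanned.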

License Requirements

BD Malware Cleaner requires a valid license for all scanning and quarantine features:

  • Starter — 1 site. Includes malware scanning, core integrity checks, quarantine and restore, scheduled scans.
  • Professional — 3 sites. All Starter features plus priority support.
  • Agency — 25 sites. All Professional features.

License validation is performed against the BDShield License Manager API at getbdshield.com. Results are cached in a transient for 24 hours to minimize API calls. If the license server is unreachable, a failed check is cached for 1 hour before retrying.

Deactivation Behavior

When the plugin is deactivated, all scheduled cron hooks (bdmc_scheduled_scan and bdmc_scheduled_scan_continue) are cleared. Your scan results, quarantine log, and settings are preserved in the database so they remain available if you reactivate the plugin.