Imunify360 Quarantined Your File? How to Restore It Safely
You open a support ticket or check your inbox and see it: "Imunify360 has quarantined a file on your account." Maybe your site broke right after, or a plugin suddenly stopped working. Before you panic and start restoring random backups, here's what's actually happening and how to get the file back safely - without turning your malware scanner back off.
What Imunify360 Actually Does
Imunify360 is a security suite that runs on most modern cPanel servers, including Getwebup's shared and reseller hosting. It scans every file uploaded or modified on your account, compares the code against known malware signatures and behavioral patterns, and moves anything suspicious into a quarantine folder before it can do damage. It's the same idea as antivirus quarantine on a desktop PC - the file isn't deleted, it's just isolated and renamed so it can't execute.
The scanner also watches outbound connections, brute-force login attempts, and cross-account infections on shared servers, but the quarantine feature is the one that generates the most support tickets, because it occasionally flags legitimate files.
Symptom: What You'll See
- An email from Imunify360 or cPanel titled something like "Malicious file detected and quarantined"
- A missing file error on your site - a broken image, a plugin that won't load, a theme function throwing a fatal error
- In cPanel, under Security, a new icon called Imunify360 or Malware Scanner showing a red badge
- The original file still physically present in its folder, but renamed with a
.imunify_quarantine_<random-string>extension
Cause: Why a Clean File Gets Flagged
Quarantine doesn't always mean you're hacked. Imunify360 uses a mix of signature matching and heuristics, and heuristics guess wrong sometimes. The usual triggers:
Common false-positive sources
- Nulled or pirated themes/plugins - license-check bypass code looks structurally identical to a backdoor, even when it isn't doing anything malicious
- Obfuscated or minified JS/PHP - some page builders and caching plugins ship minified code that trips eval()/base64 heuristics
- Custom scripts with base64_decode(), eval(), or exec() - legitimate uses (license validation, some caching, custom API integrations) look identical to malware droppers on a signature scan
- Freshly restored backups - if the backup itself was taken while the site was compromised, the scan is right and the file needs to stay quarantined
- Third-party plugin update packages that bundle unusual file operations (some SEO and staging plugins do this)
The real infections are usually easy to tell apart once you look at the report: they show up in unexpected locations like /wp-includes/, /wp-content/uploads/, or random top-level folders with filenames that don't match anything in your theme or plugin's original file list.
Fix: How to Restore a Quarantined File
Don't just rename the file back manually from File Manager - check what it actually contains first. Here's the safe order of operations.
1. Read the scan report before touching anything
In cPanel, go to Security > Imunify360 (or Malware Scanner on older versions), then open the Malware or History tab. Click the flagged file to see:
- The exact rule or signature that triggered
- A snippet of the flagged code
- The original file path
2. Inspect the code snippet
If it's a WordPress core file, plugin, or theme file, compare it against a fresh copy. For core files, run a checksum check via WP-CLI if you have SSH access:
wp core verify-checksums --path=/home/username/public_html
For plugins:
wp plugin verify-checksums --all --path=/home/username/public_html
If the flagged file matches the official plugin/theme source exactly, it's almost certainly a false positive. If it's been modified with extra code appended (commonly at the very top or bottom of the file), treat it as a real infection.
3. Restore from the cPanel interface
This is the safest method because Imunify360 logs the action and re-scans on restore:
- In cPanel, open Security > Imunify360
- Go to the Malware tab and find the file in the list
- Click Restore next to the entry
- Confirm - the file returns to its original name and location
If you don't see a Restore button (some cPanel themes hide it under a menu icon), use File Manager instead: navigate to the file's folder, find the .imunify_quarantine_* version, and rename it back to the original filename manually. Set permissions back to 644 for files or 755 for directories after restoring.
4. WHM/root-level restore (VPS and dedicated servers)
If you manage the server yourself, Imunify360 ships a CLI tool for this:
# List quarantined files
imunify360-agent malware unquarantine --list
# Restore a specific file by ID
imunify360-agent malware unquarantine --ids <quarantine-id>
# Whitelist the exact file path so it's never rescanned/flagged again
imunify360-agent malware ignore --add /home/username/public_html/wp-content/plugins/example/file.php
Whitelisting is worth doing for files you've confirmed are safe and reuse often (like a custom mu-plugin), so you're not fighting the same false positive after every scan cycle.
If the File Really Is Malware
If the code snippet contains things like eval(base64_decode(...)) wrapping unfamiliar payloads, unexpected outbound cURL calls to unknown domains, or a filename that doesn't belong to any plugin/theme you installed, leave it quarantined. Instead:
- Change your WordPress admin, cPanel, and FTP/SFTP passwords immediately
- Run a full scan from Security > Imunify360 > Scan to catch related infections
- Check wp_users for admin accounts you didn't create
- Restore the rest of the site from a backup taken before the infection date, not just the one flagged file
Deleting the malicious file without finding the entry point (an outdated plugin, a leaked password, a vulnerable theme) just means it comes back within days.
Prevention: Fewer False Positives, Fewer Real Infections
| Action | Why it helps |
|---|---|
| Only install plugins/themes from WordPress.org or licensed sources | Nulled software is the single biggest cause of both real infections and false-positive quarantines |
| Keep WordPress core, plugins, and themes updated | Most quarantine events trace back to a known, already-patched vulnerability |
| Whitelist confirmed-safe custom code paths | Stops the same legitimate file from being re-flagged every scan |
| Use unique, strong passwords per account and enable 2FA | Blocks the credential-stuffing route that leads to real backdoors |
| Review the Imunify360 History tab monthly | Catches infection patterns early, before they spread across the account |
If you're on Getwebup shared or VPS hosting and you're not sure whether a quarantined file is safe to restore, open a support ticket with the file path from the scan report - we can pull the exact signature match and tell you in minutes whether it's a false positive or something to actually worry about.
Frequently asked questions
Will restoring a quarantined file bring back the malware if it was real?
Yes, if the file was genuinely malicious, restoring it puts the malware back. Only restore after confirming via a checksum check or code review that the file is clean. When in doubt, keep it quarantined and investigate further.
Why does Imunify360 keep re-flagging the same legitimate file?
It's usually a heuristic match on patterns like base64_decode() or eval() that also appear in real malware. Whitelist the exact file path with imunify360-agent malware ignore --add (root/WHM access) or ask your host to add it to the ignore list.
Does Imunify360 delete files automatically?
No. Quarantine renames and isolates the file so it can't execute, but the original content is preserved. Nothing is permanently deleted unless you manually remove the quarantined copy.
I don't have SSH access - can I still check if the file is safe?
Yes. Use the cPanel Imunify360 interface to view the flagged code snippet and signature name, then compare it against a fresh download of the same plugin/theme version from the official source.
Can Imunify360 quarantine files outside my account on shared hosting?
No, its per-account scanning is isolated to your hosting account. It does run server-wide checks for cross-account infection patterns, but any quarantine action only touches files inside your own account.