Website has vanished after cleaning file

Hi John,

Imunify360’s malware cleanup feature is designed to remove only the malicious part of a file, leaving legitimate code intact wherever possible. This means if a file was infected by injected malware, Imunify360 cleans out that injected code, and the rest of the file should remain usable.

If Imunify360 finds that the entire file appears malicious or it can’t reliably clean it, it may trim it, render it empty, or remove it completely. Depends on the settings: https://docs.imunify360.com/dashboard/#cleanup

What are the options to restore it?

1) Restore with the “Restore Original Files” feature (if available). In most control panels (e.g., cPanel), Imunify360 keeps a temporary backup of the file before cleanup. If the file was cleaned or trimmed, you can:

• Go to Imunify360 → Malware Scanner → Files list
• Find the affected file in the list
• Use the Restore Original action (clock icon) to put the file back as it was before cleanup

https://docs.imunify360.com/dashboar...o-restore-file


2) If you run server backups, use the hosting provider backup option to restore the file or entire site from a point before the cleanup occurred.

3) If the file that was cleaned was a core CMS file (like index.php, wp-config.php, etc.):

• Download a fresh copy from the official source (e.g., WordPress core files or framework distribution)
• Upload it back via FTP/SSH/cPanel

This helps when only core files were damaged, and you don’t want to restore an entire backup.
​​

Hi there,
First of all, apologies for posting in the wrong forum. I did not realise there was a dedicated Imunify area.

As far as I can see, it is the index.php file in the httpdocs folder that has been infected. it showas a file size of 0 bytes. When I try to to restore it with the origrinal text, after a few minutes, it just gets wiped again. Even when I have disabled Imunify360. So I suspect there is malware that is targetting the index.php file.

You think if I get a fresh copy of the core files and upload it, it should work ?

John

John, no worries about the forum post (: I've moved this thread to the Imunify section.

Sorry to know it has been wiped again. A couple of concerns here on the behaviour:

• How Imunify360 was disabled before this rescan? Mind that if you have a real-time scanner enabled, it may be triggered by the file restoration and clean it up again if it still includes malicious content. See:
  • https://docs.imunify360.com/dashboard/#malware-scanner
  • https://docs.imunify360.com/dashboard/#general-1
• Also, when you restored the file, what content did it have? Did you have the ability to validate the index.php content integrity?

If you are using WP and this index.php file is a core one, you can indeed try to upload/create it manually: https://github.com/wordpress/wordpre...ster/index.php

Hi,

Thanks for your help with this.

Before all this happenned, I was using the free version of Imunify. It said that there was a malicious file (index.php). At this point the site was stil working fine - the index page was loading without any issues. Concerned about the malicious file that the free version found, I tried to clean it. But the free version said it could not do it.

So I bought the paid version of Imunify360 and then did a scan. It said that it had found the same file so I tried to clean it. It then said that it had cleaned it. It was after that when the website stopped working. I then realised that the index.php page was empty. So I tried to upload an old copy of the index.php that I had. But the same thing happenned - after a minute, the file was stripped back to 0 bytes, I thought at first that the reason that the file was being stripped was because the scanner was finding the same file again and cleaning it. So I disabled the Imunify for a while. i did this by going into my Plesk Panel -> Extensions and disabling it there. But even when Imunfy has disabled the same keeps happening.

What is strange is that even after the file has been corrupted, when I do a full scan using the paid version, it shows everyhting to be OK and that the server is fully protected ??

I downloaded the core files for wordpress 6.9.1 and uploaded a fresh copy of index.php but the problem still persists.

Not sure what to do next. Can you advise further ?

Thanks,
John

Looking at the readon for the threat it says:
SMW-INJ-CLOUDAV-php.bkdr.wpcore.inj-WPCORE1-0

If that any help.

Hi John,
Thanks for the details. I can see you have already submitted a ticket to our Support Team, and it has been escalated to our malware analysts.

Let me follow up for visibility and future reference:

Our malware analysts have confirmed that this issue was not caused by Imunify360 cleaning or truncating index.php. The root cause was a nulled WordPress plugin (fancy-elementor-gallery-box) installed, which turned out to be a backdoor dropper disguised as a gallery plugin. What the malware did:

• Used obfuscated code (str_rot13) to contact external endpoints and download malicious payloads.
• Injected malicious code into core files, primarily:
  • index.php (main entry point)
  • the active theme’s functions.php
• Set up a scheduled task (cron job) that re-infected files hourly.
• Created a persistence loop:
  • Cleaning index.php alone → the plugin re-infects it.
  • Removing the plugin alone → infected index.php can re-download it.

This behaviour explains why the site appeared to “vanish” repeatedly, even after cleanup attempts.

For resolution, malware samples were collected, and signatures propagated. A full scan was performed, and all identified infections were cleaned.

Recommendations for affected users:

• Remove any nulled, pirated, or unknown plugins/themes.
• Update all plugins, themes, and WordPress core to the latest versions.
• Restore affected files from clean backups if available.
• Change WordPress admin credentials (and ideally FTP/SSH credentials as well).

Hopefully, this clarification helps others who encounter similar symptoms. If a site keeps getting reinfected after cleanup, it’s usually a sign of a persistent backdoor, not the cleanup tool itself.

Big thanks to John for reporting this!