This article explains why you may have received a security notification from Servebolt, what Threat Shield detected on your site, and what actions, if any, you need to take.
Why did I receive an email about malware on my site?
You received this email because Threat Shield detected malicious or suspicious activity on your site. Threat Shield continuously monitors files written or modified on the server and uses behaviour-based, signature-less detection to identify potential malware.
If you have an active Threat Shield subscription, detected threats are handled automatically. If you do not have Threat Shield enabled, the activity is reported so that you are aware of the potential security issue and can decide how to proceed.
Detection alerts are sent regardless of subscription status to inform you about potential security issues. An active Threat Shield subscription is required for automatic remediation and access to detailed threat information.
What is Threat Shield?
Threat Shield is Servebolt’s server-level malware detection and protection system, powered by Monarx. It focuses on identifying malicious behaviour across your site, not just known malware signatures.
Instead of relying on application plugins or static pattern matching, Threat Shield analyses how files and code behave. This behaviour-based approach makes Threat Shield effective at detecting threats such as zero-day malware, backdoors, and hidden infections that traditional scanners may miss.
Threat Shield operates at the server level and does not rely on WordPress plugins or application-level scanning.
What is Active Protection?
Active Protection is built into Threat Shield and automatically remediates detected threats for all Threat Shield customers.
When Threat Shield is active on your site:
- Files written or modified on your site are scanned in real time
- Detected malicious files are automatically removed
- After the cleanup, the site continues to be monitored
- You receive an email notification when an action is taken
If your email indicates that action was taken automatically, Threat Shield has handled the issue.
Do I need to take any action?
What you need to do depends on the message shown in the email you received.
If the email indicates that action was taken automatically
No immediate action is required. The detected issue has been automatically handled, and your site is currently being monitored. You will be notified if further related activity is detected.
If the email reports detection without automatic remediation
Threat Shield detected suspicious activity, but automatic remediation was not performed because Threat Shield is not enabled on your site. You should review your site and consider enabling Threat Shield to automatically handle future threats.
If you are unsure what was detected or how to proceed
Review the report linked in the email and/or check out the “I’ve been hacked” article for help assessing the impact and deciding on next steps.
What does “automatically handled” mean?
When your email states that a threat was handled automatically, it means Threat Shield detected and removed the malicious file without requiring any action from you. After the cleanup, the site continues to be monitored by Threat Shield to ensure no related activity appears.
Additional details are available in the report linked from the notification email.
Why can’t I see all the details about the detected threat?
Threat Shield notifications are designed to inform you that suspicious or malicious activity was detected on your site. For customers without an active Threat Shield subscription, detailed technical information about the detected threat may be limited.
We are not withholding information about your site. Threat Shield is powered by Monarx, and detailed threat data is only available when the service is actively enabled. Without an active Threat Shield subscription, we do not receive additional technical details that can be shared.
If you want full visibility into detected threats and automatic remediation, enabling Threat Shield is recommended.
Will I receive more emails?
Yes, but notifications are intentionally designed to provide transparency without unnecessary noise:
- Incident notifications are sent at most once per site per 24 hours
- Weekly security summaries provide an overview of detections and actions across your sites
Each email includes a link to a report with available details.
Does Threat Shield clean my entire site?
When Threat Shield is enabled, your entire site and all files are scanned. Any malicious files detected are automatically removed.
Threat Shield does not perform a full historical cleanup or guarantee that all previously compromised files outside its detection scope are identified.
In some cases, additional cleanup may still involve:
- Manual file review
- Restoring from clean backups
- Assistance from the Servebolt support team
How is Threat Shield installed?
- Threat Shield is installed per site
- It can be purchased from the Security page in the Admin Panel
- Protection applies at the server level across the entire site
If you have questions about a specific detection or want help reviewing your site’s security status, feel free to reach out to our support team.