A WordPress site can become compromised for various reasons, including but not limited to: outdated plugins, themes, or the core. Additionally, being on a shared hosting platform can increase the risk of infection from other websites.
WordPress CLI comes in handy while cleaning up a site. To begin, it is important to confirm that the core WordPress and plugins have valid checksums and that the theme files have been cleared.
⚠️ Make sure to take a backup before the cleanup.
We can break down the process like this:
- Replace WordPress core files if needed.
- Investigate
wp-configfile. - Verify plugin checksums.
- Check themes.
- Others
Replace WordPress core
The very first step would be to replace the WordPress core files. To do that run the command:
wp core download --force --skip-contentI’ve explained in depth about replacing core files here: Replace WordPress core with WP CLI
Investigate the wp-config file
Check if the wp-config[.]php file contains any suspicious code. Two common scenarios are either you’ll notice arbitrary code at the beginning or additional require statements at the bottom of the file. The file should end like this:
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';Code language: PHP (php)If you notice any additional require/require_once/@require statement at the bottom, either it’s from the host if you are on a managed host, or it’s from the malware. Delete the additional require statement if it’s not from the host.
Verify plugin checksums
Like WP core, there is a way to verify plugin checksums if the plugin exists on wordpress.org. To verify checksums for all plugins, we can run the command.
wp plugin verify-checksums --allIf plugin checksums fail, we’ll see that in the output. We have to reinstall those mentioned plugins.
We need to use the string in the plugin_name column to reinstall the plugins.
// Re-install single plugin
wp plugin install contact-form-7 --force
// Re-install all the plugins
wp plugin list --field=name | xargs wp plugin install --force
// Re-install faster and avoid PHP errors
wp plugin list --field=name --skip-plugins --skip-themes | xargs wp plugin install --force --skip-plugins --skip-themesCode language: PHP (php)For plugins that are not available in wordpress.org – CLI will return a warning message like: Warning: [plugin-name]: Plugin not found
Re-install those plugins manually by uploading a zip or from the WordPress admin area. To install a zipped plugin from CLI wp plugin install --force path-to-the-file/premium-plugin.zip
Check themes
Like plugins and WordPress core, there is no way to verify the checksums for themes. Themes need to be reinstalled, and codes need to be re-checked for child themes. We can use wp theme list to check the installed themes. The reinstallation procedure is as same as the plugins.
// Re-install single theme
wp theme install theme-name --force
// Re-install all the plugins
wp theme list --field=name | xargs wp theme install --force
// Re-install faster and avoid PHP errors
wp theme list --field=name --skip-plugins --skip-themes | xargs wp thene install --force --skip-plugins --skip-themesCode language: PHP (php)Reinstall premium themes. And for child themes, check the header/footer/functions files manually to find and remove suspicious code.
Others
Use sharifff.tempurl.host//sitecheck.sucuri.net/ to scan the site. Also, Use a security plugin like Defender Security or Wordfence Security. They have scan features that can scan the installed plugins, themes, and report vulnerabilities or any suspicious code.