A WordPress site can become compromised for various reasons, including but not limited to: outdated plugins, themes, or the core. Additionally, being on a shared hosting platform can increase the risk of infection from other websites.
WP-CLI comes in handy when cleaning up a site. To begin, confirm that WordPress core and the plugins have valid checksums and that the theme files are clean.
We can break down the process like this:
- Replace WordPress core files if needed.
- Verify plugin checksums.
- Check themes.
Replace WordPress core
The very first step is to replace the WordPress core files. To do that, run the command:
wp core download --force --skip-content
I’ve explained replacing core files in depth here: Replace WordPress core with WP CLI
Investigate the wp-config file
Check whether the wp-config.php file contains any suspicious code. There are two common scenarios: you’ll notice either arbitrary code at the beginning of the file or additional require statements at the bottom. The file should end like this:
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
If you notice any additional require/require_once/@require statement at the bottom, it’s either from the host (if you are on a managed host) or from the malware. Delete the additional require statement if it’s not from the host.
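A quick check for the two tampering patterns described above, as an added example that is not from the original post. The function names, the constructed sample files and the heuristics (a bare <?php first line, nothing require/include-like after the wp-settings.php line) are assumptions; a managed host's legitimate require is flagged too and needs a manual look.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Heuristic assumptions: a clean
# wp-config.php starts with a bare "<?php" line and has no require/include
# after the wp-settings.php line.

check_wp_config() {
    local file status first settings_line
    file="$1"; status=0
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

    # Scenario 1: arbitrary code at the beginning of the file.
    first="$(head -n 1 "$file" | tr -d '\r')"
    if [ "$first" != "<?php" ]; then
        echo "SUSPICIOUS: line 1 is not a bare '<?php' tag: $(printf '%s' "$first" | cut -c1-80)"
        status=1
    fi

    # Scenario 2: extra require/include statements after wp-settings.php.
    settings_line="$(grep -n "wp-settings\.php" "$file" | head -n 1 | cut -d: -f1)"
    if [ -z "$settings_line" ]; then
        echo "SUSPICIOUS: no wp-settings.php require found"
        return 1
    fi
    awk -v start="$settings_line" '
        NR > start && /(require|include)/ {
            printf "SUSPICIOUS: line %d: %s\n", NR, $0; hit = 1
        }
        END { exit hit ? 1 : 0 }' "$file" || status=1

    return "$status"
}

# Constructed sample files (placeholders, not real malware) for a dry run.
make_samples() {
    printf '%s\n' '<?php' "define( 'DB_NAME', 'example' );" \
        '/** Sets up WordPress vars and included files. */' \
        "require_once ABSPATH . 'wp-settings.php';" > "$1/clean.php"
    { cat "$1/clean.php"; echo "@require '/path/to/placeholder.php';"; } > "$1/tail.php"
    { echo '<?php /* constructed placeholder for injected code */ ?><?php'
      tail -n +2 "$1/clean.php"; } > "$1/head.php"
}

# Run against a real file when a path is given as the first argument.
if [ "$#" -gt 0 ]; then check_wp_config "$1"; fi
```

The function returns 0 for a file that matches both assumptions, 1 when something is flagged and 2 when the file cannot be read, so it can gate a cleanup script.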
Verify plugin checksums
As with WP core, there is a way to verify plugin checksums if the plugin exists on wordpress.org. To verify checksums for all plugins, run the command:
wp plugin verify-checksums --all
If plugin checksums fail, we’ll see that in the output. Those plugins have to be reinstalled.
We need to use the string in the plugin_name column to reinstall the plugins.
Re-install a single plugin:
wp plugin install contact-form-7 --force
Re-install all the plugins:
wp plugin list --field=name | xargs wp plugin install --force
Re-install faster and avoid PHP errors:
wp plugin list --field=name --skip-plugins --skip-themes | xargs wp plugin install --force --skip-plugins --skip-themes
For plugins that are not available on wordpress.org, the CLI will return a warning message like: Warning: [plugin-name]: Plugin not found
Re-install those plugins manually by uploading a zip or from the WordPress admin area. To install a zipped plugin from the CLI:
wp plugin install --force path-to-the-file/premium-plugin.zip
Unlike plugins and WordPress core, there is no way to verify the checksums for themes. Themes need to be reinstalled, and the code of child themes needs to be re-checked. We can use wp theme list to check the installed themes. The reinstallation procedure is the same as for plugins.
Re-install a single theme:
wp theme install theme-name --force
Re-install all the themes:
wp theme list --field=name | xargs wp theme install --force
Re-install faster and avoid PHP errors:
wp theme list --field=name --skip-plugins --skip-themes | xargs wp theme install --force --skip-plugins --skip-themes
Reinstall premium themes. And for child themes, check the header/footer/functions files manually to find and remove suspicious code.
Use https://sitecheck.sucuri.net/ to scan the site. Also, use a security plugin like Defender Security or Wordfence Security. They have scan features that can scan the installed plugins and themes and report vulnerabilities or any suspicious code.