Malware Cleanup with WP CLI

A WordPress site can become compromised for various reasons, including but not limited to: outdated plugins, themes, or the core. Additionally, being on a shared hosting platform can increase the risk of infection from other websites.

WordPress CLI comes in handy while cleaning up a site. To begin, it is important to confirm that the core WordPress and plugins have valid checksums and that the theme files have been cleared.

⚠️ Make sure to take a backup before the cleanup.

We can break down the process like this:

  • Replace WordPress core files if needed.
  • Investigate wp-config file.
  • Verify plugin checksums.
  • Check themes.
  • Others

Replace WordPress core

The very first step would be to replace the WordPress core files. To do that run the command:

wp core download --force --skip-content

I’ve explained in depth about replacing core files here: Replace WordPress core with WP CLI

Investigate the wp-config file

Check if the wp-config[.]php file contains any suspicious code. Two common scenarios are either you’ll notice arbitrary code at the beginning or additional require statements at the bottom of the file. The file should end like this:

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';Code language: PHP (php)

If you notice any additional require/require_once/@require statement at the bottom, either it’s from the host if you are on a managed host, or it’s from the malware. Delete the additional require statement if it’s not from the host.

Verify plugin checksums

Like WP core, there is a way to verify plugin checksums if the plugin exists on wordpress.org. To verify checksums for all plugins, we can run the command.

wp plugin verify-checksums --all

If plugin checksums fail, we’ll see that in the output. We have to reinstall those mentioned plugins.

We need to use the string in the plugin_name column to reinstall the plugins.

// Re-install single plugin
wp plugin install contact-form-7 --force

// Re-install all the plugins 
wp plugin list --field=name | xargs wp plugin install --force

// Re-install faster and avoid PHP errors 
wp plugin list --field=name --skip-plugins --skip-themes | xargs wp plugin install --force --skip-plugins --skip-themesCode language: PHP (php)

For plugins that are not available in wordpress.org – CLI will return a warning message like: Warning: [plugin-name]: Plugin not found

Re-install those plugins manually by uploading a zip or from the WordPress admin area. To install a zipped plugin from CLI wp plugin install --force path-to-the-file/premium-plugin.zip

Check themes

Like plugins and WordPress core, there is no way to verify the checksums for themes. Themes need to be reinstalled, and codes need to be re-checked for child themes. We can use wp theme list to check the installed themes. The reinstallation procedure is as same as the plugins.

// Re-install single theme
wp theme install theme-name --force

// Re-install all the plugins 
wp theme list --field=name | xargs wp theme install --force

// Re-install faster and avoid PHP errors 
wp theme list --field=name --skip-plugins --skip-themes | xargs wp thene install --force --skip-plugins --skip-themesCode language: PHP (php)

Reinstall premium themes. And for child themes, check the header/footer/functions files manually to find and remove suspicious code.

Others

Use https://sitecheck.sucuri.net/ to scan the site. Also, Use a security plugin like Defender Security or Wordfence Security. They have scan features that can scan the installed plugins, themes, and report vulnerabilities or any suspicious code.