I’ll outline a step-by-step approach to cleaning malware out of a WordPress site using WP-CLI.
To follow this guide, you need:
- WP-CLI installed on your web server.
- basic familiarity with Linux commands.
Here is what happened.
I routinely run “site:example.com” on Google, and this time I saw pharma spam results. Digging deeper, there were about 100 of them spread across the site.
I browsed my posts and page list from the WordPress dashboard. These pharma spam posts weren’t showing up.
What I did first.
I fired up the terminal and logged into the server over SSH.
You’ll need the server name, user name, and password to do this.
ssh username@servername.com
Install WP-CLI on the WordPress host server, following the official installation guide (linked from wordpress.org).
Once WP-CLI is installed, confirm it runs:
$ wp cli version
WP-CLI 2.8.1
My personal approach
Step 1: Run wp core verify-checksums
wp core verify-checksums
This compares every core file (wp-admin, wp-includes and the root PHP files) against the checksums WordPress.org publishes for your version.
It reports files whose contents have changed and files inside the core directories that should not exist, which is where injected PHP usually shows up. It does not look at wp-content at all; themes, plugins and drop-ins are handled in the later steps.
As suspected, the WordPress installation doesn’t verify against checksums.
To fix this, take a backup first, then confirm the core version:
wp core version
Move wp-admin and wp-includes out of the way (rename them, or better, move them outside the web root so any leftover PHP can no longer be requested). This matters because --force overwrites files that belong to core but never deletes extra files that don’t.
Then reinstall the core at the same version you just confirmed:
wp core download --version=6.4.2 --skip-content --force
--skip-content leaves wp-content, and with it your themes and plugins, untouched. The site is unavailable between the rename and the download, so do the two back to back. You should get a success message at the end.
Step 2: Run wp plugin verify-checksums --all
wp plugin verify-checksums --all
This verifies every plugin hosted in the official WordPress.org repository against its published checksums. Plugins that are not on WordPress.org (premium or custom ones) have nothing to verify against and are reported as unverifiable; that alone is not proof of tampering, only that the tool cannot vouch for them.
In my case the output showed that 2 out of 22 plugins couldn’t be verified.
Personally, I remove all non-essential plugins that are not from the official WordPress repo just to fulfil all righteousness.
So, I’ll go ahead and remove those two plugins for the moment.
My WordPress core and plugin list should be good now.
Run both checksum commands again, just to be sure.
You should see a success message for both.
As expected, the WordPress installation should verify against checksums now.
You should also clear every cache in the path (plugin page cache, server-side cache, CDN) and revisit the spam URLs to make sure they are truly gone rather than being served from cache.
Step 3: Search the database for scripts
wp db search "<script"
Browse through the results for anything malicious. In my case, it’s just a bunch of ad codes. So, I’m fine here.
Step 4: Reinstall all themes available on WordPress.org.
wp theme install $(wp theme list --field=name) --force --skip-plugins --skip-themes
The --skip-plugins and --skip-themes flags are WP-CLI globals that stop the site’s (possibly compromised) plugin and theme code from executing while the command runs.
Step 5: Reinstall all plugins available on WordPress.org.
wp plugin install $(wp plugin list --field=name) --force --skip-plugins --skip-themes
Any theme or plugin that errors out at the end of the install is not on WordPress.org and could not be replaced with a clean copy; remove it unless you can get a fresh copy from its vendor. Then check the drop-ins in wp-content: files such as db.php and advanced-cache.php are loaded by WordPress whether or not any plugin is active, so unless you know which caching or database plugin created them, treat them as suspect.
In my case, I’ll go to the wp-content folder and delete db.php and advanced-cache.php
In most cases, the spam contents should be removed from your website now.
Step 6: Reset the WordPress password for all users
wp user reset-password $(wp user list --format=ids)
This sets a new random password for every user and emails each of them a reset link.
Audit the administrator list:
wp user list --role=administrator
Delete any user you don’t recognize and reassign their posts to a user you trust (here user ID 2 is deleted and its posts go to user ID 4):
wp user delete 2 --reassign=4
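The six steps above as one script, as an added example that is not part of the original post and not WP-CLI’s own code. It follows the same WP-CLI commands, with two changes a responder would want: the old core directories and suspect drop-ins are moved into a quarantine directory outside the web root instead of being deleted (so they can be examined later), and the salts are rotated after the password reset so every existing login cookie is invalidated. It assumes WP-CLI 2.x on the host, that it is run from the WordPress root, that a backup exists, and that the WP and QUARANTINE variables are the only site-specific inputs; the drop-in list is the one WordPress itself recognizes. Nothing touches the site unless it is run with --run.

```shell
#!/bin/sh
# Added example (not from the original post, not WP-CLI's own code): the cleanup
# steps as one script, with old core directories and drop-ins quarantined rather
# than deleted. Assumes WP-CLI 2.x, the WordPress root as working directory, and
# a backup. Only "./cleanup.sh --run" touches the site; without --run the helper
# functions are merely defined.
set -eu

WP=${WP:-wp}                                            # e.g. WP="wp --path=/var/www/html"
QUARANTINE=${QUARANTINE:-${HOME:-/tmp}/wp-quarantine}   # evidence kept outside the web root

# Drop-in files WordPress loads from wp-content without any plugin being active.
# This is the list WordPress itself recognizes; db.php and advanced-cache.php
# from the post are two of them.
DROPINS="advanced-cache.php db.php db-error.php install.php maintenance.php
object-cache.php php-error.php fatal-error-handler.php sunrise.php
blog-deleted.php blog-inactive.php blog-suspended.php"

# list_dropins DIR: print the drop-ins present in DIR (normally wp-content), one per line.
list_dropins() {
  for f in $DROPINS; do
    [ -f "$1/$f" ] && echo "$f"
  done
  return 0
}

# quarantine PATH: move a file or directory to $QUARANTINE/<date>/PATH.
# The copy survives for forensics and can be diffed against a clean release.
quarantine() {
  dest="$QUARANTINE/$(date +%Y%m%d)/$1"
  mkdir -p "$(dirname "$dest")"
  mv "$1" "$dest"
  echo "quarantined $1 -> $dest"
}

main() {
  ver=$($WP core version)
  echo "== core $ver"
  # --force overwrites known core files but never removes extras, so the old
  # directories are moved aside first. Both commands run before WP loads, so no
  # PHP from the compromised site executes here.
  if ! $WP core verify-checksums; then
    mv wp-admin wp-admin.old
    mv wp-includes wp-includes.old
    $WP core download --version="$ver" --skip-content --force
    $WP core verify-checksums
    quarantine wp-admin.old
    quarantine wp-includes.old
  fi

  echo "== drop-ins present in wp-content (confirm which plugin created each one)"
  list_dropins wp-content

  # Items not hosted on WordPress.org fail individually and leave a non-zero
  # exit status at the end, hence "|| true"; review those by hand.
  echo "== plugin checksums"
  $WP plugin verify-checksums --all --skip-plugins --skip-themes || true
  echo "== reinstalling themes and plugins from WordPress.org"
  $WP theme install $($WP theme list --field=name) --force --skip-plugins --skip-themes || true
  $WP plugin install $($WP plugin list --field=name --status=active) --force --skip-plugins --skip-themes || true
  $WP plugin install $($WP plugin list --field=name --status=inactive) --force --skip-plugins --skip-themes || true

  echo "== script tags stored in the database"
  $WP db search '<script' || true

  echo "== credentials"
  $WP user reset-password $($WP user list --format=ids) --skip-plugins --skip-themes
  $WP config shuffle-salts   # new salts invalidate every existing login cookie
  $WP user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Review the quarantine directory and the list of unverifiable plugins by hand afterwards; the script deliberately does not delete anything it cannot verify.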
I hope you found this useful.
All the best!
Tags: wordpress