Awajiowa Ibotile

WP Malware Cleanup

awajis

I’ll outline the step-by-step approach to cleaning up malware from your WordPress website using WP-CLI.

To properly follow this guide, you need to have:

Here is what happened.

I routinely ran “site:example.com” on Google and saw some pharma malware results. Digging deeper, there were about 100 of them spread across the site.

A sample pharma malware page in the Google search results

I browsed my posts and page list from the WordPress dashboard. These pharma spam posts weren’t showing up.

What I did first.

I fired up the terminal and logged into the server over SSH.

You’ll need the server name, username, and password to do this.

Install WP-CLI on the server that hosts WordPress. Here is a link to the official installation guide at wordpress.org

Once WP-CLI is installed, run wp --version to confirm it works.

Checking the WP-CLI version

My personal approach

Step 1: Run wp core verify-checksums

This verifies the integrity of the WordPress core files against the checksums WordPress.org publishes for the installed version.

It also flags files inside wp-admin and wp-includes that are not part of that release, which is where injected files often hide. Files elsewhere (wp-content, the site root) are not covered by this check.

As suspected, the WordPress installation doesn’t verify against checksums.

To fix this,

Confirm the core version with:

Rename your wp-admin and wp-includes folders. Keep the renamed copies until the clean install verifies, in case you need to compare files or recover something.

Then reinstall the WordPress core at the confirmed version:

You should get a success message at the end.

Step 2: Run wp plugin verify-checksums --all

This verifies the files of every installed plugin against the checksums published for its version in the official WordPress.org repository. Plugins that are not hosted there (premium or custom plugins) have no published checksums and are reported as unverifiable rather than clean.

The above shows that 2 out of 22 plugins couldn’t be verified.

Personally, I remove all non-essential plugins that are not from the official WordPress repo just to fulfil all righteousness.

So, I’ll go ahead and remove those two plugins for the moment.

My WordPress core and plugin list should be good now.

Run both checksum commands again, just to be sure.

You should see a success message for both.

wp core verify-checksums

As expected, the WordPress installation should verify against checksums now.
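Steps 1 and 2 as one shell script, added here as an example; these are not the commands from the post, which were shown as screenshots. It assumes WP-CLI is installed on PATH as wp, that it is run from the WordPress root (where wp-config.php lives), and that a full backup of the site exists. The function names flagged_files, reinstall_core and cleanup_core_and_plugins are chosen here, and the two warning lines quoted in the comments are constructed to follow the format of the command's own warnings.

```shell
#!/bin/sh
# Added example (not the post's own commands): steps 1 and 2 with WP-CLI.
# Assumes WP-CLI is on PATH as "wp", that you are in the WordPress root
# (where wp-config.php lives) and that a full backup of the site exists.
set -eu

WP="${WP:-wp}"

# Pull the file paths out of "wp core verify-checksums" output. The command
# prints one warning per problem, in two forms (these two lines are
# constructed to follow the format of the real warnings):
#   Warning: File doesn't verify against checksum: wp-includes/version.php
#   Warning: File should not exist: wp-admin/css/colors/x.php
# Modified files get overwritten by the reinstall; extra files are the
# injected ones, so this list is worth reading before anything is replaced.
flagged_files() {
    sed -n \
        -e "s/^Warning: File doesn't verify against checksum: //p" \
        -e 's/^Warning: File should not exist: //p'
}

# Reinstall core: read the installed version, move the two core directories
# aside rather than deleting them, then download the same version over the
# install. --force overwrites files that are still in place (wp-login.php,
# wp-settings.php and the rest of the root); --skip-content omits the bundled
# themes and plugins so wp-content is left alone.
reinstall_core() {
    version="$("$WP" core version)"
    stamp="$(date +%Y%m%d%H%M%S)"
    mv wp-admin "wp-admin.bak.$stamp"
    mv wp-includes "wp-includes.bak.$stamp"
    "$WP" core download --version="$version" --skip-content --force
    echo "Core $version reinstalled; old directories kept as *.bak.$stamp"
}

# Full pass: verify, reinstall if verification fails, verify again, then
# check plugins. Plugins not hosted on wordpress.org have no published
# checksums; the command reports them itself and they need a manual decision.
cleanup_core_and_plugins() {
    report="$("$WP" core verify-checksums 2>&1)" && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        echo "Core does not verify; flagged files:"
        printf '%s\n' "$report" | flagged_files
        reinstall_core
        "$WP" core verify-checksums
    fi
    "$WP" plugin verify-checksums --all
}

if [ "${1:-}" = "--run" ]; then
    cleanup_core_and_plugins
fi
```

Run it as sh cleanup-core.sh --run from the WordPress root; without --run it only defines the functions, so the file can be sourced and flagged_files used on its own against saved output. WP-CLI writes its warnings to stderr, which is why the report captures 2>&1.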

You should also clear your cache (page cache, object cache and any CDN) and request the spam URLs again to confirm they are really gone. The Google results themselves will only update once the pages are re-crawled.

Step 3: Search the database for scripts

Browse through the results for anything malicious. In my case, it’s just a bunch of ad codes. So, I’m fine here.
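A worked version of this step, added here as an example and not the post's own commands: it searches the database for the usual injection markers with wp db search, counts posts by type and status to surface entries the dashboard does not list, and runs a keyword triage over the post list. It assumes WP-CLI is on PATH as wp and is run from the WordPress root; the keyword list, the function names and the CSV sample used in testing are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the post's own commands): searching the database for
# injected scripts and for the spam posts the dashboard does not show.
# Assumes WP-CLI is on PATH as "wp" and that you are in the WordPress root.
set -eu

WP="${WP:-wp}"

# Terms that pharma spam leaves in titles and content. Not exhaustive;
# add whatever the site: search on Google showed for your own site.
PHARMA_TERMS='viagra|cialis|levitra|tadalafil|sildenafil|tramadol|pharmacy'

# Case-insensitive triage over any text piped in (a post list, db search
# output, a dump). Returns 0 even with no hits so set -e does not abort.
grep_pharma() {
    grep -iE "$PHARMA_TERMS" || true
}

# wp db search looks through every text column for a literal string.
# --all-tables includes tables without the site prefix (some injectors
# create their own); the context flags show enough around each hit to
# judge it. <script and <iframe are the usual carriers; eval( and
# base64_decode point at obfuscated PHP stored in options or post meta.
search_db() {
    for pattern in '<script' '<iframe' 'eval(' 'base64_decode' 'gzinflate('; do
        echo "== $pattern"
        "$WP" db search "$pattern" --all-tables --table_column_once \
            --before_context=20 --after_context=80
    done
}

# Posts hidden from the dashboard usually carry an unexpected post_type or
# post_status. Count every combination straight from the posts table;
# wp db prefix prints the configured table prefix.
posts_by_type_and_status() {
    prefix="$("$WP" db prefix)"
    "$WP" db query "SELECT post_type, post_status, COUNT(*) AS n
        FROM ${prefix}posts GROUP BY post_type, post_status ORDER BY n DESC"
}

# Then list everything, whatever its type or status, and triage by keyword.
list_pharma_posts() {
    "$WP" post list --post_type=any --post_status=any \
        --fields=ID,post_type,post_status,post_title --format=csv | grep_pharma
}

if [ "${1:-}" = "--run" ]; then
    search_db
    posts_by_type_and_status
    list_pharma_posts
fi
```

Read the db search output the way the post does: ad snippets, embed codes and legitimate inline scripts from the theme will show up too, so the hits are a list to inspect, not a list to delete. Any post_type or post_status that no installed plugin explains deserves a look in the database directly.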

Step 4: Reinstall all themes available on WordPress.org.

Step 5: Reinstall all plugins available on WordPress.org.

Delete any theme or plugin that errors out at the end of the reinstall, after confirming it is not a legitimate premium or custom one that simply isn't hosted on WordPress.org.

In my case, I’ll go to the wp-content folder and delete db.php and advanced-cache.php

In most cases, the spam contents should be removed from your website now.

Step 6: Reset the WordPress password for all users

Audit the admin list using:

Delete any user you don’t recognize and reassign their posts to a user you trust.
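Steps 4 to 6 as one script, added here as an example rather than the commands from the post. It reinstalls every theme and plugin from WordPress.org and lists the ones that could not be fetched instead of deleting them, inventories the drop-in files in wp-content (the db.php and advanced-cache.php of step 5 belong to that group), prints the administrator list, and resets every password while destroying sessions and rotating the salts. It assumes WP-CLI is on PATH as wp and is run from the WordPress root; the function names are chosen here, and the session and salt rotation are additions to the post's procedure, not something it describes.

```shell
#!/bin/sh
# Added example (not the post's own commands) for steps 4 to 6: reinstall
# themes and plugins from wordpress.org, inventory the drop-ins in
# wp-content, then audit users and reset every password. Assumes WP-CLI is
# on PATH as "wp" and that the script is run from the WordPress root.
set -eu

WP="${WP:-wp}"

# Reinstall every installed theme and plugin from the wordpress.org copy.
# --force overwrites the files already on disk. Anything not hosted on
# wordpress.org (premium or custom code) fails to download; those are
# listed at the end for a manual decision instead of being deleted blindly.
reinstall_from_wporg() {
    failed=""
    for slug in $("$WP" theme list --field=name); do
        "$WP" theme install "$slug" --force || failed="$failed theme:$slug"
    done
    for slug in $("$WP" plugin list --field=name); do
        "$WP" plugin install "$slug" --force || failed="$failed plugin:$slug"
    done
    [ -z "$failed" ] || echo "Not reinstalled, review by hand:$failed"
}

# Drop-ins are single PHP files WordPress loads from wp-content purely by
# name, with no activation step, which makes them a favourite hiding place.
# Print the ones present in the given directory. A caching plugin will own
# advanced-cache.php or object-cache.php and a database layer plugin may own
# db.php; anything you cannot attribute to an installed plugin goes.
# (wp plugin list --status=dropin shows the same inventory.)
list_dropins() {
    dir="${1:-wp-content}"
    for f in advanced-cache.php db.php db-error.php install.php maintenance.php \
             object-cache.php php-error.php fatal-error-handler.php sunrise.php; do
        if [ -f "$dir/$f" ]; then echo "$f"; fi
    done
}

# Administrators, oldest first, with the fields needed to recognise them.
audit_admins() {
    "$WP" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --orderby=registered
}

# Remove an account you do not recognise, keeping its content under a
# trusted user. Usage: remove_user <bad-id> <trusted-id>
remove_user() {
    "$WP" user delete "$1" --reassign="$2" --yes
}

# 20 characters of [A-Za-z0-9] from the kernel RNG.
random_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-20
}

# Reset every password, destroy every session and rotate the salts in
# wp-config.php so no stolen cookie survives the cleanup. --skip-email
# stops WordPress mailing each user; tell them to use "Lost your password?".
reset_everyone() {
    for id in $("$WP" user list --field=ID); do
        "$WP" user update "$id" --user_pass="$(random_password)" --skip-email
        "$WP" user session destroy "$id" --all
    done
    "$WP" config shuffle-salts
}

if [ "${1:-}" = "--run" ]; then
    reinstall_from_wporg
    echo "Drop-ins present:"; list_dropins
    audit_admins
    reset_everyone
fi
```

remove_user is deliberately not called from the --run path: decide which accounts go from the audit_admins output first, then call it by hand with the ID to delete and the ID to reassign to. Rotating the salts logs everyone out, including you, so run that last.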

I hope you found this useful.

All the best!
