
Malware Cleanup

Malware is one of the most common issues with WordPress sites, mainly caused by plugins that are not kept updated or simply by bad user practices. The recommended approach to cleanup is as follows.

This guide assumes that wp-cli is available.

Check the maldet logs to see whether any detections were made:

grep hits /usr/local/maldetect/logs/event_log

Run a recursive grep for the signature strings found by the scan (here 'exp' stands for the string to search for, and the trailing dot is the directory to search; quoting the glob stops the shell from expanding it):

grep -r -e 'exp' --include='*.php' .

Reset WordPress

Change directory to the WordPress install directory. In most cases the best way to start is to check whether the core files are infected and replace them if required. First check whether the checksums are OK:

wp core verify-checksums --allow-root

Before changing any files, note the installed WordPress version so you know which version needs to be downloaded:

grep wp_version wp-includes/version.php

Then remove the core files and reinstall WordPress (this overwrites the core files only; --skip-content leaves wp-content untouched). Replace VERSION with the value read from version.php above:

rm -rf wp-admin ; rm -rf wp-includes
rm -rf {SITEUID}
wp core download --force --skip-content --version=VERSION --allow-root
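The reset steps above, scripted as an added example (not part of the original guide): it reads the installed version out of wp-includes/version.php, refuses to touch a directory that does not look like a WordPress root, and by default only prints the rm and wp core download commands so the plan can be reviewed before DRY_RUN=0 performs it. It assumes wp-cli is installed as "wp"; --path is wp-cli's standard global option for the install directory, and the version.php contents in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Scripts the reset steps:
# read the installed version from wp-includes/version.php, confirm the
# directory really is a WordPress root, and only then remove and re-download
# the core files. With DRY_RUN unset or 1 it prints the commands instead of
# running them. Assumes wp-cli is installed as "wp" when DRY_RUN=0.

# Print the version defined in a version.php file (the line looks like
# $wp_version = '6.4.2'; ) or print nothing if it cannot be found.
wp_version_from_file() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)'.*/\1/p" "$1"
}

# True only if ROOT holds both wp-config.php and wp-includes/version.php,
# so an rm -rf of wp-admin and wp-includes cannot land in the wrong place.
is_wordpress_root() {
    [ -f "$1/wp-config.php" ] && [ -f "$1/wp-includes/version.php" ]
}

# Print (and with DRY_RUN=0 run) the reinstall for ROOT. --skip-content keeps
# wp-content untouched; --force overwrites the existing core files.
reinstall_core() {
    root=$1
    if ! is_wordpress_root "$root"; then
        echo "refusing: $root is not a WordPress root" >&2
        return 1
    fi
    version=$(wp_version_from_file "$root/wp-includes/version.php")
    if [ -z "$version" ]; then
        echo "refusing: could not read \$wp_version from version.php" >&2
        return 1
    fi
    echo "rm -rf \"$root/wp-admin\" \"$root/wp-includes\""
    echo "wp core download --path=\"$root\" --force --skip-content --version=$version --allow-root"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        rm -rf "$root/wp-admin" "$root/wp-includes"
        wp core download --path="$root" --force --skip-content --version="$version" --allow-root
    fi
}

# Usage: sh reset-core.sh /var/www/example           (prints the plan)
#        DRY_RUN=0 sh reset-core.sh /var/www/example  (performs it)
if [ -n "${1:-}" ]; then
    reinstall_core "$1"
fi
```

The two guards are the point of the script: the version is taken from the file rather than typed by hand, so the downloaded core always matches what was installed, and the root check means a mistyped path produces a refusal rather than an rm -rf somewhere else.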

Scan with a third-party plugin

As a third step, run a final scan with Wordfence to find any files that may have been missed.

Delete files

Delete files, confirming each one:

find . -type f -name "*.php" -exec rm -i {} \;

Find all PHP files (usually in the uploads directory, where PHP files should never be present) and delete them. Run this from inside the uploads directory: from the site root it would remove WordPress itself.

find . -name "*.php" -type f -delete
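The signature grep from the detection section and the uploads sweep above, combined into one script as an added example (not part of the original guide). It quarantines the files it finds rather than deleting them, so the evidence is still there for review, and keeps each file's path relative to the site root so its original location stays visible. It assumes GNU grep and find (for -r, -F and --include); the site tree and marker string in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Ties the signature grep from
# the detection step to the uploads sweep above, but moves matches into a
# quarantine directory instead of deleting them so the evidence survives.
# Assumes GNU grep and find.

# Print only the maldet event_log lines that mention hits.
maldet_hit_lines() {
    grep 'hits' "$1"
}

# List PHP files under DIR whose contents contain the string SIG.
# -F matches SIG literally (signatures often contain regex metacharacters),
# -l prints file names only, --include limits the search to *.php.
# Exit status is grep's: 1 means nothing matched.
php_files_with_signature() {
    grep -rlF -e "$2" --include='*.php' "$1"
}

# List PHP files under an uploads tree; PHP never belongs there, so every
# file listed is suspicious whatever it contains.
php_files_in_uploads() {
    find "$1" -type f -name '*.php'
}

# Number of PHP files left under DIR, to confirm the sweep did its job.
count_php_files() {
    find "$1" -type f -name '*.php' | wc -l | tr -d ' '
}

# Move FILE (a path below ROOT) into QUARANTINE, keeping its path relative
# to ROOT so the original location is obvious to whoever reviews it later.
quarantine_file() {
    root=$1; quarantine=$2; file=$3
    rel=${file#"$root"/}
    mkdir -p "$quarantine/$(dirname "$rel")"
    mv "$file" "$quarantine/$rel"
}

# Quarantine every PHP file under ROOT that contains SIG, plus every PHP file
# under ROOT/wp-content/uploads. sort -u drops files matched by both rules.
triage_site() {
    root=$1; sig=$2; quarantine=$3
    {
        php_files_with_signature "$root" "$sig" || :
        php_files_in_uploads "$root/wp-content/uploads"
    } | sort -u | while IFS= read -r f; do
        [ -n "$f" ] && quarantine_file "$root" "$quarantine" "$f"
    done
}

# Demo on a constructed site tree:  sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    site=$(mktemp -d); q=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2024" "$site/wp-content/themes/t"
    printf '<?php echo "clean";\n' > "$site/wp-content/themes/t/functions.php"
    printf '<?php /* bad_marker_constructed */\n' > "$site/wp-content/themes/t/inject.php"
    printf '<?php echo 1;\n' > "$site/wp-content/uploads/2024/cache.php"
    triage_site "$site" bad_marker_constructed "$q"
    echo "PHP files left in uploads: $(count_php_files "$site/wp-content/uploads")"
    find "$q" -type f
fi
```

Quarantining instead of deleting costs nothing during cleanup and leaves something to look at afterwards (how the file got there, what it did), which a plain rm destroys; once the review is done the quarantine directory can be removed in one step.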

Quick edit files

In vim: :n for the next file, :N for the previous file, dd to delete a line, :wn to write and move to the next file.

grep -rl pattern . | xargs -o vim