How to reinstall infected WordPress Core using WP CLI

Let’s accept it, malware cleanup is a pain. Our time is better spent researching new infections and building better products to keep our customers happy than cleaning up the same malware again and again. When malware issues break, most of the tickets are about the same infection… because some popular plugin got hacked. You cannot simply get away with scanning for and deleting infected files. You have to repair the WordPress installation to make sure the core is clean before cleaning the infected files.

So it’s time to automate what we can and focus our energy where it’s spent best. A typical manual WordPress install takes about 30 minutes. If that sounds dumb, let me explain. WordPress’s famous 5 minute install doesn’t count the time it takes to upload the WordPress files. If you count that in, you download, extract, upload, create a database… forgot the cPanel credentials? Look for them. You get the story.

For the sake of brevity, let’s define WordPress core as all the files that come in the default download of WordPress.

On hacked sites, just reinstalling WordPress doesn’t fix the problem. A reinstall overwrites the core files, but any non-core files injected into the core directories are left in place. The idea is to delete the core folders first and then go ahead with the reinstall. It’s very important that you reinstall WordPress without losing data.

Before you delete anything, make sure you have WP CLI and the requisite permissions so that you can reinstall WordPress from the command line.

Do you have a backup? Cool.

Steps for WordPress manual re-install

Change into the root of your WordPress install and delete the core directories:

rm -rf wp-admin
rm -rf wp-includes

Install WP Core

wp core download --force --skip-content --locale=nl_NL --version=5.3.2

The --locale and --version parameters are optional. The --force flag forces overwriting of existing files, and --skip-content downloads WordPress without the default themes and plugins.

Verify Checksums

wp core verify-checksums

Time to reinstall plugins: First create a list of plugins. You are specifically looking for the plugin slugs which are the same as the plugin’s installation folder name.

Try the following command to get the output in an easy to copy and modify format:

wp plugin list --status=active

This will output the active plugins, which you can copy-paste and then run through a regex search and replace to turn into install commands.

Note down the active plugins; you’ll need this list to activate them later. Delete the existing plugins.

Then for each plugin run the following command to install the plugin:

wp plugin install plugin-folder --force

In case you want to activate the plugin while installing, use the following format:

wp plugin install plugin-folder --force --activate

Save this somewhere. If you are into bash scripting you can automate the entire thing. Hash-bang-it!
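
The steps above as a single script. This is an added example, not the author's own code: the function names and the --run entry point are hypothetical, and it assumes wp (WP-CLI) is on the PATH and that every active plugin can be installed by slug from wordpress.org.

```bash
#!/usr/bin/env bash
# Added example, not the article's script. Assumes `wp` (WP-CLI) is on PATH and
# every plugin is hosted on wordpress.org. Function names are hypothetical.

# Guard the rm -rf: only proceed in a directory that looks like a WordPress root.
is_wp_root() {
    [ -d "$1/wp-admin" ] && [ -f "$1/wp-includes/version.php" ] && [ -d "$1/wp-content" ]
}

# Delete the core directories (so injected non-core files go with them), then
# download the version that was installed and verify it against the checksums.
reinstall_core() {
    local root="$1" version
    is_wp_root "$root" || { echo "not a WordPress root: $root" >&2; return 2; }
    # Read the version first: it lives in wp-includes, which is about to go.
    version=$(wp core version --path="$root") || return 3
    rm -rf "$root/wp-admin" "$root/wp-includes"
    wp core download --force --skip-content --version="$version" --path="$root" || return 4
    wp core verify-checksums --path="$root" || return 5
}

# Delete and reinstall each active plugin by slug. Prints the slugs that could
# not be reinstalled (e.g. not on wordpress.org); returns non-zero if any failed.
reinstall_plugins() {
    local root="$1" slug slugs failed=""
    slugs=$(wp plugin list --status=active --field=name --path="$root") || return 6
    for slug in $slugs; do
        case $slug in ''|.*|*/*) continue ;; esac   # never let a slug escape plugins/
        rm -rf "$root/wp-content/plugins/$slug"
        wp plugin install "$slug" --force --activate --path="$root" >/dev/null 2>&1 \
            || failed="$failed$slug "
    done
    printf '%s\n' "${failed% }"
    [ -z "$failed" ]
}

# Hypothetical entry point: bash reinstall.sh --run /path/to/site
if [ "${1:-}" = "--run" ]; then
    reinstall_core "${2:-.}" && reinstall_plugins "${2:-.}"
fi
```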