Let’s accept it, malware cleanup is a pain. Our time at Malcure Web Security is better spent researching new infections and building better products to keep our customers happy than cleaning up the same malware again and again. When a malware wave breaks, most of the malware removal tickets are about the same infection… because some popular plugin (or theme) got hacked. You cannot simply get away with scanning for and deleting infected files. You have to repair the WordPress installation to make sure the core is clean before cleaning up the infected files.
So it’s time to automate what we can and focus our energy where it’s spent best. A typical manual WordPress install takes about 30 mins. If that sounds dumb then let me explain. WordPress’s famous 5 minute install doesn’t count the time it takes to upload WordPress files. If you count that in, you download, extract, upload, create a database… forgot the cPanel credentials? Look for them, you get the story.
For the sake of brevity, let’s define WordPress core as all the files that come in the default download of WordPress.
On hacked sites, simply reinstalling WordPress doesn’t fix the problem: reinstalling overwrites the core files, but any non-core files injected into the core directories (wp-admin, wp-includes) are not part of the download and are left in place. The idea is to delete the core folders first and then go ahead with the reinstall. It’s very important that to fix a hacked site you reinstall WordPress without losing data.
Before you delete, make sure you have WP CLI and the requisite permissions so that you can reinstall WordPress from command line.
Do you have a backup? Cool.
Steps for WordPress manual re-install
- Change into the root of your WordPress install.
- Delete wp-admin directory
rm -rf wp-admin
- Delete wp-includes directory
rm -rf wp-includes
- Install WP Core with ‘wp core download’
For this we are going to use the nifty wp cli command wp core download.
Beware that wp core download --force and wp core update --force don’t clean up (old) files (GitHub Issue #2183), which is exactly why wp-admin and wp-includes were deleted first.
wp core download --force --skip-content --locale=nl_NL --version=6.1.1
The --locale and --version parameters are optional. The --force flag forces overwriting of existing files; --skip-content downloads the core without the default themes and plugins, so wp-content is left alone.
If you want to do this over FTP the old-school way, you can download the archive locally, extract it and upload it to the server… The download is at:
Verify Checksums [optional]
wp core verify-checksums
Time to reinstall plugins: [optional]
First create a list of plugins. You are specifically looking for the plugin slugs which are the same as the plugin’s installation folder name.
Try the following command to get the output in an easy to copy and modify format:
wp plugin list --status=active
This prints the plugin names, which match their directory names, so you can copy-paste the list and turn it into a series of commands with a regex search-and-replace.
Note down the active plugins; you’ll need this list to activate them later. Delete the existing plugins.
Then for each plugin run the following command to install the plugin:
wp plugin install plugin-folder --force
In case you want to activate the plugin while installing, use the following format:
wp plugin install plugin-folder --force --activate
Save this somewhere. If you are into bash scripting you can automate the entire thing. For example, here is a bash script for reinstalling infected WordPress plugins using WP CLI. Hash-bang-it!
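As an added example (not Malcure’s own script), the following POSIX shell script chains the steps above: collect the active plugin slugs, delete and re-download the core, verify checksums, then delete and reinstall each plugin. It assumes it is run from the WordPress root with a backup taken and WP-CLI in PATH; the WP and DRY_RUN variables and the --run flag are conventions of this example only.

```shell
#!/bin/sh
# Added example (not Malcure's script): automates the manual steps above.
# Assumptions: run from the WordPress root, a backup exists, WP-CLI is in PATH
# (override with WP=/path/to/wp), and DRY_RUN=1 only prints the commands.
set -eu

WP=${WP:-wp}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Filter `wp plugin list --status=active --field=name` output to bare slugs:
# drops blank lines and a stray "name" header line.
plugin_slugs() {
  grep -v '^[[:space:]]*$' | grep -vx 'name' || true
}

# Remove wp-admin and wp-includes entirely (so injected non-core files go with
# them), then fetch a clean core without touching wp-content, and verify it.
reinstall_core() {
  [ -f wp-config.php ] || { echo "not a WordPress root: $PWD" >&2; return 1; }
  run rm -rf wp-admin wp-includes
  run "$WP" core download --force --skip-content
  run "$WP" core verify-checksums
}

# Read slugs from stdin; delete each plugin directory and reinstall it from
# wordpress.org, re-activating it in the same step.
reinstall_plugins() {
  while IFS= read -r slug; do
    [ -n "$slug" ] || continue
    run "$WP" plugin delete "$slug"
    run "$WP" plugin install "$slug" --force --activate
  done
}

main() {
  # Collect the active list first: once wp-includes is gone, WP-CLI can no
  # longer load WordPress to answer `wp plugin list`.
  slugs=$("$WP" plugin list --status=active --field=name | plugin_slugs)
  reinstall_core
  printf '%s\n' "$slugs" | reinstall_plugins
}

# Runs only when invoked as `sh reinstall.sh --run`; sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with DRY_RUN=1 to review the exact commands before letting it touch the site.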