Step-by-Step guide to efficiently reinstalling infected WordPress Core using WP CLI


Let’s accept it, malware cleanup is a pain. Our time at Malcure Web Security is better spent researching new infections and building better products to keep our customers happy than cleaning up the same malware again and again. When malware issues break out, most of the malware removal tickets are about the same infection… because some popular plugin (or theme) got hacked. You cannot get away with simply scanning for and deleting the infected files. You have to repair the WordPress installation to make sure the core is clean before cleaning the infected files.

So it’s time to automate what we can and focus our energy where it’s spent best. A typical manual WordPress install takes about 30 minutes. If that sounds dumb, then let me explain. WordPress’s famous 5-minute install doesn’t count the time it takes to upload the WordPress files. If you count that in, you download, extract, upload, create a database… forgot the cPanel credentials? Look for them. You get the story.

For the sake of brevity, let’s define WordPress core as all the files that come in the default download of WordPress.

On hacked sites, just reinstalling WordPress doesn’t fix issues. When you reinstall the core files, the existing core files are overwritten, but any non-core files injected into the core directories aren’t. The idea is to delete the core folders first and then go ahead with the reinstall. To fix a hacked site, it’s very important that you reinstall WordPress without losing data.

Before you delete anything, make sure you have WP CLI and the requisite permissions so that you can reinstall WordPress from the command line.

WP-CLI (WordPress Command Line Interface) is a command-line tool specifically designed for WordPress. It allows developers and system administrators to manage WordPress installations directly from the command line. With WP-CLI, you can perform many tasks that you’d typically do in the WordPress admin dashboard, but often more quickly and efficiently.

Do you have a backup? Cool.

Steps for WordPress manual re-install

  1. Change into the root of your WordPress install.
  2. Delete wp-admin directory
    rm -rf wp-admin
  3. Delete wp-includes directory
    rm -rf wp-includes
  4. Install WP Core with ‘wp core download’

    For this we are going to use the nifty wp cli command wp core download.

    Note: wp core download --force and wp core update --force don’t clean up (old) files — GitHub Issue #2183

    wp core download --force --skip-content --locale=nl_NL --version=6.1.1

    The locale and version parameters are optional. The force directive forces overwriting of existing files.
    If you want to do this over FTP the old-school way, you can download the archive locally, extract it and upload it to the server… The download is at: https://downloads.wordpress.org/release/wordpress-<version>-no-content.zip, e.g. https://downloads.wordpress.org/release/wordpress-6.1.1-no-content.zip

Verify Checksums [optional]

wp core verify-checksums
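
The core re-install steps above, combined into one script. This is an added example, not code from the original article. It assumes WP-CLI is on the PATH as `wp`, uses the hypothetical helper names `core_version` and `reinstall_core`, and reinstalls the version recorded in `wp-includes/version.php` instead of a hard-coded one.

```bash
#!/bin/sh
# Added example (not from the original article). Assumes WP-CLI is on PATH as
# `wp`; core_version and reinstall_core are hypothetical helper names.

# Print the version recorded in wp-includes/version.php, e.g. 6.1.1
core_version() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" \
    "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

reinstall_core() {
  root=$1
  # Refuse to delete anything unless this really looks like a WordPress root.
  [ -f "$root/wp-config.php" ] && [ -d "$root/wp-admin" ] &&
    [ -d "$root/wp-includes" ] || {
      echo "not a WordPress root: $root" >&2
      return 1
    }
  # Read the version before wp-includes is deleted. On an infected site
  # version.php may be tampered with, so accept digits and dots only.
  ver=$(core_version "$root")
  case $ver in
    '' | *[!0-9.]*) echo "unusable version string: '$ver'" >&2; return 1 ;;
  esac
  # Remove the directories whole: --force overwrites core files but leaves
  # injected extras in place. wp-content and wp-config.php are not touched.
  rm -rf "$root/wp-admin" "$root/wp-includes" || return 1
  wp core download --path="$root" --force --skip-content --version="$ver" ||
    return 1
  # Fails if the installed core does not match the official checksums.
  wp core verify-checksums --path="$root"
}

# Run only when asked to: sh reinstall-core.sh --run /path/to/site
if [ "${1:-}" = "--run" ]; then
  reinstall_core "${2:-.}"
fi
```

The script stops before deleting anything if `wp-config.php` is missing or the version string contains anything other than digits and dots.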

Time to reinstall plugins: [optional]

Reinstalling WordPress plugins with WP CLI is a breeze too. First create a list of plugins. You are specifically looking for the plugin slugs which are the same as the plugin’s installation folder name.

Try the following command to get the output in an easy to copy and modify format:

wp plugin list --status=active

This will output all the files / directories, allowing you to copy-paste the list and then do a regex search-and-replace to build the commands.

Note down the active plugins; you’ll need this list to activate them later. Delete the existing plugins.

Then for each plugin run the following command to install the plugin:

wp plugin install plugin-folder --force

In case you want to activate the plugin while installing, use the following format:

wp plugin install plugin-folder --force --activate

Save this somewhere. If you are into bash scripting you can automate the entire thing. For example here is a bash script for reinstalling infected WordPress plugins using WP CLI. Hash-bang-it!

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.