Unlocking Your WordPress Site: Leveraging wp-cli for Swift Recovery After a Hack
- The Importance of WordPress
- Introduction to
- Search and Detect Modified WordPress Files
- Cleaning of Compromised and Altered WordPress Files.
- User check
This article covers what to do when your WordPress installation gets hacked or infected with malware. The attacker might have disabled your login, so it is important not only to clean your WordPress but also to check whether new users have been added and to change your passwords. I will show you how to do all that without signing in to your WordPress. All that you need is to SSH to your server and install wp-cli. Please note that this tutorial also gives you advice on how to proactively do maintenance before a disaster happens. Tasks such as checksum verification of WordPress core, plugins and themes, and updates of WordPress core, plugins and themes, can be performed daily.
Tip: Do not forget that having backups can save you a lot of time spent on data recovery.
The Importance of WordPress
Looking at the stats you can see that almost 50% of all websites on the net are powered by WordPress. The popularity of WordPress continues to grow, and it remains one of the most widely used content management systems globally. Therefore it is no surprise that it gets hacked so much.
From the website: “WP-CLI is the command-line interface for WordPress. You can update plugins, configure multi-site installations, and much more, without using a web browser.”
My experience is that you need a way to fix the site without logging in to the WordPress back-end and to do it programmatically. This is where wp-cli comes in.
It is simple:
Search and Detect Modified WordPress Files
Follow the next steps to detect modified and infected files in a WordPress installation.
File Integrity Checks
WordPress Core checksum
Tip: Do not forget to check files in the web root directory that are not part of WordPress.
Verify all files in the web root
Verify all files and folders in the root directory, and warn if any non-WordPress items are found.
Tip: Do not forget to delete old WordPress or installations from the Webroot as attackers can use them as a backdoor.
WordPress Plugin Checksum
Do a Plugin checksum.
Hidden Files Search
Find files that should not be there.
Database Script Search
Search for scripts hidden in the database.
wp db search '(<script|eval\(|atob|fromCharCode)' --regex
Find images with backdoor functions
find wp-content/uploads -type f -iname '*.jpg' -print0 | xargs -0 grep -il php
Find files with
find . -type f -name '*.php' -print0 | xargs -0 grep -il '<iframe'
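The hidden-file search and the search for images carrying PHP, described above, combined into one reusable check over the uploads directory. This is an added example, not part of the original article; the function names and the extension lists are assumptions, and it goes slightly beyond the `*.jpg` case by covering other media types and PHP-named files.

```shell
#!/bin/sh
# Added example: triage an uploads directory (normally wp-content/uploads).
# Assumption: uploads holds media only, so PHP code or dotfiles there need review.

# Files named with an extension that web servers commonly run as PHP.
scan_php_named() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Media files whose content includes a PHP open tag (case-insensitive).
# -exec ... {} + passes names safely, so spaces in filenames are handled.
scan_php_in_media() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.ico' \) \
        -exec grep -ilF '<?php' {} + | sort
}

# Hidden files (dotfiles); legitimate uploads rarely include any.
scan_hidden() {
    find "$1" -type f -name '.*' -print | sort
}

# Print every finding once; return 1 if anything was found, 0 if clean.
triage_uploads() {
    findings=$( { scan_php_named "$1"; scan_php_in_media "$1"; scan_hidden "$1"; } | sort -u )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run only when a directory is given, e.g.: sh triage.sh wp-content/uploads
if [ "$#" -gt 0 ]; then
    triage_uploads "$1"
fi
```

The non-zero exit status on findings makes the script usable from a daily cron job that alerts when something appears in uploads.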
Cleaning of Compromised and Altered WordPress Files.
This command will not cause any data loss as it only re-installs the core files and leaves any user content intact.
Plugin and Theme update process
This is how to update all plugins.
This is how to update all themes.
Force reinstall of all plugins and themes
List all users and check if there are any suspicious newly added users.
Delete any users that you find suspicious.
Change the password for all users
Tip: Good practice is to change passwords for all WordPress users after a hack.
Deactivate all plugins
The site might be broken because of a bad plugin. The first step is to deactivate all plugins and then activate them one by one until you find the problematic plugin.
wp plugin deactivate --all
SQL query, in case
wp db query "UPDATE wp_options SET option_value = '' WHERE option_name = 'active_plugins';"
In conclusion, using wp-cli for the security maintenance of WordPress is a proactive and efficient approach to safeguarding your website. By utilizing this powerful command-line interface, users can optimize security tasks, implement proactive measures, and respond quickly to potential threats. The ability to automate security checks, updates, and audits not only enhances the overall protection of the WordPress site but also contributes to a more resilient and reliable online presence. As cyber threats continue to evolve, integrating wp-cli into your security strategy empowers you to stay one step ahead, ensuring a secure WordPress environment.