Ned Hello, I'm Nedim, a Cloud Engineer who enjoys writing about technology, particularly focusing on Linux and DevOps. Recently, I've been delving into topics like digital marketing, online presence, and startup culture.

Unlocking Your WordPress Site: Leveraging wp-cli for Swift Recovery After a Hack

Unlocking Your WordPress Site: Leveraging wp-cli for Swift Recovery After a Hack

This article covers what to do when your WordPress installation gets hacked or infected with malware. The attacker might have disabled your login so it is important not only to clean your WordPress but to check if new users have been added and change your passwords. I will show you how to do all that without signing in to your WordPress. All that you need is to SSH to your server and install wp-cli. Please note that this tutorial gives you advice on how to proactively do maintenance before a disaster happens. Examples like WordPress core, plugins and themes checksum verification, WordPress core plugins and themes updates can be performed daily.

Tip: Do not forget that having backups can save you a lot of time spent on data recovery.

The Importance of WordPress

Looking at the stats you can see that almost 50% of all websites on the net are powered by WordPress. The popularity of WordPress continues to grow, and it remains one of the most widely used content management systems globally. Therefore it is no surprise that it gets hacked so much.

Introduction to wp-cli

What is wp-cli?

From the website: “WP-CLI is the command-line interface for WordPress. You can update plugins, configure multi-site installations, and much more, without using a web browser.”.

Why wp-cli?

My experience is that you need a way to fix the site without logging in to the WordPress back-end and doing it programmatic. This is where wp-cli comes in.


It is simple:

curl -O
php wp-cli.phar --info
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp

Search and Detect Modified WordPress Files

Search and Detect Modified WordPress Files

Follow the next steps to detect modified and infected files of WordPress installation.

File Integrity Checks

WordPress Core checksum

Verify check-sums

wp core verify-checksums

Tip: Do not forget to check files in the web root directory that are not part of WordPress.

Verify all files in the web root

Verify all files and folders in the root directory, and warn if any non-WordPress items are found.

wp core verify-checksums --include-root

Tip: Do not forget to delete old WordPress or installations from the Webroot as attackers can use them as a backdoor.

WordPress Plugin Checksum

Do a Plugin checksum.

wp plugin verify-checksums --all

Find files that should not be there.

find wp-content/uploads -type f -name "*.php"

Search for scripts hidden in the database.

wp db search "<script"

wp db search '(<script|eval\(|atob|fromCharCode)' --regex

Find images with backdoor functions

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Find files with iframes

find . -type f -name '*.php'| grep -i '<iframe'

Cleaning of Compromised and Altered WordPress Files.

Reinstall WordPress

This command will not cause any data loss as it only re-installs the core files and leaves any user content intact.

wp core download --force

Plugin and Theme update process

Plugin check

This is how to update all plugins.

wp plugin update --all

Theme check

This is how to update all themes.

wp theme update --all

Force reinstall of all plugins and themes

wp plugin install $(wp plugin list --field=name) --force
wp theme install $(wp theme list --field=name) --force

User check

List all users and check if there are any suspicious newly added users.

wp user list

Delete any users that you find suspicious.

wp user delete 99 --yes

Change the password for all users

wp user update 1 --user_pass=My_Random_Strong_Password_

Tip: Good practice is to change passwords for all WordPress users after a hack.


Deactivate all plugins

The site might be broken because of a bad plugin. The first step is to deactivate all plugins and then activate them one by one until you find the problematic plugin.

wp plugin deactivate --all

with a SQL query, in case wp-cli fails.

wp db query "UPDATE wp_options SET option_value = '' WHERE option_name = 'active_plugins';"


In conclusion, using wp-cli for the security maintenance of WordPress is a proactive and efficient approach to safeguarding your website. By utilizing this powerful command-line interface, users can optimize security tasks, implement proactive measures, and respond quickly to potential threats. The ability to automate security checks, updates, and audits not only enhances the overall protection of the WordPress site but also contributes to a more resilient and reliable online presence. As cyber threats continue to evolve, integrating wp-cli into your security strategy empowers you to stay one step ahead, ensuring a secure WordPress environment.