Updated: How to find and clean up infected WordPress Files over SSH

Published: 02, May 2020

Several years ago, I wrote what was and still is one of my most popular blogs to date. It’s an article where I provided some tips and tricks on finding infected WordPress files on your server.

These days I’m doing a lot less (practically none) WordPress development as I’ve moved over to static sites utilizing GatsbyJS.

Anyways, I recently was cleaning up an old server of mine and found quite a few hacked files.

Most of these files could be broken down into two different categories: files with random names like a6bu23.php and so on, and other files that were a bit harder to find, like about.php, gallery.php, etc.

In order to track down as many of the files in as few commands as possible, I ended up with the following patterns:

# List PHP files containing the literal text '($_COOKIE, $_POST) as' (-F: fixed string, not a regex; -l: file names only)
find . -name "*.php" -print0 | xargs -0 grep -ilF '($_COOKIE, $_POST) as' >> infectedfiles.txt
# List PHP files containing an @include whose quoted path starts with a backslash escape
find . -name "*.php" -print0 | xargs -0 grep -ilF '@include "\' >> infectedfiles.txt

With these two commands, I was quickly able to generate a list that I could sort, organize and filter, which allowed me to decide at a glance which files could easily be removed and which files required further investigation/pruning.
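The two searches above combined into a single pass with a first triage split, as an added example that is not the author's code. The function names and the random-name heuristic (a basename made only of lowercase letters and digits, containing at least one digit) are assumptions; a `review` tag only means the file needs manual inspection.

```shell
#!/bin/sh
# Added example: one-pass scan for the article's two markers plus a rough triage tag.
LC_ALL=C; export LC_ALL   # byte-wise sort order and ASCII character ranges

# scan_infected DIR
# Print every *.php file under DIR that contains either literal string,
# one path per line, sorted and de-duplicated. -F matches the text literally,
# so "$", "(" and "\" are not treated as regex syntax; -l prints file names only.
scan_infected() {
    find "${1:-.}" -type f -name '*.php' -exec grep -ilF \
        -e '($_COOKIE, $_POST) as' \
        -e '@include "\' \
        -- {} + | sort -u
}

# triage
# Read paths on stdin and prefix each with a tag (heuristic is an assumption):
#   random-name  basename is only lowercase letters and digits, with a digit
#                (a6bu23.php style), so probably a dropped file
#   review       ordinary-looking name (about.php style): inspect by hand, it
#                may be a legitimate file with injected code
triage() {
    while IFS= read -r path; do
        base=$(basename "$path" .php)
        case $base in
            *[!a-z0-9]*) tag=review ;;
            *[0-9]*)     tag=random-name ;;
            *)           tag=review ;;
        esac
        printf '%s %s\n' "$tag" "$path"
    done
}

# Usage: scan_infected /path/to/webroot | triage > infectedfiles.txt
```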

Another handy tip: cd into each WordPress install on the command line and update everything with WP-CLI. This saves me from having to log in to WordPress in the browser for dozens of sites and update them manually.

To update the core:

wp core update --force

To update the plugins:

wp plugin update --all

This is usually a really good idea, as it will ensure there are no traces of hacked code left in the WordPress core files. Even if you’re running the most up-to-date version of WordPress, running the core update command above will ensure that all of those files are replaced with good, clean WordPress files.