How to clean your WordPress website from a hack – diy first time accurately – step by step command line

It can be frustrating, costly and a bit scary when your website gets hacked.

Most hosting companies will simply ban or disable your WordPress website if it gets hacked.

Most quotes are around the USD$250 to clean your website for you – you can do it yourself for free.

This is the most accurate way of cleaning hacks.

Lots of other posts rely on finding the hack – this method largely removes everything, and installs a fresh copy.

By the time you are finished WordPress core, plugins and themes are all updated.

Here’s a few simple steps, you can do it yourself using the command line.

• backup your website

surely you are doing this already. The best hacking cure is good backups.

If you backup right now though, you can be more confident in deleting things. You can always restore a few folders from your backup easily enough.

It would be super smart to run the recovery on your local dev environment, or a seperate server. And test that it works there.

• take a copy of wp-config.php

cp wp-config.php /tmp/wp-config.php.mysitename 

• delete all *.php files in your main WordPress folder, and put back wp-config.php

 rm -f *.php 

• delete these folders : wp-admin, wp-includes. You should keep wp-content , but delete other folder if you are unsure.

 rm -rf wp-admin wp-includes
 # review for suspect folders
 ls -d */

• check wp-content/uploads folder (and sub folders) for any suspect files, any *.php files. just delete anything that isn’t data from your media library. Delete any cache folders

 # almost always delete php files in your uploads folder
 find wp-content/uploads/|grep php 
 # review for suspect files
 find  wp-content/uploads/ -type f|grep -v -i -E "jpg|png|gif|pdf|mp4"
 # review for cache fodlers
 find  wp-content/uploads/ -type d|grep -i cache
 # only run this if you need to delete the cache folders above
 # find  wp-content/uploads/ -type d|grep -i cache | xargs rm -f 

• download latest.zip or latest.tar.gz from  https://wordpress.org/download/ – unzip/untar this and copy it’s contents on top of your WordPress install.

 cd /home/username  #to the folder just before the real wordpress installed folder
wget https://wordpress.org/latest.tar.gz
mv public_html wordpress  # we are just renaming the wordpress folder to wordpress
tar zxvf latest.tar.gz # this will write into wordpress/ , and overwrite existing files
mv wordpress public_html # rename it back

• go into your plugins folder. for each folder in there, search the folder name in https://wordpress.org/plugins/ . Download the latest copy of each plugin, delete the plugin folder from your install, and unzip the fresh copy you downloaded.

 cd wp-content/plugins
ls -d */
# get the first plugin name (it's called the slug, each folder is a slug)
rm -rf slug
# find the URL of the latest plugin version, search in https://wordpress.org/plugins/ for the slug, right click 'copy link address'
wget https://downloads.wordpress.org/plugin/wp-hosting-performance-check.2.18.8.zip  # paste the link after wget
unzip wp-hosting-performance-check.2.18.8.zip
rm -f wp-hosting-performance-check.2.18.8.zip
# then do each plugin - it takes a while

• go into your themes folder. delete unused themes. upgrade them the similarly to the plugins.
• copy your wp-config.php back. You might want to quickly check wp-config.php for any hacks. If you are unsure don’t copy it back, just copy the mysql credentials into a fresh copy.

 cp /tmp/wp-config.pgp.yoursitename wp-config.php 

• that should clean almost all hacks – and get your site back online. You might have to open a support request for your hosting company to rescan your site.
• once your website is back online, install WordFence and do a scan with ‘high sensitivity’ enabled.
• change the password for admin users. While you’re there check for an nefarious looking users, or newly added users.
• change the WordPress salts. (google this one)
• take a quick peak into .htaccess, if you are unsure copy the .htaccess file from a non-hacked install.

Of course you could instead use our hosting at wpdone – with all our security and guarantees.

By Scott Farrell on September 12th, 2018 , Follow @scott_WordPress Tweet to @scott_WordPress