How to detect malware with WP-CLI

WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installations and much more, without using a web browser. To use this tool you need SSH access to the server. More information about the tool can be found on its homepage.

In this tutorial we show how you can detect malware in a WordPress installation.

WP-CLI Installation

This depends on your server, but on a cPanel server, for example, we can install it in a normal user's home directory without root access:

[wordpress@localhost ~]$ pwd
/home/wordpress
mkdir bin
cd bin
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
mv wp-cli.phar wp
chmod 755 wp

More installation information is available here.

Checking malware in WordPress installation directory

cd ~/public_html
wp core verify-checksums

Sometimes there may be some plugins that need to be skipped when running the check, so you can use this command:

wp core verify-checksums --skip-plugins

The output lists files that are not original, so they may have been modified and may include malware:

Warning: File doesn't exist: index.php
Warning: File doesn't exist: wp-config-sample.php
Warning: File doesn't verify against checksum: wp-settings.php
Warning: File doesn't verify against checksum: wp-includes/theme-compat/footer.php
Warning: File doesn't verify against checksum: wp-includes/ID3/module.tag.id3v1.php
Warning: File doesn't verify against checksum: wp-admin/includes/ms.php
Warning: File doesn't verify against checksum: wp-admin/user-edit.php
Warning: File doesn't verify against checksum: wp-admin/link.php
Warning: File doesn't verify against checksum: wp-admin/install.php

There are also files that should not exist, so we need to look at them manually as well, check whether they contain malware, and then take action, such as deleting the files:

Warning: File should not exist: wp-admin/css/colors/blue/default.php
Warning: File should not exist: wp-admin/css/colors/midnight/sq.php
Warning: File should not exist: wp-admin/css/lsvdkpaw.php
Warning: File should not exist: wp-admin/network/sq.php
Warning: File should not exist: wp-admin/.htaccess
Warning: File should not exist: wp-includes/js/jquery/ui/ienlfuel.php
Warning: File should not exist: wp-includes/IXR/rebnghol.php
Warning: File should not exist: wp-includes/capsyqjw.php
Warning: File should not exist: wp-includes/bmF2aWdvaW5uaW5vcGV0dGFqYXQuZmk=.txt
Warning: File should not exist: wp-includes/d3d3Lm5hdmlnb2lubmlub3BldHRhamF0LmZp.txt
Warning: File should not exist: wp-includes/.htaccess
Error: WordPress installation doesn't verify against checksums.
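
One way to sort that output before the manual review, as an added example that is not part of the original tutorial. The bucket names and the triage_checksums and sample_output helpers are this example's own (hypothetical) names, and the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example: sort `wp core verify-checksums` warnings into review buckets.
# Bucket names are this example's own labels, not WP-CLI output:
#   UNEXPECTED_EXEC   extra file the web server can run or obey (PHP, .htaccess)
#   MODIFIED          core file whose checksum differs from the official one
#   UNEXPECTED_OTHER  extra file of another type
#   MISSING           core file that is absent
# In the patterns, "doesn.t" matches the apostrophe without breaking shell quoting.
triage_checksums() {
    awk '
    sub(/^Warning: File should not exist: /, "") {
        f = tolower($0)
        if (f ~ /\.(php[0-9]?|phtml|phar)$/ || f == ".htaccess" || f ~ /\/\.htaccess$/) {
            print "1\tUNEXPECTED_EXEC\t" $0
        } else {
            print "3\tUNEXPECTED_OTHER\t" $0
        }
        next
    }
    sub(/^Warning: File doesn.t verify against checksum: /, "") { print "2\tMODIFIED\t" $0; next }
    sub(/^Warning: File doesn.t exist: /, "")                  { print "4\tMISSING\t" $0; next }
    ' | LC_ALL=C sort -n -k1,1 | cut -f2-   # highest-priority bucket first
}

# Sample input: lines copied from the output shown above.
sample_output() {
    cat <<'EOF'
Warning: File doesn't exist: index.php
Warning: File doesn't verify against checksum: wp-settings.php
Warning: File doesn't verify against checksum: wp-admin/install.php
Warning: File should not exist: wp-admin/css/lsvdkpaw.php
Warning: File should not exist: wp-admin/.htaccess
Warning: File should not exist: wp-includes/capsyqjw.php
Warning: File should not exist: wp-includes/d3d3Lm5hdmlnb2lubmlub3BldHRhamF0LmZp.txt
Error: WordPress installation doesn't verify against checksums.
EOF
}

# Demo run: prints "BUCKET<TAB>path", one line per warning.
sample_output | triage_checksums
```

Against a live site, run `wp core verify-checksums 2>&1 | triage_checksums` from the WordPress directory; the `2>&1` is there because WP-CLI writes warnings to standard error.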

Here is a simple guide to checking files to detect malware and remove it.

Final words

Always keep your WordPress installation up to date, including core, plugin and theme files. If you are a server administrator, you may also use ModSecurity to get full protection for web applications.