WordPress Security & Maintenance Archives - WP-CLI Mastery

Automate WordPress Security Scanning and Monitoring with WP-CLI

Krasen — Sun, 15 Feb 2026 09:00:00 +0000

WordPress security requires constant vigilance—manually checking for plugin vulnerabilities, monitoring file changes, detecting malware, verifying core integrity, and reviewing user permissions. Manual security audits happen infrequently and miss threats between checks.

Automated WordPress security scanning with WP-CLI detects vulnerabilities continuously, monitors file integrity, checks for malware patterns, validates checksums, and alerts on suspicious changes. Run comprehensive security scans daily without manual intervention.

In this guide, you’ll build automated WordPress security monitoring systems using WP-CLI, from basic vulnerability checks to production-grade security automation that protects your sites 24/7.

Why Automate WordPress Security?

Manual WordPress security checks don’t provide continuous protection against evolving threats.

Manual Security Limitations

Infrequent checks: Manual audits happen weekly or monthly, leaving gaps.

Human error: Manual reviews miss subtle security indicators.

Time-consuming: Comprehensive security audits take hours per site.

No real-time alerts: Breaches go undetected until the next manual check.

Limited scope: Can’t check every file, user, and configuration regularly.

Automated Security Benefits

Continuous monitoring: Security checks run automatically every day.

Instant alerts: Get notified immediately when threats are detected.

Comprehensive coverage: Scan every file, plugin, theme, and configuration.

Historical tracking: Log all security events for forensic analysis.

Multi-site management: Monitor dozens of WordPress sites from one system.

According to Sucuri research, automated security monitoring detects breaches 85% faster than manual audits.

Core File Integrity Verification

Detect unauthorized modifications to WordPress core files.

Checksum Verification

#!/bin/bash
# verify-core-integrity.sh

echo "WordPress Core Integrity Check"
echo "==============================="

# Verify core file checksums
if wp core verify-checksums; then
    echo "✓ Core files verified - no modifications detected"
else
    echo "✗ ALERT: Core files modified or corrupted"
    echo "Details:"
    wp core verify-checksums --format=json | jq -r '.[] | "  - \(.)"'

    # Send alert
    echo "Core file integrity check failed on $(hostname)" | \
        mail -s "WordPress Security Alert" admin@example.com
fi

Automated Daily Verification

#!/bin/bash
# daily-integrity-check.sh

LOG_FILE="/var/log/wp-security.log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

log "Starting core integrity check"

# Check WordPress core
if ! wp core verify-checksums 2>&1 | tee -a "$LOG_FILE"; then
    log "✗ Core integrity check FAILED"

    # Create detailed report
    {
        echo "WordPress Core Integrity Failure"
        echo "================================="
        echo "Timestamp: $(date)"
        echo "Server: $(hostname)"
        echo "WordPress version: $(wp core version)"
        echo ""
        echo "Modified files:"
        wp core verify-checksums 2>&1 | grep "^Error:"
    } | mail -s "URGENT: WordPress Core Modified" security@example.com

    exit 1
fi

log "✓ Core integrity check passed"

Learn about WordPress file integrity.

Plugin and Theme Vulnerability Detection

Check for known security vulnerabilities in plugins and themes.

WP-CLI Vulnerability Scanner

#!/bin/bash
# scan-vulnerabilities.sh

echo "WordPress Vulnerability Scan"
echo "============================"

# Check if WPScan CLI is available
if ! command -v wpscan &> /dev/null; then
    echo "Installing WPScan..."
    gem install wpscan
fi

# Update WPScan database
wpscan --update

# Scan WordPress installation
SCAN_RESULTS=$(wpscan --url "$(wp option get siteurl)" \
    --format json \
    --random-user-agent \
    --disable-tls-checks)

# Parse vulnerabilities
VULN_COUNT=$(echo "$SCAN_RESULTS" | jq '.plugins | to_entries[] | select(.value.vulnerabilities | length > 0) | .value.vulnerabilities | length' | awk '{s+=$1} END {print s}')

if [ "$VULN_COUNT" -gt 0 ]; then
    echo "✗ ALERT: $VULN_COUNT vulnerabilities detected"

    # Generate detailed report
    echo "$SCAN_RESULTS" | jq -r '.plugins | to_entries[] | select(.value.vulnerabilities | length > 0) | "Plugin: \(.key)\nVulnerabilities:\n\(.value.vulnerabilities[] | "  - \(.title) (Severity: \(.vuln_type))\n    Fixed in: \(.fixed_in // "No fix available")\n")"'

else
    echo "✓ No known vulnerabilities detected"
fi

Check Plugin Updates for Security Fixes

#!/bin/bash
# check-security-updates.sh

echo "Checking for security updates..."

# Get plugins with available updates
UPDATES=$(wp plugin list --update=available --format=json)

if [ "$UPDATES" != "[]" ]; then
    echo "Plugins with available updates:"
    echo "$UPDATES" | jq -r '.[] | "- \(.name) (Current: \(.version), Available: \(.update_version))"'

    # Check update changelogs for security keywords
    echo ""
    echo "Checking changelogs for security mentions..."

    echo "$UPDATES" | jq -r '.[].name' | while read PLUGIN; do
        CHANGELOG=$(wp plugin get "$PLUGIN" --field=update_changelog 2>/dev/null)

        if echo "$CHANGELOG" | grep -qi 'security\|vulnerability\|xss\|sql injection\|exploit'; then
            echo "⚠ SECURITY UPDATE AVAILABLE: $PLUGIN"
            echo "  Update immediately using: wp plugin update $PLUGIN"
        fi
    done
else
    echo "✓ All plugins up to date"
fi

Learn about WordPress security best practices.

File Change Monitoring

Detect unauthorized file modifications.

File Integrity Database

#!/bin/bash
# create-file-baseline.sh - Create baseline of file checksums

BASELINE_FILE="/var/backups/wp-file-baseline.txt"
WP_PATH="/var/www/html"

echo "Creating file integrity baseline..."

cd "$WP_PATH"

# Generate checksums for all WordPress files
find . -type f \
    -not -path "./wp-content/uploads/*" \
    -not -path "./wp-content/cache/*" \
    -not -path "./wp-content/backup/*" \
    -exec md5sum {} \; | sort > "$BASELINE_FILE"

echo "✓ Baseline created: $BASELINE_FILE"
echo "Total files: $(wc -l < $BASELINE_FILE)"

Detect File Changes

#!/bin/bash
# detect-file-changes.sh

BASELINE_FILE="/var/backups/wp-file-baseline.txt"
WP_PATH="/var/www/html"
REPORT_FILE="/tmp/file-changes-$(date +%Y%m%d).txt"

if [ ! -f "$BASELINE_FILE" ]; then
    echo "ERROR: Baseline file not found. Run create-file-baseline.sh first."
    exit 1
fi

echo "Scanning for file changes..."

cd "$WP_PATH"

# Generate current checksums
find . -type f \
    -not -path "./wp-content/uploads/*" \
    -not -path "./wp-content/cache/*" \
    -not -path "./wp-content/backup/*" \
    -exec md5sum {} \; | sort > /tmp/current-checksums.txt

# Compare with baseline
{
    echo "WordPress File Change Report"
    echo "============================="
    echo "Date: $(date)"
    echo ""

    # Modified files
    echo "Modified Files:"
    comm -13 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        if grep -q "$file" "$BASELINE_FILE"; then
            echo "  MODIFIED: $file"
        fi
    done

    echo ""

    # New files
    echo "New Files:"
    comm -13 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        if ! grep -q "$file" "$BASELINE_FILE"; then
            echo "  ADDED: $file"
        fi
    done

    echo ""

    # Deleted files
    echo "Deleted Files:"
    comm -23 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        echo "  DELETED: $file"
    done

} > "$REPORT_FILE"

# Check if changes detected
CHANGE_COUNT=$(cat "$REPORT_FILE" | grep -c "MODIFIED:\|ADDED:\|DELETED:")

if [ "$CHANGE_COUNT" -gt 0 ]; then
    echo "✗ ALERT: $CHANGE_COUNT file changes detected"
    echo "Report: $REPORT_FILE"

    # Email report
    mail -s "WordPress File Changes Detected" admin@example.com < "$REPORT_FILE"
else
    echo "✓ No file changes detected"
fi

# Cleanup
rm /tmp/current-checksums.txt

Malware Pattern Scanning

Detect common malware patterns in WordPress files.

Basic Malware Scanner

#!/bin/bash
# scan-malware.sh - Detect common malware patterns

WP_PATH="/var/www/html"
REPORT_FILE="/tmp/malware-scan-$(date +%Y%m%d).txt"

echo "WordPress Malware Scan"
echo "======================"

# Suspicious patterns to check
declare -a PATTERNS=(
    "eval(base64_decode"
    "eval(gzinflate"
    "eval(str_rot13"
    "system(\$_"
    "shell_exec"
    "passthru"
    "base64_decode.*eval"
    "FilesMan"
    "r57shell"
    "c99shell"
    "WSO shell"
)

{
    echo "Malware Scan Report"
    echo "==================="
    echo "Date: $(date)"
    echo "Path: $WP_PATH"
    echo ""

    for PATTERN in "${PATTERNS[@]}"; do
        echo "Checking for: $PATTERN"

        MATCHES=$(grep -r -l -i "$PATTERN" "$WP_PATH" \
            --exclude-dir=wp-content/uploads \
            --exclude-dir=wp-content/cache \
            --exclude-dir=node_modules \
            --include="*.php" 2>/dev/null)

        if [ ! -z "$MATCHES" ]; then
            echo "✗ SUSPICIOUS: Files matching '$PATTERN':"
            echo "$MATCHES" | while read file; do
                echo "  - $file"
            done
            echo ""
        fi
    done

} > "$REPORT_FILE"

# Check if suspicious files found
SUSPICIOUS_COUNT=$(grep -c "✗ SUSPICIOUS:" "$REPORT_FILE" || echo 0)

if [ "$SUSPICIOUS_COUNT" -gt 0 ]; then
    echo "✗ ALERT: Potential malware detected"
    echo "Report: $REPORT_FILE"

    # Send alert
    mail -s "URGENT: Potential Malware Detected" security@example.com < "$REPORT_FILE"
else
    echo "✓ No malware patterns detected"
fi

Check for Suspicious Files

#!/bin/bash
# check-suspicious-files.sh

WP_PATH="/var/www/html"

echo "Checking for suspicious files..."

# Check for unusual file types in wp-content
echo "Checking for executable files in wp-content..."
find "$WP_PATH/wp-content" \
    -type f \
    \( -name "*.exe" -o -name "*.sh" -o -name "*.bat" \) \
    -print

# Check for PHP files in uploads directory
echo "Checking for PHP files in uploads..."
find "$WP_PATH/wp-content/uploads" -name "*.php" -print

# Check for recently modified files (last 24 hours)
echo "Recently modified PHP files (last 24 hours)..."
find "$WP_PATH" -name "*.php" -mtime -1 -type f -print

# Check for files with suspicious permissions
echo "Files with 777 permissions..."
find "$WP_PATH" -type f -perm 0777 -print

Learn about WordPress malware detection.

User Account Security Auditing

Monitor user accounts for security issues.

User Security Audit

#!/bin/bash
# audit-users.sh

echo "WordPress User Security Audit"
echo "=============================="

# Check for users with admin privileges
echo "Administrator Accounts:"
wp user list --role=administrator --format=table --fields=ID,user_login,user_email,user_registered

ADMIN_COUNT=$(wp user list --role=administrator --format=count)
if [ "$ADMIN_COUNT" -gt 3 ]; then
    echo "⚠ WARNING: $ADMIN_COUNT administrator accounts (recommended: 1-2)"
fi

echo ""

# Check for weak usernames
echo "Checking for common/weak usernames..."
WEAK_USERS=("admin" "administrator" "root" "test" "demo")

for USERNAME in "${WEAK_USERS[@]}"; do
    if wp user get "$USERNAME" &>/dev/null; then
        echo "✗ WARNING: Common username detected: $USERNAME"
        echo "  Recommended: Delete or rename this account"
    fi
done

echo ""

# Check for inactive admin accounts
echo "Inactive Administrator Accounts (no posts/pages):"
wp user list --role=administrator --format=json | \
    jq -r '.[] | select(.posts == "0") | "- \(.user_login) (registered: \(.user_registered))"'

echo ""

# Check user capabilities
echo "Users with 'delete_users' capability:"
wp user list --format=json | \
    jq -r '.[] | select(.roles[] | contains("administrator")) | .user_login'

Password Policy Check

#!/bin/bash
# check-password-policy.sh

echo "Password Policy Check"
echo "===================="

# This requires custom code to check password strength
# WordPress doesn't expose password hashes via WP-CLI for security

# Check for recent password changes
echo "Users who haven't changed password recently:"
# This would require custom user meta tracking

# Check for 2FA status (if plugin installed)
if wp plugin is-installed two-factor; then
    echo "2FA Status:"
    wp user list --format=json | \
        jq -r '.[] | "\(.user_login): \(if .two_factor_enabled then "Enabled" else "DISABLED" end)"'
fi

# List users who can install plugins/themes
echo ""
echo "Users with plugin/theme installation privileges:"
wp user list --role=administrator,editor --format=csv --fields=user_login,roles

Comprehensive Security Report

Generate complete security assessment reports.

Master Security Script

#!/bin/bash
# comprehensive-security-check.sh

REPORT_FILE="/tmp/wordpress-security-report-$(date +%Y%m%d).txt"
LOG_FILE="/var/log/wp-security.log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

{
    echo "WordPress Comprehensive Security Report"
    echo "========================================"
    echo "Generated: $(date)"
    echo "Server: $(hostname)"
    echo ""

    # Core integrity
    echo "1. Core File Integrity"
    echo "----------------------"
    if wp core verify-checksums; then
        echo "✓ PASS: Core files verified"
    else
        echo "✗ FAIL: Core file modifications detected"
    fi
    echo ""

    # Plugin security
    echo "2. Plugin Security"
    echo "------------------"
    PLUGIN_UPDATES=$(wp plugin list --update=available --format=count)
    echo "Plugins needing updates: $PLUGIN_UPDATES"

    if [ "$PLUGIN_UPDATES" -eq 0 ]; then
        echo "✓ PASS: All plugins up to date"
    else
        echo "⚠ WARNING: Plugin updates available"
        wp plugin list --update=available --format=table --fields=name,version,update_version
    fi
    echo ""

    # Theme security
    echo "3. Theme Security"
    echo "-----------------"
    THEME_UPDATES=$(wp theme list --update=available --format=count)
    echo "Themes needing updates: $THEME_UPDATES"
    echo ""

    # User accounts
    echo "4. User Account Security"
    echo "------------------------"
    ADMIN_COUNT=$(wp user list --role=administrator --format=count)
    echo "Administrator accounts: $ADMIN_COUNT"

    if [ "$ADMIN_COUNT" -gt 3 ]; then
        echo "⚠ WARNING: Too many administrator accounts"
    else
        echo "✓ PASS: Administrator count acceptable"
    fi
    echo ""

    # SSL/HTTPS check
    echo "5. SSL/HTTPS Configuration"
    echo "--------------------------"
    SITE_URL=$(wp option get siteurl)
    if [[ "$SITE_URL" == https://* ]]; then
        echo "✓ PASS: HTTPS enabled"
    else
        echo "✗ FAIL: Site not using HTTPS"
    fi
    echo ""

    # File permissions
    echo "6. File Permissions"
    echo "-------------------"
    INSECURE_FILES=$(find . -type f -perm 0777 | wc -l)
    echo "Files with 777 permissions: $INSECURE_FILES"

    if [ "$INSECURE_FILES" -eq 0 ]; then
        echo "✓ PASS: No files with overly permissive permissions"
    else
        echo "⚠ WARNING: Insecure file permissions detected"
    fi
    echo ""

    # WordPress version
    echo "7. WordPress Version"
    echo "--------------------"
    CURRENT_VERSION=$(wp core version)
    LATEST_VERSION=$(wp core check-update --format=json | jq -r '.[0].version // empty')

    echo "Current version: $CURRENT_VERSION"
    echo "Latest version: ${LATEST_VERSION:-$CURRENT_VERSION}"

    if [ -z "$LATEST_VERSION" ]; then
        echo "✓ PASS: WordPress is up to date"
    else
        echo "⚠ WARNING: WordPress update available"
    fi

} > "$REPORT_FILE"

log "Security report generated: $REPORT_FILE"

# Email report
mail -s "WordPress Security Report - $(hostname)" admin@example.com < "$REPORT_FILE"

echo "✓ Security report complete: $REPORT_FILE"

Automated Scheduling

Run security scans automatically with cron.

Cron Configuration

# Add to crontab: crontab -e

# Daily core integrity check at 2 AM
0 2 * * * /usr/local/bin/verify-core-integrity.sh >> /var/log/wp-security.log 2>&1

# Daily vulnerability scan at 3 AM
0 3 * * * /usr/local/bin/scan-vulnerabilities.sh >> /var/log/wp-security.log 2>&1

# Daily file change detection at 4 AM
0 4 * * * /usr/local/bin/detect-file-changes.sh >> /var/log/wp-security.log 2>&1

# Weekly comprehensive security report (Mondays at 8 AM)
0 8 * * 1 /usr/local/bin/comprehensive-security-check.sh

# Monthly user audit (first day of month)
0 9 1 * * /usr/local/bin/audit-users.sh | mail -s "Monthly User Audit" admin@example.com

Learn about WordPress security monitoring.

Next Steps

You now have automated WordPress security scanning and monitoring capabilities with WP-CLI.

Recommended Learning Path

Week 1: Core security

Implement core integrity checks
Set up vulnerability scanning
Test alerting systems

Week 2: File monitoring

Create file baselines
Configure change detection
Add malware scanning

Week 3: User security

Audit user accounts
Check permissions
Implement password policies

Week 4: Automation

Schedule all security checks
Configure comprehensive reports
Integrate with monitoring tools

Advanced Topics

Intrusion Detection Systems – Advanced threat detection
Security Information and Event Management (SIEM) – Centralized security monitoring
Automated Incident Response – Automatic threat mitigation

Get More Resources

Download security scripts including:

Complete scanning system
Monitoring tools
Report templates

Join our email course for:

Weekly WP-CLI tutorials
Security best practices
Threat response strategies

Conclusion

Automated WordPress security scanning with WP-CLI provides continuous protection against vulnerabilities, malware, and unauthorized changes—detecting threats before they compromise your sites.

What we covered:

✅ Core file integrity verification
✅ Plugin and theme vulnerability detection
✅ File change monitoring and alerting
✅ Malware pattern scanning
✅ User account security auditing
✅ Comprehensive automated security reports

Implement these security automation systems, and you’ll detect threats immediately—protecting WordPress sites 24/7 without constant manual monitoring.

Ready for more? Learn incident response or WordPress hardening.

Questions about WordPress security automation? Drop a comment below!

Found this helpful? Share with other WordPress administrators.

The post Automate WordPress Security Scanning and Monitoring with WP-CLI appeared first on WP-CLI Mastery.

Safe WordPress Update Automation with WP-CLI: Testing and Rollback

Krasen — Mon, 05 Jan 2026 09:00:00 +0000

Manually updating WordPress sites is tedious, but blindly automating updates without safety checks destroys sites when incompatible plugins break, themes conflict, or updates corrupt databases. One bad update at 3 AM can take your production site offline for hours.

WP-CLI enables safe update automation with pre-update backups, staged testing, automatic rollback on failure, and comprehensive monitoring. Build production-ready update workflows that protect your sites while keeping them secure and current.

In this guide, you’ll learn professional WordPress update automation techniques with safety mechanisms, testing procedures, and rollback strategies used by enterprises managing hundreds of WordPress installations.

Why Safe Update Automation Matters

WordPress updates are critical for security, but unsafe automation causes more problems than it solves.

Dangers of Unsafe Update Automation

Site breakage: Incompatible plugin updates break functionality without warning.

Data loss: Database updates without backups cause irrecoverable data corruption.

Downtime: Failed updates leave sites inaccessible during business hours.

Security vulnerabilities: Partial updates create new attack vectors.

No recovery: Without rollback procedures, fixing failed updates takes hours.

Safe Update Automation Principles

Test first: Validate updates on staging before touching production.

Backup always: Never update without verified, restorable backups.

Rollback ready: Automated failure detection and instant recovery.

Monitor constantly: Track update success and site health post-update.

Staged rollouts: Update test environments, then production incrementally.

According to WordPress maintenance studies, 25% of automated updates fail without proper safety mechanisms, causing site outages.

Pre-Update Safety Checks

Validate environment before executing updates.

System Requirements Verification

#!/bin/bash
# pre-update-checks.sh - Validate system before updates

echo "Running pre-update checks..."

# Check WordPress is installed
if ! wp core is-installed 2>/dev/null; then
    echo "✗ WordPress not installed"
    exit 1
fi

# Check database connection
if ! wp db check 2>/dev/null; then
    echo "✗ Database connection failed"
    exit 1
fi

# Check disk space (need at least 500MB)
AVAILABLE=$(df /var/www | tail -1 | awk '{print $4}')
if [ "$AVAILABLE" -lt 500000 ]; then
    echo "✗ Insufficient disk space: ${AVAILABLE}KB available"
    exit 1
fi

# Check WP-CLI version
WP_CLI_VERSION=$(wp cli version --allow-root 2>/dev/null | grep -oP '\d+\.\d+\.\d+')
echo "WP-CLI version: $WP_CLI_VERSION"

# Check for maintenance mode
if [ -f ".maintenance" ]; then
    echo "✗ Site already in maintenance mode"
    exit 1
fi

echo "✓ All pre-update checks passed"

Check for Available Updates

# Check WordPress core updates
CORE_UPDATE=$(wp core check-update --format=count)
echo "Core updates available: $CORE_UPDATE"

# Check plugin updates
PLUGIN_UPDATES=$(wp plugin list --update=available --format=count)
echo "Plugin updates available: $PLUGIN_UPDATES"

# Check theme updates
THEME_UPDATES=$(wp theme list --update=available --format=count)
echo "Theme updates available: $THEME_UPDATES"

# List specific updates
if [ "$PLUGIN_UPDATES" -gt 0 ]; then
    echo "Plugins requiring updates:"
    wp plugin list --update=available --fields=name,version,update_version
fi

Learn about WordPress update best practices.

Automated Backup Before Updates

Never update without verified backups and rollback capability.

Complete Backup Script

#!/bin/bash
# backup-before-update.sh

set -euo pipefail

SITE_PATH="/var/www/html"
BACKUP_DIR="/backups/pre-update"
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_NAME="backup-$DATE"

mkdir -p "$BACKUP_DIR"
cd "$SITE_PATH"

echo "Creating pre-update backup..."

# Export database
echo "Backing up database..."
wp db export "$BACKUP_DIR/$BACKUP_NAME.sql.gz"

# Verify database backup
DB_SIZE=$(stat -c%s "$BACKUP_DIR/$BACKUP_NAME.sql.gz")
if [ "$DB_SIZE" -lt 1000 ]; then
    echo "✗ Database backup too small, aborting"
    exit 1
fi

# Backup critical files
echo "Backing up files..."
tar -czf "$BACKUP_DIR/$BACKUP_NAME-files.tar.gz" \
    wp-content/plugins \
    wp-content/themes \
    wp-content/uploads \
    wp-config.php

# Verify file backup
FILE_SIZE=$(stat -c%s "$BACKUP_DIR/$BACKUP_NAME-files.tar.gz")
if [ "$FILE_SIZE" -lt 10000 ]; then
    echo "✗ File backup too small, aborting"
    exit 1
fi

# Create backup manifest
cat > "$BACKUP_DIR/$BACKUP_NAME-manifest.txt" <
Backup Created: $(date)
WordPress Version: $(wp core version)
Database Size: $(du -h "$BACKUP_DIR/$BACKUP_NAME.sql.gz" | cut -f1)
Files Size: $(du -h "$BACKUP_DIR/$BACKUP_NAME-files.tar.gz" | cut -f1)
Site URL: $(wp option get siteurl)
EOF

echo "✓ Backup complete: $BACKUP_NAME"
echo "$BACKUP_NAME" > /tmp/last-backup-name.txt

Verify Backup Integrity

#!/bin/bash
# verify-backup.sh

BACKUP_NAME=$(cat /tmp/last-backup-name.txt)
BACKUP_DIR="/backups/pre-update"

echo "Verifying backup: $BACKUP_NAME"

# Test database file integrity
if gunzip -t "$BACKUP_DIR/$BACKUP_NAME.sql.gz" 2>/dev/null; then
    echo "✓ Database backup integrity OK"
else
    echo "✗ Database backup corrupted"
    exit 1
fi

# Test tarball integrity
if tar -tzf "$BACKUP_DIR/$BACKUP_NAME-files.tar.gz" >/dev/null 2>&1; then
    echo "✓ File backup integrity OK"
else
    echo "✗ File backup corrupted"
    exit 1
fi

echo "✓ Backup verification complete"

Safe Update Execution

Execute updates with safety mechanisms and monitoring.

Update with Automatic Rollback

#!/bin/bash
# safe-update.sh - Update with automatic rollback on failure

set -e

SITE_PATH="/var/www/html"
LOG_FILE="/var/log/wp-updates.log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

rollback() {
    log "ERROR: Update failed, initiating rollback..."

    BACKUP_NAME=$(cat /tmp/last-backup-name.txt)
    BACKUP_DIR="/backups/pre-update"

    # Restore database
    cd "$SITE_PATH"
    wp db import "$BACKUP_DIR/$BACKUP_NAME.sql.gz"

    # Restore files
    tar -xzf "$BACKUP_DIR/$BACKUP_NAME-files.tar.gz" -C "$SITE_PATH"

    # Clear caches
    wp cache flush
    wp rewrite flush

    log "✓ Rollback complete, site restored"
    exit 1
}

# Register rollback on error
trap rollback ERR

cd "$SITE_PATH"

log "=== WordPress Update Started ==="

# Pre-update checks
bash /usr/local/bin/pre-update-checks.sh

# Create backup
bash /usr/local/bin/backup-before-update.sh

# Verify backup
bash /usr/local/bin/verify-backup.sh

# Enable maintenance mode
wp maintenance-mode activate

log "Updating WordPress core..."
wp core update

log "Updating plugins..."
wp plugin update --all

log "Updating themes..."
wp theme update --all

# Verify WordPress still works
if ! wp core is-installed; then
    log "✗ WordPress verification failed"
    rollback
fi

# Test database
if ! wp db check; then
    log "✗ Database check failed"
    rollback
fi

# Disable maintenance mode
wp maintenance-mode deactivate

# Clear caches
wp cache flush
wp rewrite flush

log "=== Update Complete Successfully ==="

Staged Update Strategy

#!/bin/bash
# staged-update.sh - Update staging first, then production

STAGING_PATH="/var/www/staging"
PROD_PATH="/var/www/production"

echo "Stage 1: Updating staging environment..."
cd "$STAGING_PATH"
bash /usr/local/bin/safe-update.sh

# Wait for manual verification
echo "Staging updated. Please verify functionality."
read -p "Proceed with production update? (y/n) " -n 1 -r
echo

if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    echo "Production update cancelled"
    exit 0
fi

echo "Stage 2: Updating production..."
cd "$PROD_PATH"
bash /usr/local/bin/safe-update.sh

echo "✓ Staged rollout complete"

Post-Update Validation

Verify site health after updates.

Comprehensive Health Check

#!/bin/bash
# post-update-validation.sh

SITE_URL=$(wp option get siteurl)

echo "Running post-update validation..."

# Check WordPress core
if wp core verify-checksums 2>/dev/null; then
    echo "✓ WordPress core files intact"
else
    echo "✗ Core file verification failed"
    exit 1
fi

# Check database
if wp db check 2>/dev/null; then
    echo "✓ Database healthy"
else
    echo "✗ Database issues detected"
    exit 1
fi

# Test site accessibility
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$SITE_URL")
if [ "$HTTP_CODE" -eq 200 ]; then
    echo "✓ Site accessible (HTTP $HTTP_CODE)"
else
    echo "✗ Site not accessible (HTTP $HTTP_CODE)"
    exit 1
fi

# Check admin panel
ADMIN_URL="${SITE_URL}/wp-admin/"
ADMIN_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$ADMIN_URL")
if [ "$ADMIN_CODE" -eq 200 ] || [ "$ADMIN_CODE" -eq 302 ]; then
    echo "✓ Admin panel accessible"
else
    echo "✗ Admin panel issues (HTTP $ADMIN_CODE)"
fi

# Check critical pages
CRITICAL_PAGES=("/" "/about" "/contact")
for PAGE in "${CRITICAL_PAGES[@]}"; do
    URL="${SITE_URL}${PAGE}"
    CODE=$(curl -s -o /dev/null -w "%{http_code}" "$URL")

    if [ "$CODE" -eq 200 ]; then
        echo "✓ $PAGE accessible"
    else
        echo "✗ $PAGE failed (HTTP $CODE)"
    fi
done

echo "✓ Post-update validation complete"

Automated Testing

#!/bin/bash
# test-critical-functionality.sh

cd /var/www/html

echo "Testing critical WordPress functionality..."

# Test plugin activation
TEST_PLUGIN="hello-dolly"
if wp plugin is-installed $TEST_PLUGIN; then
    if wp plugin activate $TEST_PLUGIN 2>/dev/null; then
        echo "✓ Plugin activation works"
        wp plugin deactivate $TEST_PLUGIN 2>/dev/null
    else
        echo "✗ Plugin activation failed"
        exit 1
    fi
fi

# Test post creation
TEST_POST=$(wp post create \
    --post_title="Test Post" \
    --post_content="Testing functionality" \
    --post_status=draft \
    --porcelain 2>/dev/null)

if [ -n "$TEST_POST" ]; then
    echo "✓ Post creation works"
    wp post delete $TEST_POST --force
else
    echo "✗ Post creation failed"
    exit 1
fi

# Test cache flush
if wp cache flush 2>/dev/null; then
    echo "✓ Cache operations work"
else
    echo "✗ Cache operations failed"
fi

echo "✓ Functionality tests passed"

Learn about WordPress maintenance mode.

Update Monitoring and Alerts

Track update success and detect issues.

Update Status Reporting

#!/bin/bash
# update-report.sh - Generate update status report

REPORT_FILE="/tmp/update-report-$(date +%Y%m%d).txt"
ADMIN_EMAIL="admin@example.com"

{
    echo "WordPress Update Report"
    echo "Generated: $(date)"
    echo "========================"
    echo ""

    echo "WordPress Version:"
    wp core version --extra
    echo ""

    echo "Plugin Status:"
    wp plugin list --format=table
    echo ""

    echo "Theme Status:"
    wp theme list --format=table
    echo ""

    echo "Update Check:"
    CORE_UPDATES=$(wp core check-update --format=count)
    PLUGIN_UPDATES=$(wp plugin list --update=available --format=count)
    THEME_UPDATES=$(wp theme list --update=available --format=count)

    echo "Core updates available: $CORE_UPDATES"
    echo "Plugin updates available: $PLUGIN_UPDATES"
    echo "Theme updates available: $THEME_UPDATES"
    echo ""

    if [ "$PLUGIN_UPDATES" -gt 0 ]; then
        echo "Plugins Needing Updates:"
        wp plugin list --update=available --fields=name,version,update_version
        echo ""
    fi

} > "$REPORT_FILE"

# Email report
mail -s "WordPress Update Report" "$ADMIN_EMAIL" < "$REPORT_FILE"

echo "✓ Update report sent to $ADMIN_EMAIL"

Failure Notifications

#!/bin/bash
# notify-update-failure.sh

ADMIN_EMAIL="admin@example.com"
SITE_NAME=$(wp option get blogname)
SITE_URL=$(wp option get siteurl)

ERROR_MSG="WordPress Update Failure Alert

Site: $SITE_NAME
URL: $SITE_URL
Time: $(date)
Server: $(hostname)

A WordPress update has failed and the site has been rolled back to the previous state.

Please investigate immediately and review the update logs.

Log file: /var/log/wp-updates.log"

echo "$ERROR_MSG" | mail -s "URGENT: WordPress Update Failed on $SITE_NAME" "$ADMIN_EMAIL"

Production-Ready Update Automation

Complete automated update system for production environments.

Master Update Script

#!/bin/bash
# master-update-automation.sh

set -euo pipefail

SITE_PATH="/var/www/html"
BACKUP_DIR="/backups/pre-update"
LOG_FILE="/var/log/wp-updates.log"
ADMIN_EMAIL="admin@example.com"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

send_failure_alert() {
    echo "WordPress update failed on $(hostname) at $(date)" | \
        mail -s "WordPress Update Failure" "$ADMIN_EMAIL"
}

# Error handler
error_handler() {
    log "ERROR: Update failed at line $1"
    send_failure_alert
    exit 1
}

trap 'error_handler ${LINENO}' ERR

cd "$SITE_PATH"

log "=== Automated WordPress Update Started ==="

# Pre-update checks
log "Running pre-update checks..."
bash /usr/local/bin/pre-update-checks.sh

# Create backup
log "Creating backup..."
bash /usr/local/bin/backup-before-update.sh

# Verify backup
log "Verifying backup..."
bash /usr/local/bin/verify-backup.sh

# Enable maintenance mode
log "Enabling maintenance mode..."
wp maintenance-mode activate

# Update WordPress
log "Updating WordPress core..."
if wp core check-update --format=count | grep -q "^0
quot;; then
    log "WordPress core already up to date"
else
    wp core update
fi

# Update plugins (exclude problematic ones)
log "Updating plugins..."
EXCLUDE="woocommerce,elementor"  # Plugins to update manually
wp plugin update --all --exclude="$EXCLUDE"

# Update themes
log "Updating themes..."
wp theme update --all

# Post-update validation
log "Running post-update validation..."
bash /usr/local/bin/post-update-validation.sh

# Disable maintenance mode
log "Disabling maintenance mode..."
wp maintenance-mode deactivate

# Clear all caches
wp cache flush
wp rewrite flush

# Cleanup old backups (keep last 7)
find "$BACKUP_DIR" -name "backup-*" -mtime +7 -delete

log "=== Update Complete Successfully ==="

# Send success report
bash /usr/local/bin/update-report.sh

Schedule with cron:

# Run updates Sunday 3 AM
0 3 * * 0 /usr/local/bin/master-update-automation.sh

Next Steps

You now have production-ready WordPress update automation with comprehensive safety mechanisms.

Recommended Learning Path

Week 1: Safety fundamentals

Implement pre-update checks
Create backup workflows
Build rollback procedures

Week 2: Testing workflows

Set up staging environments
Automate post-update validation
Test critical functionality

Week 3: Monitoring

Build update reporting
Set up failure alerts
Track update history

Week 4: Production deployment

Automate complete workflows
Schedule updates
Document procedures

Advanced Topics

Blue-Green Deployments – Zero-downtime updates
Canary Releases – Gradual rollout strategies
Continuous Integration – Automated testing pipelines

Get More Resources

Download update automation scripts including:

Complete safety system
Testing frameworks
Monitoring tools

Join our email course for:

Weekly WP-CLI tutorials
Update automation strategies
DevOps best practices

Conclusion

Safe WordPress update automation with WP-CLI transforms risky manual updates into reliable, automated workflows that protect your sites while keeping them secure.

What we covered:

✅ Pre-update safety checks and validation
✅ Automated backup with verification
✅ Update execution with automatic rollback
✅ Post-update validation and testing
✅ Monitoring, alerts, and reporting
✅ Production-ready automation workflows

Master these techniques, and you’ll confidently automate WordPress updates knowing your sites are protected by multiple safety layers and instant recovery capabilities.

Ready for more? Learn WordPress deployment automation or infrastructure as code.

Questions about safe WordPress update automation? Drop a comment below!

Found this helpful? Share with other WordPress administrators.

The post Safe WordPress Update Automation with WP-CLI: Testing and Rollback appeared first on WP-CLI Mastery.

WordPress Malware Detection and Cleanup Using WP-CLI

Krasen — Mon, 24 Nov 2025 11:16:24 +0000

WordPress malware infections compromise site security, steal sensitive data, and damage reputation. WP-CLI provides powerful command-line tools for detecting, analyzing, and removing malware efficiently, often faster and more thoroughly than manual cleanup or GUI-based security plugins.

Understanding WordPress Malware

Malware manifests in various forms: backdoors granting unauthorized access, spam injection contaminating content, redirect scripts hijacking visitors, cryptominers consuming server resources, and data exfiltration code stealing information. Understanding these patterns helps identify and remove infections effectively.

Common infection vectors include vulnerable plugins or themes, weak passwords, compromised hosting environments, and outdated WordPress core. WP-CLI enables systematic scanning and cleanup across all potential infection points.

Initial Assessment and Backup

Before attempting cleanup, assess the infection scope and create comprehensive backups. This ensures you can recover if cleanup causes issues.

#!/bin/bash
# pre-cleanup-assessment.sh - Initial malware assessment

WP_PATH="/var/www/html"
BACKUP_DIR="/backups/malware-cleanup"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)

mkdir -p "$BACKUP_DIR"

echo "=== Pre-Cleanup Assessment ==="

# Create complete backup
echo "Creating backup..."
wp --path="$WP_PATH" db export "$BACKUP_DIR/database-$TIMESTAMP.sql"
tar -czf "$BACKUP_DIR/files-$TIMESTAMP.tar.gz" -C "$(dirname $WP_PATH)" "$(basename $WP_PATH)"

# Get WordPress version
WP_VERSION=$(wp --path="$WP_PATH" core version)
echo "WordPress Version: $WP_VERSION"

# Check for core file modifications
echo "Checking core file integrity..."
wp --path="$WP_PATH" core verify-checksums

# List all users (especially admins)
echo "Admin users:"
wp --path="$WP_PATH" user list --role=administrator --fields=ID,user_login,user_email

# Check for suspicious users
echo "Recently created users:"
wp --path="$WP_PATH" user list --format=json | \
    jq -r '.[] | select(.roles | contains(["administrator"])) | "\(.ID)\t\(.user_login)\t\(.user_registered)"'

# List active plugins
echo "Active plugins:"
wp --path="$WP_PATH" plugin list --status=active --fields=name,version,update

# Check for suspicious scheduled tasks
echo "Scheduled cron events:"
wp --path="$WP_PATH" cron event list --format=table

echo "Assessment completed. Backup saved to: $BACKUP_DIR"

Core File Integrity Verification

WordPress core files rarely need modification. Any changes often indicate compromise.

# Verify core file checksums
wp core verify-checksums

# Get detailed output of modified files
wp core verify-checksums --format=json | jq -r '.[] | select(.status == "modified") | .file'

# Reinstall WordPress core (preserves wp-content and wp-config.php)
wp core download --force --skip-content

# Verify specific file
wp core verify-checksums wp-admin/index.php

Automated core file restoration:

#!/bin/bash
# restore-core-files.sh - Restore modified core files

WP_PATH="/var/www/html"

echo "Checking for modified core files..."

# Get list of modified files
MODIFIED_FILES=$(wp --path="$WP_PATH" core verify-checksums --format=csv | grep -v "^file,status$" | grep "should_not_exist\|not_found\|modified" | cut -d',' -f1)

if [ -z "$MODIFIED_FILES" ]; then
    echo "No modified core files found"
    exit 0
fi

echo "Modified files found:"
echo "$MODIFIED_FILES"

# Backup modified files before restoration
BACKUP_DIR="/backups/core-files-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BACKUP_DIR"

echo "$MODIFIED_FILES" | while read -r file; do
    if [ -f "$WP_PATH/$file" ]; then
        BACKUP_PATH="$BACKUP_DIR/$(dirname $file)"
        mkdir -p "$BACKUP_PATH"
        cp "$WP_PATH/$file" "$BACKUP_PATH/"
        echo "Backed up: $file"
    fi
done

# Reinstall core
echo "Reinstalling WordPress core..."
wp --path="$WP_PATH" core download --force --skip-content

# Verify restoration
if wp --path="$WP_PATH" core verify-checksums; then
    echo "Core files successfully restored"
else
    echo "Warning: Some core files still show modifications"
fi

Database Scanning and Cleanup

Malware often injects malicious code into the database, particularly in posts, options, and user metadata.

# Search database for common malware patterns
wp db query "SELECT * FROM wp_posts WHERE post_content LIKE '%base64_decode%' OR post_content LIKE '%eval(%' OR post_content LIKE '%gzinflate%'"

# Search options table
wp db query "SELECT * FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode%'"

# Find suspicious JavaScript injections
wp db query "SELECT post_id, post_title FROM wp_posts WHERE post_content LIKE '%# Check for malicious admin users
wp db query "SELECT * FROM wp_users WHERE user_login LIKE '%admin%' OR user_login REGEXP '^[0-9]+$'"

# Find posts with suspicious meta data
wp db query "SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_value LIKE '%





Comprehensive database scanning script:



#!/bin/bash
# scan-database.sh - Scan database for malware patterns

WP_PATH="/var/www/html"
REPORT_FILE="/var/log/malware-scan-$(date +%Y%m%d-%H%M%S).txt"

echo "=== WordPress Database Malware Scan ===" | tee "$REPORT_FILE"
echo "Date: $(date)" | tee -a "$REPORT_FILE"
echo "" | tee -a "$REPORT_FILE"

# Malware patterns to search for
PATTERNS=(
    "base64_decode"
    "eval("
    "gzinflate"
    "str_rot13"
    "preg_replace.*\/e"
    "assert("
    "stripslashes"
    "iframe src"
    "script src=.*http"
    "document.write"
)

# Tables to scan
TABLES=(
    "wp_posts"
    "wp_options"
    "wp_postmeta"
    "wp_usermeta"
    "wp_comments"
)

for pattern in "${PATTERNS[@]}"; do
    echo "Searching for pattern: $pattern" | tee -a "$REPORT_FILE"

    for table in "${TABLES[@]}"; do
        COUNT=$(wp --path="$WP_PATH" db query "SELECT COUNT(*) as count FROM $table" --skip-column-names 2>/dev/null)

        if [ "$COUNT" -gt 0 ]; then
            # Get column names for table
            COLUMNS=$(wp --path="$WP_PATH" db query "SHOW COLUMNS FROM $table" --skip-column-names | awk '{print $1}' | grep -E 'content|value|text')

            for column in $COLUMNS; do
                MATCHES=$(wp --path="$WP_PATH" db query "
                    SELECT COUNT(*) FROM $table
                    WHERE $column LIKE '%$pattern%'
                " --skip-column-names 2>/dev/null || echo "0")

                if [ "$MATCHES" -gt 0 ]; then
                    echo "  Found $MATCHES matches in $table.$column" | tee -a "$REPORT_FILE"

                    # Get sample matches
                    wp --path="$WP_PATH" db query "
                        SELECT * FROM $table
                        WHERE $column LIKE '%$pattern%'
                        LIMIT 3
                    " >> "$REPORT_FILE"
                fi
            done
        fi
    done
    echo "" | tee -a "$REPORT_FILE"
done

echo "Scan completed. Report saved to: $REPORT_FILE"




Plugin and Theme Scanning



Compromised or nulled plugins/themes are common infection sources.



# List all plugins
wp plugin list --fields=name,status,version,update

# Check for plugins from suspicious sources
wp plugin list --status=active --format=json | jq -r '.[] | select(.update == "available") | .name'

# Deactivate all plugins (for diagnosis)
wp plugin deactivate --all

# Reactivate plugins one by one
wp plugin activate plugin-name

# Delete inactive plugins
wp plugin delete $(wp plugin list --status=inactive --field=name)

# Check theme integrity
wp theme list --fields=name,status,version,update

# Switch to default theme
wp theme activate twentytwentyfour

# Delete unused themes
wp theme delete $(wp theme list --status=inactive --field=name)




Scan for malicious code in plugins and themes:



#!/bin/bash
# scan-plugins-themes.sh - Scan for malware in plugins and themes

WP_PATH="/var/www/html"
SCAN_LOG="/var/log/plugin-theme-scan-$(date +%Y%m%d).txt"

echo "=== Scanning Plugins and Themes for Malware ===" | tee "$SCAN_LOG"

# Malicious code patterns
PATTERNS=(
    "eval\s*\("
    "base64_decode"
    "gzinflate"
    "str_rot13"
    "system\s*\("
    "exec\s*\("
    "shell_exec"
    "passthru"
    "preg_replace.*\/e"
    "\$_GET\[.*\]\(.*\)"
    "\$_POST\[.*\]\(.*\)"
)

# Scan plugins
echo "Scanning plugins..." | tee -a "$SCAN_LOG"
for plugin_dir in "$WP_PATH/wp-content/plugins/"*/; do
    PLUGIN_NAME=$(basename "$plugin_dir")
    echo "Checking: $PLUGIN_NAME" | tee -a "$SCAN_LOG"

    for pattern in "${PATTERNS[@]}"; do
        MATCHES=$(grep -r -i -E "$pattern" "$plugin_dir" 2>/dev/null | wc -l)

        if [ "$MATCHES" -gt 0 ]; then
            echo "  WARNING: Found $MATCHES matches for '$pattern'" | tee -a "$SCAN_LOG"
            grep -r -i -n -E "$pattern" "$plugin_dir" | head -5 >> "$SCAN_LOG"
        fi
    done
done

# Scan themes
echo "Scanning themes..." | tee -a "$SCAN_LOG"
for theme_dir in "$WP_PATH/wp-content/themes/"*/; do
    THEME_NAME=$(basename "$theme_dir")
    echo "Checking: $THEME_NAME" | tee -a "$SCAN_LOG"

    for pattern in "${PATTERNS[@]}"; do
        MATCHES=$(grep -r -i -E "$pattern" "$theme_dir" 2>/dev/null | wc -l)

        if [ "$MATCHES" -gt 0 ]; then
            echo "  WARNING: Found $MATCHES matches for '$pattern'" | tee -a "$SCAN_LOG"
            grep -r -i -n -E "$pattern" "$theme_dir" | head -5 >> "$SCAN_LOG"
        fi
    done
done

echo "Scan completed. Results in: $SCAN_LOG"




Removing Malicious Users and Content



Delete unauthorized admin accounts and clean infected content.



# List all administrators
wp user list --role=administrator --format=table

# Delete suspicious user
wp user delete 999 --yes --reassign=1

# Remove spam posts
wp post delete $(wp post list --post_status=spam --format=ids) --force

# Clean spam comments
wp comment delete $(wp comment list --status=spam --format=ids) --force

# Remove posts with malicious content
wp db query "DELETE FROM wp_posts WHERE post_content LIKE '%malicious-pattern%'"

# Clean options table
wp option delete suspicious_option_name

# Remove malicious scheduled tasks
wp cron event delete suspicious_hook




Automated malicious user cleanup:



#!/bin/bash
# cleanup-users.sh - Remove suspicious WordPress users

WP_PATH="/var/www/html"

echo "Scanning for suspicious users..."

# Get all admin users
ADMIN_USERS=$(wp --path="$WP_PATH" user list --role=administrator --format=json)

# Check for users with suspicious characteristics
echo "$ADMIN_USERS" | jq -r '.[] | select(
    .user_login | test("^[0-9]+$|admin[0-9]+|wp[-_]admin|support[0-9]+")
) | .ID' | while read -r user_id; do
    USER_LOGIN=$(wp --path="$WP_PATH" user get $user_id --field=user_login)
    USER_EMAIL=$(wp --path="$WP_PATH" user get $user_id --field=user_email)
    USER_REGISTERED=$(wp --path="$WP_PATH" user get $user_id --field=user_registered)

    echo "Suspicious user found:"
    echo "  ID: $user_id"
    echo "  Login: $USER_LOGIN"
    echo "  Email: $USER_EMAIL"
    echo "  Registered: $USER_REGISTERED"

    # Uncomment to actually delete
    # wp --path="$WP_PATH" user delete $user_id --yes --reassign=1
    # echo "  Deleted"
done

# Check for users with no posts and recently created
echo "Checking for recently created users with no activity..."
wp --path="$WP_PATH" user list --format=json | jq -r '.[] |
    select(.roles | contains(["administrator"])) |
    "\(.ID)\t\(.user_login)\t\(.user_registered)"'




File System Cleanup



Search for and remove malicious files in the WordPress installation.



#!/bin/bash
# filesystem-scan.sh - Scan for suspicious files

WP_PATH="/var/www/html"
SCAN_LOG="/var/log/filesystem-scan-$(date +%Y%m%d).txt"

echo "=== File System Malware Scan ===" | tee "$SCAN_LOG"

# Find recently modified files (last 7 days)
echo "Recently modified files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -mtime -7 -not -path "*/cache/*" -not -path "*/uploads/*" | tee -a "$SCAN_LOG"

# Find PHP files with suspicious names
echo "Suspicious PHP files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f \( \
    -name "*.php.*" -o \
    -name "*.suspected" -o \
    -name "*.bak.php" -o \
    -name "*eval*.php" -o \
    -name "*base64*.php" -o \
    -iname "wp-config.php.bak" \
\) | tee -a "$SCAN_LOG"

# Find files with suspicious permissions (world-writable)
echo "World-writable files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -perm -0002 | tee -a "$SCAN_LOG"

# Find hidden PHP files
echo "Hidden PHP files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -name ".*\.php" | tee -a "$SCAN_LOG"

# Find files owned by wrong user (should be www-data or similar)
echo "Files with incorrect ownership:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f ! -user www-data ! -user root | head -20 | tee -a "$SCAN_LOG"

# Search for base64 encoded strings in PHP files
echo "Files containing base64 encoding:" | tee -a "$SCAN_LOG"
grep -r -l "base64_decode" "$WP_PATH"/*.php "$WP_PATH"/wp-includes/*.php "$WP_PATH"/wp-admin/*.php 2>/dev/null | tee -a "$SCAN_LOG"

echo "Scan completed: $SCAN_LOG"




Security Hardening Post-Cleanup



After malware removal, implement security measures to prevent reinfection.



#!/bin/bash
# security-hardening.sh - Harden WordPress after cleanup

WP_PATH="/var/www/html"

echo "Applying security hardening..."

# Update all components
wp --path="$WP_PATH" core update
wp --path="$WP_PATH" plugin update --all
wp --path="$WP_PATH" theme update --all

# Set secure file permissions
find "$WP_PATH" -type d -exec chmod 755 {} \;
find "$WP_PATH" -type f -exec chmod 644 {} \;
chmod 600 "$WP_PATH/wp-config.php"

# Disable file editing
wp --path="$WP_PATH" config set DISALLOW_FILE_EDIT true --raw --type=constant

# Force SSL for admin
wp --path="$WP_PATH" config set FORCE_SSL_ADMIN true --raw --type=constant

# Set security keys
wp --path="$WP_PATH" config shuffle-salts

# Remove inactive plugins and themes
wp --path="$WP_PATH" plugin delete $(wp --path="$WP_PATH" plugin list --status=inactive --field=name)
wp --path="$WP_PATH" theme delete $(wp --path="$WP_PATH" theme list --status=inactive --field=name)

# Disable XML-RPC if not needed
cat >> "$WP_PATH/wp-config.php" << 'EOF'
add_filter('xmlrpc_enabled', '__return_false');
EOF

# Install and configure security plugin
wp --path="$WP_PATH" plugin install wordfence --activate
wp --path="$WP_PATH" option update wordfence_scan_enabled 1

# Change all user passwords
echo "Resetting all user passwords..."
for user_id in $(wp --path="$WP_PATH" user list --field=ID); do
    NEW_PASS=$(openssl rand -base64 16)
    wp --path="$WP_PATH" user update $user_id --user_pass="$NEW_PASS"
    echo "User ID $user_id password reset"
done

# Clean and optimize database
wp --path="$WP_PATH" db optimize

echo "Security hardening completed"




Monitoring and Prevention



Set up monitoring to detect future compromises early.



#!/bin/bash
# monitor-integrity.sh - Monitor WordPress for changes

WP_PATH="/var/www/html"
HASH_FILE="/var/backups/wp-hashes.txt"
ALERT_EMAIL="admin@example.com"

# Create hash database if it doesn't exist
if [ ! -f "$HASH_FILE" ]; then
    echo "Creating initial hash database..."
    find "$WP_PATH" -type f ! -path "*/uploads/*" ! -path "*/cache/*" -exec md5sum {} + > "$HASH_FILE"
    echo "Hash database created"
    exit 0
fi

# Check for changes
TEMP_HASH="/tmp/wp-hashes-temp.txt"
find "$WP_PATH" -type f ! -path "*/uploads/*" ! -path "*/cache/*" -exec md5sum {} + > "$TEMP_HASH"

# Compare hashes
CHANGES=$(diff "$HASH_FILE" "$TEMP_HASH" | grep "^[<>]" | wc -l)

if [ "$CHANGES" -gt 0 ]; then
    echo "WARNING: $CHANGES files have changed"

    # Send alert
    diff "$HASH_FILE" "$TEMP_HASH" | mail -s "WordPress File Changes Detected" "$ALERT_EMAIL"

    # Update hash database
    mv "$TEMP_HASH" "$HASH_FILE"
else
    echo "No changes detected"
    rm "$TEMP_HASH"
fi




Related Links




WordPress Security Documentation



WP-CLI Security Commands



Sucuri Security Guide



Wordfence Security Blog



OWASP WordPress Security

The post WordPress Malware Detection and Cleanup Using WP-CLI appeared first on WP-CLI Mastery.