Automated WordPress security scanning with WP-CLI detects vulnerabilities continuously, monitors file integrity, checks for malware patterns, validates checksums, and alerts on suspicious changes. Run comprehensive security scans daily without manual intervention.

In this guide, you’ll build automated WordPress security monitoring systems using WP-CLI, from basic vulnerability checks to production-grade security automation that protects your sites 24/7.

Why Automate WordPress Security?

Manual WordPress security checks don’t provide continuous protection against evolving threats.

Manual Security Limitations

Infrequent checks: Manual audits happen weekly or monthly, leaving gaps.

Human error: Manual reviews miss subtle security indicators.

Time-consuming: Comprehensive security audits take hours per site.

No real-time alerts: Breaches go undetected until the next manual check.

Limited scope: Can’t check every file, user, and configuration regularly.

Automated Security Benefits

Continuous monitoring: Security checks run automatically every day.

Instant alerts: Get notified immediately when threats are detected.

Comprehensive coverage: Scan every file, plugin, theme, and configuration.

Historical tracking: Log all security events for forensic analysis.

Multi-site management: Monitor dozens of WordPress sites from one system.

According to Sucuri research, automated security monitoring detects breaches 85% faster than manual audits.

Core File Integrity Verification

Detect unauthorized modifications to WordPress core files.

Checksum Verification

#!/bin/bash
# verify-core-integrity.sh

echo "WordPress Core Integrity Check"
echo "==============================="

# Verify core file checksums
if wp core verify-checksums; then
    echo "✓ Core files verified - no modifications detected"
else
    echo "✗ ALERT: Core files modified or corrupted"
    echo "Details:"
    wp core verify-checksums --format=json | jq -r '.[] | "  - \(.)"'

    # Send alert
    echo "Core file integrity check failed on $(hostname)" | \
        mail -s "WordPress Security Alert" admin@example.com
fi

Automated Daily Verification

#!/bin/bash
# daily-integrity-check.sh

LOG_FILE="/var/log/wp-security.log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

log "Starting core integrity check"

# Check WordPress core
if ! wp core verify-checksums 2>&1 | tee -a "$LOG_FILE"; then
    log "✗ Core integrity check FAILED"

    # Create detailed report
    {
        echo "WordPress Core Integrity Failure"
        echo "================================="
        echo "Timestamp: $(date)"
        echo "Server: $(hostname)"
        echo "WordPress version: $(wp core version)"
        echo ""
        echo "Modified files:"
        wp core verify-checksums 2>&1 | grep "^Error:"
    } | mail -s "URGENT: WordPress Core Modified" security@example.com

    exit 1
fi

log "✓ Core integrity check passed"

Learn about WordPress file integrity.

Plugin and Theme Vulnerability Detection

Check for known security vulnerabilities in plugins and themes.

WP-CLI Vulnerability Scanner

#!/bin/bash
# scan-vulnerabilities.sh

echo "WordPress Vulnerability Scan"
echo "============================"

# Check if WPScan CLI is available
if ! command -v wpscan &> /dev/null; then
    echo "Installing WPScan..."
    gem install wpscan
fi

# Update WPScan database
wpscan --update

# Scan WordPress installation
SCAN_RESULTS=$(wpscan --url "$(wp option get siteurl)" \
    --format json \
    --random-user-agent \
    --disable-tls-checks)

# Parse vulnerabilities
VULN_COUNT=$(echo "$SCAN_RESULTS" | jq '.plugins | to_entries[] | select(.value.vulnerabilities | length > 0) | .value.vulnerabilities | length' | awk '{s+=$1} END {print s}')

if [ "$VULN_COUNT" -gt 0 ]; then
    echo "✗ ALERT: $VULN_COUNT vulnerabilities detected"

    # Generate detailed report
    echo "$SCAN_RESULTS" | jq -r '.plugins | to_entries[] | select(.value.vulnerabilities | length > 0) | "Plugin: \(.key)\nVulnerabilities:\n\(.value.vulnerabilities[] | "  - \(.title) (Severity: \(.vuln_type))\n    Fixed in: \(.fixed_in // "No fix available")\n")"'

else
    echo "✓ No known vulnerabilities detected"
fi

Check Plugin Updates for Security Fixes

#!/bin/bash
# check-security-updates.sh

echo "Checking for security updates..."

# Get plugins with available updates
UPDATES=$(wp plugin list --update=available --format=json)

if [ "$UPDATES" != "[]" ]; then
    echo "Plugins with available updates:"
    echo "$UPDATES" | jq -r '.[] | "- \(.name) (Current: \(.version), Available: \(.update_version))"'

    # Check update changelogs for security keywords
    echo ""
    echo "Checking changelogs for security mentions..."

    echo "$UPDATES" | jq -r '.[].name' | while read PLUGIN; do
        CHANGELOG=$(wp plugin get "$PLUGIN" --field=update_changelog 2>/dev/null)

        if echo "$CHANGELOG" | grep -qi 'security\|vulnerability\|xss\|sql injection\|exploit'; then
            echo "⚠ SECURITY UPDATE AVAILABLE: $PLUGIN"
            echo "  Update immediately using: wp plugin update $PLUGIN"
        fi
    done
else
    echo "✓ All plugins up to date"
fi

Learn about WordPress security best practices.

File Change Monitoring

Detect unauthorized file modifications.

File Integrity Database

#!/bin/bash
# create-file-baseline.sh - Create baseline of file checksums

BASELINE_FILE="/var/backups/wp-file-baseline.txt"
WP_PATH="/var/www/html"

echo "Creating file integrity baseline..."

cd "$WP_PATH"

# Generate checksums for all WordPress files
find . -type f \
    -not -path "./wp-content/uploads/*" \
    -not -path "./wp-content/cache/*" \
    -not -path "./wp-content/backup/*" \
    -exec md5sum {} \; | sort > "$BASELINE_FILE"

echo "✓ Baseline created: $BASELINE_FILE"
echo "Total files: $(wc -l < $BASELINE_FILE)"

Detect File Changes

#!/bin/bash
# detect-file-changes.sh

BASELINE_FILE="/var/backups/wp-file-baseline.txt"
WP_PATH="/var/www/html"
REPORT_FILE="/tmp/file-changes-$(date +%Y%m%d).txt"

if [ ! -f "$BASELINE_FILE" ]; then
    echo "ERROR: Baseline file not found. Run create-file-baseline.sh first."
    exit 1
fi

echo "Scanning for file changes..."

cd "$WP_PATH"

# Generate current checksums
find . -type f \
    -not -path "./wp-content/uploads/*" \
    -not -path "./wp-content/cache/*" \
    -not -path "./wp-content/backup/*" \
    -exec md5sum {} \; | sort > /tmp/current-checksums.txt

# Compare with baseline
{
    echo "WordPress File Change Report"
    echo "============================="
    echo "Date: $(date)"
    echo ""

    # Modified files
    echo "Modified Files:"
    comm -13 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        if grep -q "$file" "$BASELINE_FILE"; then
            echo "  MODIFIED: $file"
        fi
    done

    echo ""

    # New files
    echo "New Files:"
    comm -13 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        if ! grep -q "$file" "$BASELINE_FILE"; then
            echo "  ADDED: $file"
        fi
    done

    echo ""

    # Deleted files
    echo "Deleted Files:"
    comm -23 "$BASELINE_FILE" /tmp/current-checksums.txt | awk '{print $2}' | while read file; do
        echo "  DELETED: $file"
    done

} > "$REPORT_FILE"

# Check if changes detected
CHANGE_COUNT=$(cat "$REPORT_FILE" | grep -c "MODIFIED:\|ADDED:\|DELETED:")

if [ "$CHANGE_COUNT" -gt 0 ]; then
    echo "✗ ALERT: $CHANGE_COUNT file changes detected"
    echo "Report: $REPORT_FILE"

    # Email report
    mail -s "WordPress File Changes Detected" admin@example.com < "$REPORT_FILE"
else
    echo "✓ No file changes detected"
fi

# Cleanup
rm /tmp/current-checksums.txt

Malware Pattern Scanning

Detect common malware patterns in WordPress files.

Basic Malware Scanner

#!/bin/bash
# scan-malware.sh - Detect common malware patterns

WP_PATH="/var/www/html"
REPORT_FILE="/tmp/malware-scan-$(date +%Y%m%d).txt"

echo "WordPress Malware Scan"
echo "======================"

# Suspicious patterns to check
declare -a PATTERNS=(
    "eval(base64_decode"
    "eval(gzinflate"
    "eval(str_rot13"
    "system(\$_"
    "shell_exec"
    "passthru"
    "base64_decode.*eval"
    "FilesMan"
    "r57shell"
    "c99shell"
    "WSO shell"
)

{
    echo "Malware Scan Report"
    echo "==================="
    echo "Date: $(date)"
    echo "Path: $WP_PATH"
    echo ""

    for PATTERN in "${PATTERNS[@]}"; do
        echo "Checking for: $PATTERN"

        MATCHES=$(grep -r -l -i "$PATTERN" "$WP_PATH" \
            --exclude-dir=wp-content/uploads \
            --exclude-dir=wp-content/cache \
            --exclude-dir=node_modules \
            --include="*.php" 2>/dev/null)

        if [ ! -z "$MATCHES" ]; then
            echo "✗ SUSPICIOUS: Files matching '$PATTERN':"
            echo "$MATCHES" | while read file; do
                echo "  - $file"
            done
            echo ""
        fi
    done

} > "$REPORT_FILE"

# Check if suspicious files found
SUSPICIOUS_COUNT=$(grep -c "✗ SUSPICIOUS:" "$REPORT_FILE" || echo 0)

if [ "$SUSPICIOUS_COUNT" -gt 0 ]; then
    echo "✗ ALERT: Potential malware detected"
    echo "Report: $REPORT_FILE"

    # Send alert
    mail -s "URGENT: Potential Malware Detected" security@example.com < "$REPORT_FILE"
else
    echo "✓ No malware patterns detected"
fi

Check for Suspicious Files

#!/bin/bash
# check-suspicious-files.sh

WP_PATH="/var/www/html"

echo "Checking for suspicious files..."

# Check for unusual file types in wp-content
echo "Checking for executable files in wp-content..."
find "$WP_PATH/wp-content" \
    -type f \
    \( -name "*.exe" -o -name "*.sh" -o -name "*.bat" \) \
    -print

# Check for PHP files in uploads directory
echo "Checking for PHP files in uploads..."
find "$WP_PATH/wp-content/uploads" -name "*.php" -print

# Check for recently modified files (last 24 hours)
echo "Recently modified PHP files (last 24 hours)..."
find "$WP_PATH" -name "*.php" -mtime -1 -type f -print

# Check for files with suspicious permissions
echo "Files with 777 permissions..."
find "$WP_PATH" -type f -perm 0777 -print

Learn about WordPress malware detection.

User Account Security Auditing

Monitor user accounts for security issues.

User Security Audit

#!/bin/bash
# audit-users.sh

echo "WordPress User Security Audit"
echo "=============================="

# Check for users with admin privileges
echo "Administrator Accounts:"
wp user list --role=administrator --format=table --fields=ID,user_login,user_email,user_registered

ADMIN_COUNT=$(wp user list --role=administrator --format=count)
if [ "$ADMIN_COUNT" -gt 3 ]; then
    echo "⚠ WARNING: $ADMIN_COUNT administrator accounts (recommended: 1-2)"
fi

echo ""

# Check for weak usernames
echo "Checking for common/weak usernames..."
WEAK_USERS=("admin" "administrator" "root" "test" "demo")

for USERNAME in "${WEAK_USERS[@]}"; do
    if wp user get "$USERNAME" &>/dev/null; then
        echo "✗ WARNING: Common username detected: $USERNAME"
        echo "  Recommended: Delete or rename this account"
    fi
done

echo ""

# Check for inactive admin accounts
echo "Inactive Administrator Accounts (no posts/pages):"
wp user list --role=administrator --format=json | \
    jq -r '.[] | select(.posts == "0") | "- \(.user_login) (registered: \(.user_registered))"'

echo ""

# Check user capabilities
echo "Users with 'delete_users' capability:"
wp user list --format=json | \
    jq -r '.[] | select(.roles[] | contains("administrator")) | .user_login'

Password Policy Check

#!/bin/bash
# check-password-policy.sh

echo "Password Policy Check"
echo "===================="

# This requires custom code to check password strength
# WordPress doesn't expose password hashes via WP-CLI for security

# Check for recent password changes
echo "Users who haven't changed password recently:"
# This would require custom user meta tracking

# Check for 2FA status (if plugin installed)
if wp plugin is-installed two-factor; then
    echo "2FA Status:"
    wp user list --format=json | \
        jq -r '.[] | "\(.user_login): \(if .two_factor_enabled then "Enabled" else "DISABLED" end)"'
fi

# List users who can install plugins/themes
echo ""
echo "Users with plugin/theme installation privileges:"
wp user list --role=administrator,editor --format=csv --fields=user_login,roles

Comprehensive Security Report

Generate complete security assessment reports.

Master Security Script

#!/bin/bash
# comprehensive-security-check.sh

REPORT_FILE="/tmp/wordpress-security-report-$(date +%Y%m%d).txt"
LOG_FILE="/var/log/wp-security.log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $@" | tee -a "$LOG_FILE"
}

{
    echo "WordPress Comprehensive Security Report"
    echo "========================================"
    echo "Generated: $(date)"
    echo "Server: $(hostname)"
    echo ""

    # Core integrity
    echo "1. Core File Integrity"
    echo "----------------------"
    if wp core verify-checksums; then
        echo "✓ PASS: Core files verified"
    else
        echo "✗ FAIL: Core file modifications detected"
    fi
    echo ""

    # Plugin security
    echo "2. Plugin Security"
    echo "------------------"
    PLUGIN_UPDATES=$(wp plugin list --update=available --format=count)
    echo "Plugins needing updates: $PLUGIN_UPDATES"

    if [ "$PLUGIN_UPDATES" -eq 0 ]; then
        echo "✓ PASS: All plugins up to date"
    else
        echo "⚠ WARNING: Plugin updates available"
        wp plugin list --update=available --format=table --fields=name,version,update_version
    fi
    echo ""

    # Theme security
    echo "3. Theme Security"
    echo "-----------------"
    THEME_UPDATES=$(wp theme list --update=available --format=count)
    echo "Themes needing updates: $THEME_UPDATES"
    echo ""

    # User accounts
    echo "4. User Account Security"
    echo "------------------------"
    ADMIN_COUNT=$(wp user list --role=administrator --format=count)
    echo "Administrator accounts: $ADMIN_COUNT"

    if [ "$ADMIN_COUNT" -gt 3 ]; then
        echo "⚠ WARNING: Too many administrator accounts"
    else
        echo "✓ PASS: Administrator count acceptable"
    fi
    echo ""

    # SSL/HTTPS check
    echo "5. SSL/HTTPS Configuration"
    echo "--------------------------"
    SITE_URL=$(wp option get siteurl)
    if [[ "$SITE_URL" == https://* ]]; then
        echo "✓ PASS: HTTPS enabled"
    else
        echo "✗ FAIL: Site not using HTTPS"
    fi
    echo ""

    # File permissions
    echo "6. File Permissions"
    echo "-------------------"
    INSECURE_FILES=$(find . -type f -perm 0777 | wc -l)
    echo "Files with 777 permissions: $INSECURE_FILES"

    if [ "$INSECURE_FILES" -eq 0 ]; then
        echo "✓ PASS: No files with overly permissive permissions"
    else
        echo "⚠ WARNING: Insecure file permissions detected"
    fi
    echo ""

    # WordPress version
    echo "7. WordPress Version"
    echo "--------------------"
    CURRENT_VERSION=$(wp core version)
    LATEST_VERSION=$(wp core check-update --format=json | jq -r '.[0].version // empty')

    echo "Current version: $CURRENT_VERSION"
    echo "Latest version: ${LATEST_VERSION:-$CURRENT_VERSION}"

    if [ -z "$LATEST_VERSION" ]; then
        echo "✓ PASS: WordPress is up to date"
    else
        echo "⚠ WARNING: WordPress update available"
    fi

} > "$REPORT_FILE"

log "Security report generated: $REPORT_FILE"

# Email report
mail -s "WordPress Security Report - $(hostname)" admin@example.com < "$REPORT_FILE"

echo "✓ Security report complete: $REPORT_FILE"

Automated Scheduling

Run security scans automatically with cron.

Cron Configuration

# Add to crontab: crontab -e

# Daily core integrity check at 2 AM
0 2 * * * /usr/local/bin/verify-core-integrity.sh >> /var/log/wp-security.log 2>&1

# Daily vulnerability scan at 3 AM
0 3 * * * /usr/local/bin/scan-vulnerabilities.sh >> /var/log/wp-security.log 2>&1

# Daily file change detection at 4 AM
0 4 * * * /usr/local/bin/detect-file-changes.sh >> /var/log/wp-security.log 2>&1

# Weekly comprehensive security report (Mondays at 8 AM)
0 8 * * 1 /usr/local/bin/comprehensive-security-check.sh

# Monthly user audit (first day of month)
0 9 1 * * /usr/local/bin/audit-users.sh | mail -s "Monthly User Audit" admin@example.com

Learn about WordPress security monitoring.

Next Steps

You now have automated WordPress security scanning and monitoring capabilities with WP-CLI.

Recommended Learning Path

Week 1: Core security

• Implement core integrity checks
• Set up vulnerability scanning
• Test alerting systems

Week 2: File monitoring

• Create file baselines
• Configure change detection
• Add malware scanning

Week 3: User security

• Audit user accounts
• Check permissions
• Implement password policies

Week 4: Automation

• Schedule all security checks
• Configure comprehensive reports
• Integrate with monitoring tools

Advanced Topics

1. Intrusion Detection Systems – Advanced threat detection
2. Security Information and Event Management (SIEM) – Centralized security monitoring
3. Automated Incident Response – Automatic threat mitigation

Get More Resources

Download security scripts including:

• Complete scanning system
• Monitoring tools
• Report templates

Join our email course for:

• Weekly WP-CLI tutorials
• Security best practices
• Threat response strategies

Conclusion

Automated WordPress security scanning with WP-CLI provides continuous protection against vulnerabilities, malware, and unauthorized changes—detecting threats before they compromise your sites.

What we covered:

✅ Core file integrity verification
✅ Plugin and theme vulnerability detection
✅ File change monitoring and alerting
✅ Malware pattern scanning
✅ User account security auditing
✅ Comprehensive automated security reports

Implement these security automation systems, and you’ll detect threats immediately—protecting WordPress sites 24/7 without constant manual monitoring.

Ready for more? Learn incident response or WordPress hardening.

Questions about WordPress security automation? Drop a comment below!

Found this helpful? Share with other WordPress administrators.

The post Automate WordPress Security Scanning and Monitoring with WP-CLI appeared first on WP-CLI Mastery.

Understanding WordPress Malware

Malware manifests in various forms: backdoors granting unauthorized access, spam injection contaminating content, redirect scripts hijacking visitors, cryptominers consuming server resources, and data exfiltration code stealing information. Understanding these patterns helps identify and remove infections effectively.

Common infection vectors include vulnerable plugins or themes, weak passwords, compromised hosting environments, and outdated WordPress core. WP-CLI enables systematic scanning and cleanup across all potential infection points.

Initial Assessment and Backup

Before attempting cleanup, assess the infection scope and create comprehensive backups. This ensures you can recover if cleanup causes issues.

#!/bin/bash
# pre-cleanup-assessment.sh - Initial malware assessment

WP_PATH="/var/www/html"
BACKUP_DIR="/backups/malware-cleanup"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)

mkdir -p "$BACKUP_DIR"

echo "=== Pre-Cleanup Assessment ==="

# Create complete backup
echo "Creating backup..."
wp --path="$WP_PATH" db export "$BACKUP_DIR/database-$TIMESTAMP.sql"
tar -czf "$BACKUP_DIR/files-$TIMESTAMP.tar.gz" -C "$(dirname $WP_PATH)" "$(basename $WP_PATH)"

# Get WordPress version
WP_VERSION=$(wp --path="$WP_PATH" core version)
echo "WordPress Version: $WP_VERSION"

# Check for core file modifications
echo "Checking core file integrity..."
wp --path="$WP_PATH" core verify-checksums

# List all users (especially admins)
echo "Admin users:"
wp --path="$WP_PATH" user list --role=administrator --fields=ID,user_login,user_email

# Check for suspicious users
echo "Recently created users:"
wp --path="$WP_PATH" user list --format=json | \
    jq -r '.[] | select(.roles | contains(["administrator"])) | "\(.ID)\t\(.user_login)\t\(.user_registered)"'

# List active plugins
echo "Active plugins:"
wp --path="$WP_PATH" plugin list --status=active --fields=name,version,update

# Check for suspicious scheduled tasks
echo "Scheduled cron events:"
wp --path="$WP_PATH" cron event list --format=table

echo "Assessment completed. Backup saved to: $BACKUP_DIR"

Core File Integrity Verification

WordPress core files rarely need modification. Any changes often indicate compromise.

# Verify core file checksums
wp core verify-checksums

# Get detailed output of modified files
wp core verify-checksums --format=json | jq -r '.[] | select(.status == "modified") | .file'

# Reinstall WordPress core (preserves wp-content and wp-config.php)
wp core download --force --skip-content

# Verify specific file
wp core verify-checksums wp-admin/index.php

Automated core file restoration:

#!/bin/bash
# restore-core-files.sh - Restore modified core files

WP_PATH="/var/www/html"

echo "Checking for modified core files..."

# Get list of modified files
MODIFIED_FILES=$(wp --path="$WP_PATH" core verify-checksums --format=csv | grep -v "^file,status$" | grep "should_not_exist\|not_found\|modified" | cut -d',' -f1)

if [ -z "$MODIFIED_FILES" ]; then
    echo "No modified core files found"
    exit 0
fi

echo "Modified files found:"
echo "$MODIFIED_FILES"

# Backup modified files before restoration
BACKUP_DIR="/backups/core-files-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BACKUP_DIR"

echo "$MODIFIED_FILES" | while read -r file; do
    if [ -f "$WP_PATH/$file" ]; then
        BACKUP_PATH="$BACKUP_DIR/$(dirname $file)"
        mkdir -p "$BACKUP_PATH"
        cp "$WP_PATH/$file" "$BACKUP_PATH/"
        echo "Backed up: $file"
    fi
done

# Reinstall core
echo "Reinstalling WordPress core..."
wp --path="$WP_PATH" core download --force --skip-content

# Verify restoration
if wp --path="$WP_PATH" core verify-checksums; then
    echo "Core files successfully restored"
else
    echo "Warning: Some core files still show modifications"
fi

Database Scanning and Cleanup

Malware often injects malicious code into the database, particularly in posts, options, and user metadata.

# Search database for common malware patterns
wp db query "SELECT * FROM wp_posts WHERE post_content LIKE '%base64_decode%' OR post_content LIKE '%eval(%' OR post_content LIKE '%gzinflate%'"

# Search options table
wp db query "SELECT * FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode%'"

# Find suspicious JavaScript injections
wp db query "SELECT post_id, post_title FROM wp_posts WHERE post_content LIKE '%<script%' AND post_type='post'"

# Check for malicious admin users
wp db query "SELECT * FROM wp_users WHERE user_login LIKE '%admin%' OR user_login REGEXP '^[0-9]+$'"

# Find posts with suspicious meta data
wp db query "SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%eval(%'"

Comprehensive database scanning script:

#!/bin/bash
# scan-database.sh - Scan database for malware patterns

WP_PATH="/var/www/html"
REPORT_FILE="/var/log/malware-scan-$(date +%Y%m%d-%H%M%S).txt"

echo "=== WordPress Database Malware Scan ===" | tee "$REPORT_FILE"
echo "Date: $(date)" | tee -a "$REPORT_FILE"
echo "" | tee -a "$REPORT_FILE"

# Malware patterns to search for
PATTERNS=(
    "base64_decode"
    "eval("
    "gzinflate"
    "str_rot13"
    "preg_replace.*\/e"
    "assert("
    "stripslashes"
    "iframe src"
    "script src=.*http"
    "document.write"
)

# Tables to scan
TABLES=(
    "wp_posts"
    "wp_options"
    "wp_postmeta"
    "wp_usermeta"
    "wp_comments"
)

for pattern in "${PATTERNS[@]}"; do
    echo "Searching for pattern: $pattern" | tee -a "$REPORT_FILE"

    for table in "${TABLES[@]}"; do
        COUNT=$(wp --path="$WP_PATH" db query "SELECT COUNT(*) as count FROM $table" --skip-column-names 2>/dev/null)

        if [ "$COUNT" -gt 0 ]; then
            # Get column names for table
            COLUMNS=$(wp --path="$WP_PATH" db query "SHOW COLUMNS FROM $table" --skip-column-names | awk '{print $1}' | grep -E 'content|value|text')

            for column in $COLUMNS; do
                MATCHES=$(wp --path="$WP_PATH" db query "
                    SELECT COUNT(*) FROM $table
                    WHERE $column LIKE '%$pattern%'
                " --skip-column-names 2>/dev/null || echo "0")

                if [ "$MATCHES" -gt 0 ]; then
                    echo "  Found $MATCHES matches in $table.$column" | tee -a "$REPORT_FILE"

                    # Get sample matches
                    wp --path="$WP_PATH" db query "
                        SELECT * FROM $table
                        WHERE $column LIKE '%$pattern%'
                        LIMIT 3
                    " >> "$REPORT_FILE"
                fi
            done
        fi
    done
    echo "" | tee -a "$REPORT_FILE"
done

echo "Scan completed. Report saved to: $REPORT_FILE"

Plugin and Theme Scanning

Compromised or nulled plugins/themes are common infection sources.

# List all plugins
wp plugin list --fields=name,status,version,update

# Check for plugins from suspicious sources
wp plugin list --status=active --format=json | jq -r '.[] | select(.update == "available") | .name'

# Deactivate all plugins (for diagnosis)
wp plugin deactivate --all

# Reactivate plugins one by one
wp plugin activate plugin-name

# Delete inactive plugins
wp plugin delete $(wp plugin list --status=inactive --field=name)

# Check theme integrity
wp theme list --fields=name,status,version,update

# Switch to default theme
wp theme activate twentytwentyfour

# Delete unused themes
wp theme delete $(wp theme list --status=inactive --field=name)

Scan for malicious code in plugins and themes:

#!/bin/bash
# scan-plugins-themes.sh - Scan for malware in plugins and themes

WP_PATH="/var/www/html"
SCAN_LOG="/var/log/plugin-theme-scan-$(date +%Y%m%d).txt"

echo "=== Scanning Plugins and Themes for Malware ===" | tee "$SCAN_LOG"

# Malicious code patterns
PATTERNS=(
    "eval\s*\("
    "base64_decode"
    "gzinflate"
    "str_rot13"
    "system\s*\("
    "exec\s*\("
    "shell_exec"
    "passthru"
    "preg_replace.*\/e"
    "\$_GET\[.*\]\(.*\)"
    "\$_POST\[.*\]\(.*\)"
)

# Scan plugins
echo "Scanning plugins..." | tee -a "$SCAN_LOG"
for plugin_dir in "$WP_PATH/wp-content/plugins/"*/; do
    PLUGIN_NAME=$(basename "$plugin_dir")
    echo "Checking: $PLUGIN_NAME" | tee -a "$SCAN_LOG"

    for pattern in "${PATTERNS[@]}"; do
        MATCHES=$(grep -r -i -E "$pattern" "$plugin_dir" 2>/dev/null | wc -l)

        if [ "$MATCHES" -gt 0 ]; then
            echo "  WARNING: Found $MATCHES matches for '$pattern'" | tee -a "$SCAN_LOG"
            grep -r -i -n -E "$pattern" "$plugin_dir" | head -5 >> "$SCAN_LOG"
        fi
    done
done

# Scan themes
echo "Scanning themes..." | tee -a "$SCAN_LOG"
for theme_dir in "$WP_PATH/wp-content/themes/"*/; do
    THEME_NAME=$(basename "$theme_dir")
    echo "Checking: $THEME_NAME" | tee -a "$SCAN_LOG"

    for pattern in "${PATTERNS[@]}"; do
        MATCHES=$(grep -r -i -E "$pattern" "$theme_dir" 2>/dev/null | wc -l)

        if [ "$MATCHES" -gt 0 ]; then
            echo "  WARNING: Found $MATCHES matches for '$pattern'" | tee -a "$SCAN_LOG"
            grep -r -i -n -E "$pattern" "$theme_dir" | head -5 >> "$SCAN_LOG"
        fi
    done
done

echo "Scan completed. Results in: $SCAN_LOG"

Removing Malicious Users and Content

Delete unauthorized admin accounts and clean infected content.

# List all administrators
wp user list --role=administrator --format=table

# Delete suspicious user
wp user delete 999 --yes --reassign=1

# Remove spam posts
wp post delete $(wp post list --post_status=spam --format=ids) --force

# Clean spam comments
wp comment delete $(wp comment list --status=spam --format=ids) --force

# Remove posts with malicious content
wp db query "DELETE FROM wp_posts WHERE post_content LIKE '%malicious-pattern%'"

# Clean options table
wp option delete suspicious_option_name

# Remove malicious scheduled tasks
wp cron event delete suspicious_hook

Automated malicious user cleanup:

#!/bin/bash
# cleanup-users.sh - Remove suspicious WordPress users

WP_PATH="/var/www/html"

echo "Scanning for suspicious users..."

# Get all admin users
ADMIN_USERS=$(wp --path="$WP_PATH" user list --role=administrator --format=json)

# Check for users with suspicious characteristics
echo "$ADMIN_USERS" | jq -r '.[] | select(
    .user_login | test("^[0-9]+$|admin[0-9]+|wp[-_]admin|support[0-9]+")
) | .ID' | while read -r user_id; do
    USER_LOGIN=$(wp --path="$WP_PATH" user get $user_id --field=user_login)
    USER_EMAIL=$(wp --path="$WP_PATH" user get $user_id --field=user_email)
    USER_REGISTERED=$(wp --path="$WP_PATH" user get $user_id --field=user_registered)

    echo "Suspicious user found:"
    echo "  ID: $user_id"
    echo "  Login: $USER_LOGIN"
    echo "  Email: $USER_EMAIL"
    echo "  Registered: $USER_REGISTERED"

    # Uncomment to actually delete
    # wp --path="$WP_PATH" user delete $user_id --yes --reassign=1
    # echo "  Deleted"
done

# Check for users with no posts and recently created
echo "Checking for recently created users with no activity..."
wp --path="$WP_PATH" user list --format=json | jq -r '.[] |
    select(.roles | contains(["administrator"])) |
    "\(.ID)\t\(.user_login)\t\(.user_registered)"'

File System Cleanup

Search for and remove malicious files in the WordPress installation.

#!/bin/bash
# filesystem-scan.sh - Scan for suspicious files

WP_PATH="/var/www/html"
SCAN_LOG="/var/log/filesystem-scan-$(date +%Y%m%d).txt"

echo "=== File System Malware Scan ===" | tee "$SCAN_LOG"

# Find recently modified files (last 7 days)
echo "Recently modified files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -mtime -7 -not -path "*/cache/*" -not -path "*/uploads/*" | tee -a "$SCAN_LOG"

# Find PHP files with suspicious names
echo "Suspicious PHP files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f \( \
    -name "*.php.*" -o \
    -name "*.suspected" -o \
    -name "*.bak.php" -o \
    -name "*eval*.php" -o \
    -name "*base64*.php" -o \
    -iname "wp-config.php.bak" \
\) | tee -a "$SCAN_LOG"

# Find files with suspicious permissions (world-writable)
echo "World-writable files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -perm -0002 | tee -a "$SCAN_LOG"

# Find hidden PHP files
echo "Hidden PHP files:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f -name ".*\.php" | tee -a "$SCAN_LOG"

# Find files owned by wrong user (should be www-data or similar)
echo "Files with incorrect ownership:" | tee -a "$SCAN_LOG"
find "$WP_PATH" -type f ! -user www-data ! -user root | head -20 | tee -a "$SCAN_LOG"

# Search for base64 encoded strings in PHP files
echo "Files containing base64 encoding:" | tee -a "$SCAN_LOG"
grep -r -l "base64_decode" "$WP_PATH"/*.php "$WP_PATH"/wp-includes/*.php "$WP_PATH"/wp-admin/*.php 2>/dev/null | tee -a "$SCAN_LOG"

echo "Scan completed: $SCAN_LOG"

Security Hardening Post-Cleanup

After malware removal, implement security measures to prevent reinfection.

#!/bin/bash
# security-hardening.sh - Harden WordPress after cleanup

WP_PATH="/var/www/html"

echo "Applying security hardening..."

# Update all components
wp --path="$WP_PATH" core update
wp --path="$WP_PATH" plugin update --all
wp --path="$WP_PATH" theme update --all

# Set secure file permissions
find "$WP_PATH" -type d -exec chmod 755 {} \;
find "$WP_PATH" -type f -exec chmod 644 {} \;
chmod 600 "$WP_PATH/wp-config.php"

# Disable file editing
wp --path="$WP_PATH" config set DISALLOW_FILE_EDIT true --raw --type=constant

# Force SSL for admin
wp --path="$WP_PATH" config set FORCE_SSL_ADMIN true --raw --type=constant

# Set security keys
wp --path="$WP_PATH" config shuffle-salts

# Remove inactive plugins and themes
wp --path="$WP_PATH" plugin delete $(wp --path="$WP_PATH" plugin list --status=inactive --field=name)
wp --path="$WP_PATH" theme delete $(wp --path="$WP_PATH" theme list --status=inactive --field=name)

# Disable XML-RPC if not needed
cat >> "$WP_PATH/wp-config.php" << 'EOF'
add_filter('xmlrpc_enabled', '__return_false');
EOF

# Install and configure security plugin
wp --path="$WP_PATH" plugin install wordfence --activate
wp --path="$WP_PATH" option update wordfence_scan_enabled 1

# Change all user passwords
echo "Resetting all user passwords..."
for user_id in $(wp --path="$WP_PATH" user list --field=ID); do
    NEW_PASS=$(openssl rand -base64 16)
    wp --path="$WP_PATH" user update $user_id --user_pass="$NEW_PASS"
    echo "User ID $user_id password reset"
done

# Clean and optimize database
wp --path="$WP_PATH" db optimize

echo "Security hardening completed"

Monitoring and Prevention

Set up monitoring to detect future compromises early.

#!/bin/bash
# monitor-integrity.sh - Monitor WordPress for changes

WP_PATH="/var/www/html"
HASH_FILE="/var/backups/wp-hashes.txt"
ALERT_EMAIL="admin@example.com"

# Create hash database if it doesn't exist
if [ ! -f "$HASH_FILE" ]; then
    echo "Creating initial hash database..."
    find "$WP_PATH" -type f ! -path "*/uploads/*" ! -path "*/cache/*" -exec md5sum {} + > "$HASH_FILE"
    echo "Hash database created"
    exit 0
fi

# Check for changes
TEMP_HASH="/tmp/wp-hashes-temp.txt"
find "$WP_PATH" -type f ! -path "*/uploads/*" ! -path "*/cache/*" -exec md5sum {} + > "$TEMP_HASH"

# Compare hashes
CHANGES=$(diff "$HASH_FILE" "$TEMP_HASH" | grep "^[<>]" | wc -l)

if [ "$CHANGES" -gt 0 ]; then
    echo "WARNING: $CHANGES files have changed"

    # Send alert
    diff "$HASH_FILE" "$TEMP_HASH" | mail -s "WordPress File Changes Detected" "$ALERT_EMAIL"

    # Update hash database
    mv "$TEMP_HASH" "$HASH_FILE"
else
    echo "No changes detected"
    rm "$TEMP_HASH"
fi

Related Links

• WordPress Security Documentation
• WP-CLI Security Commands
• Sucuri Security Guide
• Wordfence Security Blog
• OWASP WordPress Security

The post WordPress Malware Detection and Cleanup Using WP-CLI appeared first on WP-CLI Mastery.