Top 10 SSH commands for your hacked WordPress website

Introduction

WordPress websites are often infected with malware, if they do not have the right security.

I had to work on many hacked WP websites to remove the malicious code. Hackers user a lot of methods like SQL injection, breaking into Wp admin area etc.

When there is only one website hosted on a server, things are easier. But when there are many websites hosted and they are all infected with malware, things can get so ugly.

The SSH commands I will show you will pretty useful when multiple sites on a server get infected. These alone will never guarantee you that you will get rid of the malicious code. You need to do other things before that.

What to do when your WordPress website is hacked?

There are some very important things to do when this happens to you:

  1. Change tour FTP passwords.
  2. Change databases passwords.
  3. Check WP databases for users which should not exist there. JUst be sure you do not have any "admin" user and you should change that to something else.
  4. Use some WP plugins to scan your website files and delete or repair all infected files.

The above are just a few really important things which you need to do.

If you use Putty for your SSH, the below commands will be really useful to you.

The best SSH commands to fight against WP malware

First of all you need to go to your website folder where all websites are hosted on FTP. You need to login via SSH with Putty and then, if you main folder is domains or public_html just add this:

cd domains

or

cd public_html

1. Find all files on server having a certain extension

I worked on an infected server which had many websites hosted on it and some file having an ".ico" extension were added regularly. These were all malicious files containing malware code.

So I've come up with a SSH command to list those files with ".ico" extension:

find . -type f -name "*.ico"

2. Delete all files on server having a certain extension

After I have listed those files, and there will be also favicon.ico files, we need to delete them all ( yes, this will delete the favico.icon files, but just save them on your computer and you can add those back):

find . -mindepth 1 -iname "*.ico" -type f -delete

3. List all files modified in the last 24 hours

After you cleaned everything on your website and notice that malicious files are still added, the below command will be useful to see which files were modified and see where's the problem:

find .  -mtime -1 -ls

Just in case the the attack is aggresive, you can also list the files which were modified in the last hour:

find .  -mmin -60 -ls

4. List all files which were added in the last 24 hours

find . -ctime -1 -ls

If you need to know the files which were added in the last hour, just add this:

find . -cmin -60 -ls

5. Delete all files which contain a certain string

Many of the malicious files which are added by hackers contain some weird variables like: "vlojin", "ampqw", "ftzxuy" etc.

To delete all files which contain such strings in them just use this:

find . -name "*.php" -exec grep -l "vlojin" {} \; | xargs rm

But be careful, because some pieces of code which use these variables is injected into WP core files, or theme files, or plugin files. So you need to be sure that the files you delete are only files which contain only malicious code.

Ideally, instead of adding the string exactly as it is, would be great to use a regex. But the problem is that when I added such regex to the code it never worked. Probably because some hosting settings.

6. Find the lines which contain a certain string in all index.php files and delete them

One thing I noticed was that when websites were hacked, in many cases, some malicious code was added to index.php files on website root. That malware code was something like: "@include \adg3\dgh5l\ ...".

When you have many websites hacked on the same server, there is a nice command you can use to delete that line which has that "@include..." code in all index.php files:

find ./ -name index.php -exec sed -i '/include/d' {} \; 

Not to mention that malware code is also added to wp-config.php files or wp-settings.php files.

7. Delete the malware files that have a certain name

Another thing I've noticed was that there were, on all server, many malware files which had the same name. Like "leaf.php", "or.php" etc.

There is one SSH command which you can use to delete all files with a certain name on all websites on the server:

find . -name "leaf.php" -exec rm -rf {} \;

8. Change database password in all wp-config.php files

If you have your website on a MT Grid Server all databases have the same password. If your WordPress website was hacked you need to change the password in all wp-config.php files, after you change it in your hosting account.

There is a very useful command to use in order to change password in all wp-config.php files:

find ./ -name wp-config.php -exec sed -i 's/oldpassword/newpassword' {} \;

9. Delete all files inside a website folder

If you have a .zip backup of the entire website and want to delete all what's inside the website folder you need this command:

rm -rf /path/to/website/root

10. Unzip a backup file to restore a website instantly

Just go to the folder where you have your backup .zip file stored and add this command:

unzip myfiles.zip -d /path/to/website/root

Conclusion

Getting your WP website hacked is not good. But there are solutions to get rid of this problem. I hope that the above SSH commands will help you fight against all these malicious attacks.

Comments closed

Please contact me, if you have any questions or suggestions.