I’m a huge fan of the scorched earth clean up for WordPress. By which I mean when I clean up WP, I rip it out, scrub it, and reinstall. This scares the heck out of people sometimes, and if you’re doing it in a GUI, yeah, it can be sucky and time consuming. Me? I do it in 5-10 minutes, depending on if my cat wants to be petted.
I’ve been asked ‘How do you do it that fast?’ so here are my steps for cleaning up WP, with the following assumptions:
- I’m working in the folder where WP is installed
- wp-config.php is in this folder
- WP is in ‘root’ (i.e. I’m not giving WP its own folder)
If any of those aren’t true for you, adjust the folder locations in the commands:
Download WP: wget -P ../ https://wordpress.org/latest.zip
Unzip it: unzip -qq -d ../ ../latest.zip
Backup DB: wp db export
Pause. Here I’m using WP CLI, which makes my life way easier. If you’re not, you’ll need something like this: mysqldump --opt --user=username --password=password --host=yourMySQLHostname dbname > domain_com.sql
Zip up the files I want to backup: zip -r ../domain.zip *.sql wp-config.php .htaccess wp-content/
Set glob. Glob is scary, I know, but read about glob before you dismiss it (if you’re on korn, you can usually skip this): shopt -s extglob
Delete files: rm -rf !(wp-config.php|wp-content)
Pause. At this point, it’s probably wise to consider that my hack may be in my theme and/or plugin. If so, I want to nuke them and JUST keep my uploaded files, so I use this instead…
Delete files: rm -rf !(wp-config.php|wp-content) wp-content/!(uploads|blogs.dir)
Pause again. No matter what, I want to scan for evil files, but this way I do it over a much smaller group of files. Either way, though, I do want to scan the folder for evil, because leaving behind hacks in themes and plugins is really common. It’s also a good idea to delete every plugin you don’t use, and every theme as well. Since you really can’t delete all themes but one on a Multisite, this gets harder. Generally I don’t delete the themes automatically, but instead go in and nuke them one at a time, so I run this…
Delete files: rm -rf !(wp-config.php|wp-content) wp-content/!(uploads|blogs.dir|themes|mu-plugins)
Now we can move on, knowing our personal files are clean.
Copy it back: cp -r ../wordpress/* .
Clean it up: rm -rf ../wordpress ../latest.zip
And now you’re done! When I want to reinstall plugins and themes, I do it via wp-cli because it’s faster: wp plugin install NAME and wp theme install NAME
Then I activate as needed and I’m off to the races. If I deleted my mu-plugins, I copy those back from my backup zip, one at a time, checking each file for hacks.
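A scan of what survives the delete steps above, as an added example that is not from the original post: it flags dotfiles in the WP root (the !(...) patterns skip names starting with a dot unless dotglob is set, so .htaccess stays behind), PHP-like files under uploads or blogs.dir, and kept theme, mu-plugin and wp-config.php files that contain calls common in injected PHP. The function name scan_leftovers, the output labels and the marker list are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). scan_leftovers, its labels and the
# marker list are assumptions; a hit means "read this file", not "this is malware".
# Usage: scan_leftovers /path/to/wp-root

scan_leftovers() {
    root=${1:-.}

    # 1. Dotfiles in the WP root. !(wp-config.php|wp-content) does not match
    #    names starting with a dot unless dotglob is set, so .htaccess and any
    #    other hidden file survive the rm -rf untouched.
    find "$root" -mindepth 1 -maxdepth 1 -name '.*' | sed 's/^/DOTFILE /'

    # 2. Server-side scripts (or an .htaccess) under uploads/ or blogs.dir/.
    #    These folders should hold media, so anything PHP-like needs a look.
    for d in "$root/wp-content/uploads" "$root/wp-content/blogs.dir"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -name '.htaccess' \) |
            sed 's/^/SCRIPT /'
    done

    # 3. Files kept from the old install that contain calls often seen in
    #    injected PHP. Legitimate code can match too.
    for p in "$root/wp-config.php" "$root/wp-content/themes" \
             "$root/wp-content/mu-plugins"; do
        [ -e "$p" ] || continue
        grep -rlE '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' "$p" |
            sed 's/^/MARKER /'
    done
    return 0
}
```

Run it from the WP folder after the delete step; every line it prints is a file to open and read before calling the site clean.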
The best thing about this is you can apply the logic to any CMS out there. Just know what you have to delete and keep. The downside? It doesn’t touch your database. Rarely is this an issue for me, except in the case of the Pharma hack. I’ve not had a DB infected yet.
Do you have a solid methodology for cleaning it up?
Comments
5 responses to “Command Line Cleaning WP”
Pure awesomesauce, you badass!
Well when I backup I use mysqldump, bash, zip… reads post again
Seriously? That’s it? OK I’m sold. I’ll install wp-cli tonight.
@Jan Dembowski: Seriously, that’s it. It doesn’t zip it, but y’know I’m not trying to do anything for massive hoops and a series of compressed, restorable, backups. I’m trying to make a right-now backup
Love the reference to Firefly ? Serenity?
@Glenn: Browncoats never forget.