
Command Line Cleaning WP

Burn the land and boil the seas, I use CLIs to clean WP. My heavy-handed, command-line methodology for scrubbing the heck out of a WordPress install when I clean.

I’m a huge fan of the scorched earth clean up for WordPress. By which I mean when I clean up WP, I rip it out, scrub it, and reinstall. This scares the heck out of people sometimes, and if you’re doing it in a GUI, yeah, it can be sucky and time consuming. Me? I do it in 5-10 minutes, depending on if my cat wants to be petted.

I’ve been asked ‘How do you do it that fast?’ so here are my steps for cleaning up WP, with the following assumptions:

  1. I’m working in the folder where WP is installed
  2. wp-config.php is in this folder
  3. WP is in ‘root’ (i.e. I’m not giving WP its own folder)

If any of those aren’t true for you, adjust the folder locations in the commands:

Download WP: wget -P ../

Unzip it: unzip -qq -d ../ ../

Backup DB: wp db export

Pause. Here I’m using WP CLI, which makes my life way easier. If you’re not, you’ll need something like this: mysqldump --opt --user=username --password=password --host=yourMySQLHostname dbname > domain_com.sql

Zip up the files I want to backup: zip -r ../ *.sql wp-config.php .htaccess wp-content/

Set glob. Glob is scary, I know, but read about glob before you dismiss it (if you’re on korn, you can usually skip this): shopt -s extglob

Delete files: rm -rf !(wp-config.php|wp-content)

Pause. At this point, it’s probably wise to consider that my hack may be in my theme and/or plugin. If so, I want to nuke them and JUST keep my uploaded files, so I use this instead…

Delete files: rm -rf !(wp-config.php|wp-content) wp-content/!(uploads|blogs.dir)

Pause again. No matter what, I want to scan for evil files, but this way I do it over a much smaller group of files. Either way, though, I do want to scan the folder for evil, because leaving behind hacks in themes and plugins is really common. Also it’s a good idea to delete every plugin you don’t use, and every theme as well. Since you really can’t delete all themes but one on a Multisite, this gets harder. Generally I don’t delete the themes automatically, but instead go in and nuke them one at a time, so I run this…

Delete files: rm -rf !(wp-config.php|wp-content) wp-content/!(uploads|blogs.dir|themes|mu-plugins)
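
The extglob pattern above skips dotfiles by default, so files such as .htaccess stay in place along with everything kept under wp-content. The dry-run helpers below are an added example, not the author's own commands; the function names and the sample tree are constructed for illustration, and bash is assumed to be installed.

```shell
#!/bin/sh
# Added example: dry-run helpers for the extglob delete described in the post.
# Function names and the sample tree are made up for illustration.

# Print what `rm -rf !(wp-config.php|wp-content)` would remove in directory $1.
# bash is started with extglob already on, so the pattern parses correctly.
would_delete() {
    ( cd "$1" && bash -O extglob -O nullglob -c \
        'for f in !(wp-config.php|wp-content); do printf "%s\n" "$f"; done' )
}

# Print top-level dotfiles. The pattern never matches them (dotglob is off by
# default), so they survive the delete and need a manual look.
surviving_dotfiles() {
    ( cd "$1" && find . ! -name . -prune -name '.*' -print | sed 's|^\./||' | sort )
}

# Print PHP-like files kept under wp-content/uploads, which is normally media.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    ( cd "$1" && find wp-content/uploads -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print | sort )
}

# Build a constructed WordPress-like tree in a fresh temp dir; print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads/2015"
    touch "$d/index.php" "$d/wp-login.php" "$d/wp-config.php" \
          "$d/.htaccess" "$d/.cache.php" \
          "$d/wp-content/uploads/2015/cat.jpg" \
          "$d/wp-content/uploads/2015/thumb.php"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "Would delete:"; would_delete "$tree"
echo "Dotfiles kept:"; surviving_dotfiles "$tree"
echo "PHP in uploads:"; php_in_uploads "$tree"
rm -rf "$tree"
```

Anything listed under the last two headings is untouched by the delete and belongs in the manual scan.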

Now we can move on, knowing our personal files are clean.

Copy it back: cp -r ../wordpress/* .

Clean it up: rm -rf ../wordpress ../

And now you’re done! When you want to reinstall plugins and themes, I do it via wp-cli because it’s faster: wp plugin install NAME and wp theme install NAME

Then I activate as needed and I’m off to the races. If I deleted my mu-plugins, I copy those back from my backup zip, one at a time, checking each file for hacks.

The best thing about this is you can apply the logic to any CMS out there. Just know what you have to delete and keep. The downside? It doesn’t touch your database. Rarely is this an issue for me, except in the case of the Pharma hack. I’ve not had a DB infected yet.

Do you have a solid methodology for cleaning it up?
