#!/usr/bin/env bash
set -euo pipefail
# ----------------------
# wp-fix-hacked.sh
# ----------------------
# Usage: cd /path/to/wp-install && bash wp-fix-hacked.sh
# Or: bash wp-fix-hacked.sh /path/to/wp-install
# Default: current directory
# ----------------------
# Determine target directory
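# Target directory: first argument if given, otherwise the current directory.
if [ $# -gt 0 ]; then
  if [ ! -d "$1" ]; then
    echo "⚠️ $1 is not a directory." >&2
    exit 1
  fi
  # Resolve to an absolute path so a relative or dash-prefixed argument cannot
  # be misread as an option by the find/grep/wp calls that receive ROOT_DIR.
  ROOT_DIR="$(cd -- "$1" && pwd)"
else
  ROOT_DIR="$(pwd)"
fi
# Ensure we're in a WP install. Every later step deletes or overwrites files
# under ROOT_DIR, so stop here if this is not a WordPress directory.
if [ ! -f "$ROOT_DIR/wp-config.php" ]; then
  # Diagnostics go to stderr so they are not lost when stdout is redirected.
  echo "⚠️ No wp-config.php found in $ROOT_DIR. Please run this from a WordPress install directory." >&2
  exit 1
fi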
# ----------------------
# Identify WordPress owner
# ----------------------
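# The owner of wp-config.php decides whose processes are killed below and which
# account wp-cli runs as later, so it is validated before anything acts on it.
WP_OWNER="$(stat -c '%U' "$ROOT_DIR/wp-config.php")"
WP_GROUP="$(stat -c '%G' "$ROOT_DIR/wp-config.php")"
WP_OWNER_UID="$(stat -c '%u' "$ROOT_DIR/wp-config.php")"
# Refuse uid 0 and owners without a passwd entry (GNU stat prints UNKNOWN).
# On a compromised or misconfigured site wp-config.php may be owned by root,
# and `pgrep -u root` would select every root-owned process on the host.
if [ "$WP_OWNER_UID" -eq 0 ] || [ "$WP_OWNER" = "UNKNOWN" ]; then
  echo "⚠️ wp-config.php is owned by '$WP_OWNER' (uid $WP_OWNER_UID); refusing to kill that account's processes." >&2
  exit 1
fi
# NOTE: this overwrites the login shell's USER variable; the reinstall step
# later in the script reads it.
USER="$WP_OWNER"
echo "🛑 Stopping most processes for user '$USER' (excluding this script)..."
# Killing processes discards volatile evidence (command lines, open files,
# network connections); record it first if the incident will be investigated.
# This script and its parent shell are skipped. Other ancestors owned by the
# same account (e.g. its login session) are not, so run this from another account.
for pid in $(pgrep -u "$USER"); do
  if [ "$pid" != "$$" ] && [ "$pid" != "$PPID" ]; then
    # Best effort: the process may already have exited.
    kill "$pid" 2>/dev/null || true
  fi
done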
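echo "📂 Cleaning WordPress install at: $ROOT_DIR"
# todo: not safe need more work
# (One reason it is unsafe as written: '! -path "$ROOT_DIR/wp-content/*"' does
# not match the wp-content directory itself, so rm -rf would still receive it.)
# # 1. Delete everything except wp-config.php & wp-content/
# find "$ROOT_DIR" -mindepth 1 \
# ! -path "$ROOT_DIR/wp-config.php" \
# ! -path "$ROOT_DIR/wp-content/*" \
# -exec rm -rf {} +
# 2. Remove ELF binaries
# Deletes every regular file under the given directory that file(1) identifies
# as ELF. `file -b` omits the file name from its output and the match is
# anchored, so a name or description that merely contains "ELF" (for example
# SHELF.txt) is no longer deleted.
# Deletion is irreversible: copy or hash the samples first if they are needed
# for investigation.
remove_elf_binaries() {
  local dir=$1
  find "$dir" -type f -exec sh -c \
    'file -b -- "$1" | grep -q "^ELF " && echo " ↳ Deleting $1" && rm -f -- "$1"' sh {} \;
}
echo " • Removing ELF binaries..."
remove_elf_binaries "$ROOT_DIR"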
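# 3. Flag suspicious PHP code
# Heuristic triage only. It looks at *.php files for the literal strings
# "eval(" and "base64_decode(", so code in other extensions, spaced as
# "eval (", or obfuscated is not reported, and legitimate plugins may match.
# Matching lines come from possibly attacker-written files and are printed
# as-is; review them in a pager or editor that does not interpret escapes.
#
# scan_php_for PATTERN DIR
#   Prints matching lines, or " (none found)" when grep finds nothing.
#   A grep error (status > 1, e.g. unreadable files) is reported on stderr
#   instead of being shown as "none found", since the scan was incomplete.
scan_php_for() {
  local pattern=$1 dir=$2 rc=0
  grep -iR --include="*.php" -- "$pattern" "$dir" || rc=$?
  case "$rc" in
    0) ;;
    1) echo " (none found)" ;;
    *) echo " ⚠️ grep exited with status $rc; some files could not be scanned, results are incomplete." >&2 ;;
  esac
}
echo " • Checking for eval() injections:"
scan_php_for "eval(" "$ROOT_DIR"
echo " • Checking for base64_decode() use:"
scan_php_for "base64_decode(" "$ROOT_DIR"
echo " → Manually inspect any hits and remove malicious code."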
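# 4. Reinstall WP core
# Runs wp-cli as the site owner. --force overwrites existing core files;
# --skip-content downloads core without the bundled themes and plugins, so
# wp-content/ (plugins, themes, uploads) is not cleaned by this step.
echo " • Re-downloading WordPress core..."
if sudo -u "$USER" wp core download --path="$ROOT_DIR" --skip-content --force; then
  echo " ✔ Core reinstalled successfully."
else
  # Do not fall through to the "Done" message: core files were not replaced
  # and may still carry modifications.
  echo " ✖ Core download failed; core files were NOT replaced." >&2
  exit 1
fi
# Compare the core files on disk with the official checksums so leftover or
# altered core files are reported. Non-fatal: the operator reviews the output.
echo " • Verifying core checksums..."
sudo -u "$USER" wp core verify-checksums --path="$ROOT_DIR" ||
  echo " ⚠️ Core checksum verification reported problems; review the output above." >&2
echo -e "
✅ Done! Review grep hits above, then secure your site (update credentials, plugins, themes)."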