Useful Tools that May Help Determine and Fix Hacked WordPress Installations


For one reason or another, your WordPress site may get hacked. Code may be attached to various files throughout the site that could do a wide range of things including site redirection. There are many different types of hacks, however, there are several tools and commands that may prove useful for remediation. If these tools do not re-mediate, then these could serve as a basic framework for customization to fit the current need.

The purpose of this article is identify alternative tools that could assist in infection remediation, not necessarily describe how to use them. The original sites will serve better in that arena.

Here are those tools:

  • created a tool called wordpress-fix.php to clean a specific type of infection that would look something like this.
    Although the tool is no longer available from their site, here it is found at
Site clean up by <a href=""></a><br />
This script will clean the malware from this attack:
<a href=""></a>
<br /><br />
If you need help, contact or visit us at <a href=""></a>
<br /><br />

$dir = "./";
$rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1`;
echo "Malware removed.<br />\n";
$emptyline = `find $dir -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.<br />\n";

<br />
  • Hidden iframe injection attacks. – This site offers a script that will scan your site for a specific string to determine what files contain that string. It does not repair the files. This is quite useful. Usage:
  • clrvir – The web virus cleaning utility is a PHP command line interface (CLI) web-virus cleaning script for Linux operating systems to be used on shell accounts with infected websites.
  • Gumblar-family virus removal tool.
  • Text Search Replace. This class can be used to search the content of certain files and replace with different information. It can browse a given directory recursively and open files that match certain file name extensions. The files are read to search for a given regular expression text. Optionally it may replace all the occurrences with a new text and the files are updated. The log is generated to record the search and replacement activity.
  • One or more of these scripts may prove handy either in their current form or modified to fit your needs. Some of these require special access to your server or terminal access. Others do not. Whatever the case may be, these are certainly great resources that may aid in the understanding of how the site may have been compromised to the identification of the compromise to remediation.