WordPress sites can be compromised in many ways — common symptoms include injected redirects, hidden iframes, and obfuscated PHP code scattered across site files.
This article is not a step-by-step remediation guide. It is a reference list of tools that may help, either used as-is or adapted to fit the specific infection. For usage details, refer to each tool’s original documentation.
Tools
Sucuri wordpress-fix.php
Targets a specific base64-encoded eval injection that typically looks like this inside affected PHP files:
<?php /**/ eval(base64_decode("aWY...
The script uses two sequential commands wrapped in PHP shell execution to clean affected files:
Command 1 — Remove the malicious code
find $dir -name "*.php" -type f | xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'
Recursively locates every PHP file and strips everything matching the malware signature — from the opening <?php /**/ through the closing ?>. The string aWY is the beginning of a specific base64-encoded payload associated with this infection.
Command 2 — Clean up empty lines left behind
find $dir -name "*.php" -type f | xargs sed -i '/./,$!d'
Runs through every PHP file again and removes leading blank lines left behind after the malicious code is stripped.
The PHP backtick operators wrapping each command are shell execution syntax — equivalent to shell_exec(). This allows the script to run both bash commands on the server without requiring direct terminal access. Upload to the web root and run from the browser.
Originally published by Sucuri; now available via Stack Overflow.
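An added example, not Sucuri's script and not part of the original article: the same two sed steps, preceded by a read-only listing pass and a backup of every file before it is rewritten. The function names, the backup directory argument, the constructed sample files and the narrower [^?]* match (which stops at the first ?> instead of the last one on the line) are assumptions of this example.

```shell
#!/bin/sh
# Added example. BRE pattern for the injection; '*' is escaped so '/**/' is literal.
SIG='<?php /\*\*/ eval(base64_decode("aWY'

# list_infected DIR: print each *.php file that contains the signature (read-only).
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -l -e "$SIG" {} +
}

# clean_infected DIR BACKUP_DIR: copy each hit into BACKUP_DIR (assumed to be
# outside the web root), strip the injected block and leading blank lines, and
# print how many files were rewritten. Names containing newlines are not handled.
clean_infected() {
    list=$(mktemp) || return 1
    list_infected "$1" > "$list" || :    # grep exits non-zero when nothing matches
    n=0
    while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")" && cp -p "$f" "$2/$f" ||
            { rm -f "$list"; return 1; }
        # [^?]* stops at the first '?>', so code later on the line survives.
        # Reading from the backup avoids the GNU/BSD difference in 'sed -i'.
        sed -e "s#${SIG}[^?]*?>##g" -e '/./,$!d' "$2/$f" > "$f"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# make_sample DIR: constructed test tree; the payload decodes to "if(fake)".
make_sample() {
    inj='<?php /**/ eval(base64_decode("aWYoZmFrZSk="));?>'
    mkdir -p "$1/wp content"
    printf '%s%s\n' "$inj" '<?php echo "home"; ?>' > "$1/index.php"
    printf '%s\n%s\n' "$inj" '<?php echo "x"; ?>' > "$1/wp content/a.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$1/clean.php"
}

# Usage: script.sh DIR (dry run) or script.sh DIR BACKUP_DIR (clean).
case $# in
    1) list_infected "$1" ;;
    2) clean_infected "$1" "$2" ;;
esac
```

Run the listing pass first and review the hits before cleaning. Keep BACKUP_DIR outside the web root so the saved infected copies cannot be requested over HTTP.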
Hidden iframe injection scanner
Scans all site files for a string of your choice and reports which files contain it. Does not repair files. Simple and useful for quickly identifying the scope of an infection before remediation.
Usage: http://www.yourdomain.com/clean.php?stringofchoice
clrvir
A PHP CLI script for Linux shell accounts. Scans and cleans infected web files directly from the command line. Requires shell access.
Gumblar family removal tool
Targets the Gumblar family of infections specifically.
Text Search Replace
Recursively scans a directory for files matching specified extensions, searches for a regex pattern, and optionally replaces all matches with new text. Generates a log of all search and replacement activity. Useful for surgical removal once the malicious string has been identified.
Some of these require shell or terminal access. Others can be run via the browser. Whatever the case, remediation should always be followed by a full audit of how the compromise occurred — cleaning infected files without closing the entry point will result in reinfection.