{"id":51629967,"url":"https://github.com/adityaarsharma/wordpress-malware-removal","last_synced_at":"2026-07-13T06:30:20.371Z","repository":{"id":368788311,"uuid":"1286823079","full_name":"adityaarsharma/wordpress-malware-removal","owner":"adityaarsharma","description":"AI-powered WordPress malware removal \u0026 deep scanner (Claude Code / MCP skill). Finds SEO-spam cloaking, the Japanese keyword hack, redirect malware, web-shells, backdoors \u0026 database injections that Wordfence/MalCare/Sucuri miss. Quarantine-first, no false positives.","archived":false,"fork":false,"pushed_at":"2026-07-02T07:30:59.000Z","size":122,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T08:24:03.033Z","etag":null,"topics":["claude","claude-code","incident-response","japanese-keyword-hack","malware-detection","malware-removal","malware-scanner","mcp","php","security-tools","seo-spam","website-security","wordpress","wordpress-plugin","wordpress-security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adityaarsharma.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-07-02T06:08:53.000Z","updated_at":"2026-07-02T07:31:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/adityaarsharma/wordpress-malware-removal","commit_stats":null,"previous_names":["adityaarsharma/wordpress-malware-removal"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/adityaarsharma/wordpress-malware-removal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Fwordpress-malware-removal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Fwordpress-malware-removal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Fwordpress-malware-removal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Fwordpress-malware-removal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adityaarsharma","download_url":"https://codeload.github.com/adityaarsharma/wordpress-malware-removal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Fwordpress-malware-removal/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35413537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-13T02:00:06.543Z","response_time":119,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude","claude-code","incident-response","japanese-keyword-hack","malware-detection","malware-removal","malware-scanner","mcp","php","security-tools","seo-spam","website-security","wordpress","wordpress-plugin","wordpress-security"],"created_at":"2026-07-13T06:30:19.692Z","updated_at":"2026-07-13T06:30:20.361Z","avatar_url":"https://github.com/adityaarsharma.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# WordPress Malware Removal\n\n### Audit, clean, and harden a WordPress site — end to end, with an AI agent.\n\n[![CI](https://github.com/adityaarsharma/wordpress-malware-removal/actions/workflows/ci.yml/badge.svg)](https://github.com/adityaarsharma/wordpress-malware-removal/actions/workflows/ci.yml)\n[![License: AGPL v3](https://img.shields.io/badge/license-AGPL--3.0-blue.svg)](LICENSE)\n[![Runs with AI agents (MCP)](https://img.shields.io/badge/runs%20with-AI%20agents%20%2F%20MCP-8A2BE2.svg)](#works-with-your-ai-agent)\n[![Python](https://img.shields.io/badge/python-3.8%2B-3776AB.svg)](#standalone-scripts)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](#contributing)\n[![Stars](https://img.shields.io/github/stars/adityaarsharma/wordpress-malware-removal?style=social)](https://github.com/adityaarsharma/wordpress-malware-removal/stargazers)\n\nThree things every WordPress owner needs, in one open-source tool:\n\n- **Audit** — how hackable is your site *right now*? A read-only security posture score (vulnerable plugins, exposure, code risk, hardening state) with a ranked fix list.\n- **Remove** — if it's already hacked, clean it — including the **hidden** stuff scanners miss (cloaking, web-root backdoors, database injections), safely, and find out how they got in.\n- **Harden** — lock the doors so it doesn't happen again (2FA, permissions, REST/XML-RPC, and more) — applied safely, reversible.\n\nIt looks at your site the way **Google and an attacker** do — not just the way a browser does — cleans **safely** (it won't touch a thing until *you've* taken a backup, nothing deleted blind, auto-rollback if a change breaks the site), and always tells you **how they got in**.\n\n**Free · open-source (AGPL-3.0) · runs with any AI coding agent — Claude Code, Cursor, Codex, or any MCP client.**\n\n\u003c/div\u003e\n\n---\n\n## Install (30 seconds)\n\n```bash\ngit clone https://github.com/adityaarsharma/wordpress-malware-removal.git\ncd wordpress-malware-removal\n./install.sh                 # installs all three skills into ~/.claude/skills\n```\n\nOptions: `./install.sh --dir PATH` (custom skills dir for Codex/Cursor/other), `--skill wp-hardening`\n(install one), `--list` (preview), `--uninstall`. Re-run any time to update. Helper scripts need Python\n3.8+ and have **zero third-party dependencies**.\n\nThis installs **three self-contained, gateway-agnostic skills** — each runs over any SSH+WP-CLI or any\nWordPress MCP (SproutOS recommended):\n\n| Skill | Ask it | What it does |\n|---|---|---|\n| **wp-security-audit** | \"How hackable is this site?\" | Read-only A–F posture score: vulns + code + exposure + ranked fixes. Touches nothing. |\n| **wp-malware-removal** | \"This site is hacked — clean it\" | 12-layer forensic scan → verify → quarantine-first removal → prove clean → entry vector. |\n| **wp-hardening** | \"Lock the doors\" | Idempotent, reversible hardening — auto-applies safe fixes, asks before risky ones. |\n\n---\n\n## Table of contents\n\n- [Install](#install-30-seconds)\n- [What it does](#what-it-does)\n- [Works with your AI agent](#works-with-your-ai-agent)\n- [How it compares](#how-it-compares)\n- [How to use it](#how-to-use-it)\n- [Keeping it updated](#keeping-it-updated)\n- [How it works (the 12-layer scan)](#how-it-works)\n- [Connecting your site (gateways)](#connecting-your-site)\n- [What it detects (38 families)](#what-it-detects)\n- [Standalone scripts](#standalone-scripts)\n- [How it cleans safely](#how-it-cleans-safely)\n- [Documentation](#documentation)\n- [FAQ](#faq)\n- [A real example](#a-real-example)\n- [Contributing](#contributing)\n- [License](#license)\n\n---\n\n## What it does — three modes\n\n| Mode | When | What it does |\n|---|---|---|\n| **Audit** | \"Am I safe?\" | Read-only posture check → an **A–F score** + ranked fixes. Cross-checks your plugins/themes against **known vulnerabilities**, tests **exposure** (REST user-leaks, XML-RPC, public `debug.log`, security headers…), audits **risky code**, and reports **hardening state**. Weighted so credential hygiene (**2FA**) counts most — stolen logins are the #1 real breach vector. |\n| **Remove** | \"I'm hacked\" | Deep-cleans malware — including the **hidden** stuff scanners miss: SEO-spam **cloaking**, the **Japanese keyword hack**, redirect malware, web-shells, and backdoors. Backs up first, **quarantines instead of deleting**, auto-rolls-back if a change breaks the site, and reconstructs **how the attacker got in**. |\n| **Harden** | \"Lock it down\" | Applies hardening **safely** — the reversible, low-risk fixes automatically (file permissions, disable file editing, security headers, block PHP in uploads), and **asks before** anything that could break a plugin (XML-RPC off, REST restriction, 2FA enforcement). |\n\nNot sure which you need? Run **Audit** first — it tells you whether to Remove, Harden, or relax.\n\n---\n\n## Works with your AI agent\n\nNot just Claude. This is designed to be **agent-agnostic**:\n\n- **The Python scripts run on their own** — no AI needed. Scan, detect cloaking, verify core integrity, and check vulnerabilities straight from your terminal.\n- **The cleanup methodology works with any capable AI coding agent** — Claude Code, Cursor, Codex, or anything that can read a project and run commands. Point your agent at this repo and ask it to scan or clean.\n- **It connects to your site over MCP** (an open standard) or SSH — so any MCP-compatible client can drive it. [SproutOS](https://github.com/posimyth/sproutos) is the recommended gateway (no SSH needed).\n- **Claude Code gets the tightest fit** — it loads this as a native skill, so a plain \"scan my site\" just works.\n\nOne tool, your choice of agent. Nothing here is locked to a single vendor.\n\n---\n\n## How it compares\n\nThese are all good tools that do different things. The table describes each one's **publicly documented approach** — it's a comparison of design, not a claim that any product is better or worse. Run this **alongside** your existing security plugin; a second, independent look never hurts.\n\n| | Manual cleaning | Wordfence | MalCare | Sucuri | This tool |\n|---|---|---|---|---|---|\n| **What it is** | Do-it-yourself | Security plugin | Plugin + cloud | Plugin + remote service | AI agent / Claude skill |\n| **Where it works** | You, on the server | Inside WordPress | Synced copy on its cloud | Remote scan + cloud firewall | Over a connection or SSH — whole server |\n| **How it finds malware** | Your own inspection | Signature matching | Behavioral signals | Signatures + remote checks | Reads each file in context |\n| **Looks at** | Wherever you look | WordPress files \u0026amp; DB | WordPress files \u0026amp; DB | Public pages + files (with agent) | Whole server, DB, logs, users |\n| **Checks pages as Googlebot** \u003cbr\u003e\u003csub\u003e(spam shown only to Google)\u003c/sub\u003e | Only if you know to | Scans files, not a crawler fetch | Scans files on its cloud | Remote scanner reads public pages | Yes — as Googlebot \u0026amp; at the origin |\n| **Scans outside `wp-content`** | If you check there | WordPress-focused | WordPress-focused | Public URLs; server scan via agent | Yes — web root and above |\n| **Explains how the site was hacked** | Only if you dig through logs | Live traffic / login logging | Activity-log add-on | Post-hack analysis (paid) | Built-in log forensics + free vuln check |\n| **Reduces false alarms** | Depends on your skill | Pattern rules | Signal scoring | Signature rules | Reads each file before flagging |\n| **Risk of breaking the site** | High — easy to delete the wrong file | Low–medium | Low | Low | Low — backup, quarantine, auto-rollback |\n| **Skill required** | High | Low | Low | Low | Low — the AI drives it |\n| **Undo / rollback** | Your own backups | Manual restore | Restore from backup | Restore from backup | Quarantine + automatic rollback |\n| **Open source** | n/a | Free plugin is GPL | Plugin GPL; engine proprietary | Plugin GPL; platform proprietary | Fully open (AGPL-3.0) |\n| **Price** | Your time | Freemium | Freemium | Paid platform (free remote scan) | Free |\n\n\u003csub\u003eComparison of each option's \u003cb\u003epublicly documented approach\u003c/b\u003e as of 2026, for orientation only — not a claim that any product is better or worse, and features change often, so please check current versions. Product names are trademarks of their respective owners. These tools are complementary; running an independent second scan is always sensible.\u003c/sub\u003e\n\n**What this tool adds on top:** it checks your pages **as a search engine** (to catch spam shown only to Google), scans **outside** `wp-content` (web root and above), removes threats **quarantine-first** with an automatic health check, and explains **how the site was hacked**.\n\n---\n\n## How to use it\n\n**Step 1 — Get it.**\n\n```bash\ngit clone https://github.com/adityaarsharma/wordpress-malware-removal.git\n```\n\n**Step 2 — Point your agent at it.**\n\n- **Claude Code** (native skill): `ln -s \"$(pwd)/wordpress-malware-removal\" ~/.claude/skills/wordpress-malware-removal`\n- **Cursor / Codex / other agents**: open the folder in your agent and tell it to follow `SKILL.md`.\n- **No agent**: run the [scripts](#standalone-scripts) directly.\n\n**Step 3 — Connect your site** (see [gateways](#connecting-your-site)) — SproutOS (no SSH) or SSH.\n\n**Step 4 — Just ask** (or run the scripts):\n\n\u003e *\"Scan example.com for malware\"*\n\u003e *\"My site shows gambling spam in Google — clean it\"*\n\u003e *\"Remove the Japanese keyword hack\"*\n\u003e *\"How was this site hacked?\"*\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOptional: find the entry point with the free Wordfence vulnerability feed\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nThe free [Wordfence Intelligence](https://www.wordfence.com/threat-intel/) feed (free account, no usage cap, commercial use allowed) lets the tool cross-check your installed plugins/themes against known vulnerabilities to find the likely way in.\n\n```bash\nexport WORDFENCE_API_KEY=your_free_key\n```\n\nThis is optional — the core malware detection works without it. Setup details: [references/wordfence-integration.md](references/wordfence-integration.md).\n\n\u003c/details\u003e\n\n---\n\n## Keeping it updated\n\nNew malware appears constantly, so the detection is built to grow.\n\n- **Update the tool:** `git pull` — you get the latest detection patterns and fixes.\n- **Vulnerability data updates itself:** the Wordfence feed refreshes automatically (force it with `python3 scripts/wordfence_client.py --refresh`).\n- **Add your own patterns:** the signature list ([`scripts/signatures.json`](scripts/signatures.json)) is easy to extend, and a built-in test corpus + CI make sure a new pattern catches real malware without flagging clean code. Full guide: [references/growing-the-database.md](references/growing-the-database.md).\n\nContributions welcome — [open a PR or an issue](#contributing).\n\n---\n\n## How it works\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eThe 12-layer forensic scan\u003c/b\u003e — click to expand\u003c/summary\u003e\n\n\u003cbr\u003e\n\nEvery scan runs these layers (each degrades gracefully to the access you actually have). Full commands per layer: [references/detection-playbook.md](references/detection-playbook.md).\n\n| # | Layer | What it checks |\n|---|---|---|\n| 1 | **External cloaking** | Fetches pages as Googlebot vs a browser (and at the origin behind your CDN) to catch spam shown only to search engines |\n| 2 | **Web-root sweep** | Files/folders outside `wp-content` — where a lot of malware hides |\n| 3 | **Core integrity** | Modified or extra WordPress core files |\n| 4 | **Plugin/theme integrity** | Nulled/hidden plugins, injected code, fake plugins, unauthenticated REST routes |\n| 5 | **Uploads** | Executable PHP where it shouldn't be |\n| 6 | **mu-plugins \u0026amp; drop-ins** | `db.php`, `object-cache.php`, must-use plugins that load on every request |\n| 7 | **Web-shells \u0026amp; backdoors** | File managers and tiny auto-login backdoors |\n| 8 | **Obfuscation** | `eval(base64…)`, packed/encoded code |\n| 9 | **Database** | Injection in posts, options, users, redirects, and log tables |\n| 10 | **Persistence** | Cron, `.htaccess`, PHP prepend, stream-wrappers, server-level backdoors |\n| 11 | **Users \u0026amp; sessions** | Unexpected admins, rogue application passwords |\n| 12 | **Log forensics** | Reconstructs the attack timeline and finds the entry point + attacker IP |\n\nFlow:\n\n```\nScan (12 layers) -\u003e verify each finding in context (reduce false alarms) -\u003e back up -\u003e\nquarantine -\u003e health-check + rollback -\u003e re-check as Googlebot -\u003e harden -\u003e report\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHow it decides what's malware (the no-false-alarm step)\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nIt never deletes on a pattern match alone. For every suspicious item it:\n\n1. **Reads the actual file/row in context** and decides, like an engineer, whether it's malicious or legitimate (a minified library, a code-snippet plugin, an AMP handler, etc.).\n2. **Classifies** it as *confirmed*, *needs a human*, or *false alarm*. Only *confirmed* items are removed.\n3. **When unsure, it flags for review** instead of deleting. A file it leaves for you is recoverable; a wrongly deleted file that breaks your site is not.\n\n\u003c/details\u003e\n\n---\n\n## Connecting your site\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eThree ways to connect (SproutOS recommended, none required)\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n| Gateway | Needs | Best for |\n|---|---|---|\n| **[SproutOS](https://github.com/posimyth/sproutos)** *(recommended)* | An Application Password | No SSH — connects right inside WordPress |\n| Any other WordPress MCP | The MCP connected | If you already run one |\n| **SSH + WP-CLI** | Shell access | Most complete access |\n\nSproutOS turns any WordPress site into an MCP server over an Application Password — no SSH needed. It's a **doorway, not a dependency**. Command mapping for each gateway: [references/mcp-gateways.md](references/mcp-gateways.md).\n\n\u003c/details\u003e\n\n---\n\n## What it detects\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e38 malware families\u003c/b\u003e — click to expand\u003c/summary\u003e\n\n\u003cbr\u003e\n\nSEO-spam cloaking · the Japanese keyword hack · pharma \u0026amp; gambling spam · redirect malware · web-shells · auto-login backdoors · uploader scripts · PHP stream-wrapper payloads hidden in images · fake \"core function\" loaders that rebuild from the database · unauthenticated REST-route backdoors · PHP object injection · `wp-config.php` injection · malicious `.htaccess` rules and `DirectoryIndex` hijacks · `?g=` query-string spam · malicious cron jobs · unexpected admin accounts · rogue application passwords · card skimmers · cryptominers · SSH-key backdoors · files disguised as images · core-filename typosquats · double-extension shells · injected sitemaps · server-level persistence · and more.\n\nFull, explained list: [references/signature-library.md](references/signature-library.md) · the deep-dive on each family and how it hides: [references/malware-families.md](references/malware-families.md).\n\n\u003c/details\u003e\n\n---\n\n## Standalone scripts\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eRun the engine directly — zero dependencies, stock Python 3\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nYou don't need Claude to use the core scripts:\n\n```bash\n# 1. Check for spam shown only to search engines, across your whole sitemap\npython3 scripts/cloaking_diff.py --sitemap https://example.com/sitemap.xml --origin-ip 1.2.3.4\n\n# 2. Deep-scan a WordPress folder for the 38 malware families\npython3 scripts/scan_patterns.py /path/to/wordpress --since 2026-06-14 --json findings.json\n\n# 3. Check installed plugins/themes against known vulnerabilities (free Wordfence feed)\npython3 scripts/wordfence_client.py --installed installed.json\n```\n\n| Script | Mode | What it does |\n|---|---|---|\n| `scripts/cloaking_diff.py` | Clean | Detects cloaking (bot vs browser, origin vs CDN, JS-redirect) |\n| `scripts/scan_patterns.py` | Clean | Pattern-scans a WordPress tree for malware candidates |\n| `scripts/safety_gate.py` | Remove/Harden | Refuses to act until *you* register a fresh backup → quarantine (never deletes) → auto-rollback |\n| `scripts/reinstall_clean.py` | Remove | Verifies core/plugins against official checksums; reinstalls from clean source |\n| `scripts/harden_actions.py` | Harden | 20 idempotent, reversible hardening actions (SAFE/RISKY/MANUAL); sentinel-wrapped, per-action rollback |\n| `scripts/hardening_audit.py` | Audit | Read-only config/exposure check (REST user-enum, XML-RPC, debug.log, headers…) |\n| `scripts/code_auditor.py` | Audit | Audits plugin/theme/custom code for vulnerabilities (SQLi, XSS, CSRF, access control…) |\n| `scripts/wordfence_client.py` | Audit | Matches installed versions against known CVEs |\n| `scripts/posture_score.py` | Audit | Aggregates findings into an A–F security score + ranked fixes |\n| `scripts/signatures.json` / `audit_rules.json` | — | The malware + code-audit pattern databases |\n\n\u003c/details\u003e\n\n---\n\n## How it cleans safely\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eThe \"don't break the site\" protocol\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n- **Requires a fresh backup before it will touch anything** — *you* (or your host) take the backup; the tool does **not** create it for you. It then **refuses to delete anything until that backup is registered** and is under 24h old (enforced in code by `safety_gate.py`, not just a guideline). Read-only **Audit / Review never touch the site**, so they need no backup — the reminder is only for a destructive clean.\n- For malware injected into **real WordPress/plugin files**, it **replaces them from the official clean source** (`reinstall_clean.py`) instead of risky hand-editing.\n- **Moves** standalone bad files to a quarantine folder — it doesn't delete them.\n- **Checks the site still loads** after every change; if a change breaks something, it restores the file automatically.\n- **Asks you before anything permanent.**\n- **Re-checks as Googlebot** to confirm the spam is actually gone.\n\nIt aims to remove every infection it finds and leave the site working. No scanner can promise a site is *permanently* clean against future or unknown attacks, so it's honest about that: it lists anything it couldn't fully check and suggests a follow-up scan a day or two later to catch anything that tries to come back. Full protocol: [references/remediation-playbook.md](references/remediation-playbook.md).\n\n\u003c/details\u003e\n\n---\n\n## Documentation\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAll guides — click to expand\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n| Document | What's inside |\n|---|---|\n| [SKILL.md](SKILL.md) | Suite router — points to the three skills |\n| [skills/wp-security-audit/SKILL.md](skills/wp-security-audit/SKILL.md) | The read-only audit methodology (A–F posture) |\n| [skills/wp-malware-removal/SKILL.md](skills/wp-malware-removal/SKILL.md) | The 12-layer clean methodology |\n| [skills/wp-hardening/SKILL.md](skills/wp-hardening/SKILL.md) | The safe/reversible hardening methodology |\n| [ROADMAP.md](ROADMAP.md) | What's shipped and what's next |\n| [SPEC.md](SPEC.md) | Product \u0026amp; security specification |\n| [docs/research-2026-07-wp-security.md](docs/research-2026-07-wp-security.md) | Sourced research behind detection, hardening \u0026amp; audit |\n| [references/gateway.md](references/gateway.md) | Reaching the site over SproutOS / any WP MCP / SSH+WP-CLI |\n| [references/detection-playbook.md](references/detection-playbook.md) | Every layer's commands, per gateway |\n| [references/remediation-playbook.md](references/remediation-playbook.md) | Safe removal: backup → quarantine → verify → rollback |\n| [references/hardening.md](references/hardening.md) | The SAFE/RISKY/MANUAL hardening control reference |\n| [references/cloaking-detection.md](references/cloaking-detection.md) | The bot-vs-browser method in depth |\n| [references/malware-families.md](references/malware-families.md) | The malware families + 2026 threat landscape |\n| [references/signature-library.md](references/signature-library.md) | Human-readable signature list |\n| [references/edge-cases.md](references/edge-cases.md) | Multisite, custom prefixes, reinfection, safeguards |\n| [references/mcp-gateways.md](references/mcp-gateways.md) | Connecting via SproutOS / other MCP / SSH |\n| [references/wordfence-integration.md](references/wordfence-integration.md) | Free Wordfence feed setup |\n| [references/growing-the-database.md](references/growing-the-database.md) | How to grow the vulnerability + attack-pattern coverage |\n| [references/incident-case-study.md](references/incident-case-study.md) | A real hack, start to finish |\n\n\u003c/details\u003e\n\n---\n\n## FAQ\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHow do I remove the Japanese keyword hack?\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nConnect the tool to your site and say *\"remove the Japanese keyword hack.\"* It looks for the spam pages that appear only to search engines, rogue sitemaps, `.htaccess` tricks, and database injections, cleans them safely, and re-checks as Googlebot to confirm they're gone.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eMy WordPress site redirects visitors to spam. Can it help?\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nYes — it looks for redirect code in `.htaccess`, the database, theme files, and injected JavaScript, including redirects that only trigger on mobile or for search engines.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eMy scanner says the site is clean, but Google flags it. Why?\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nSome infections (called *cloaking*) show spam only to search engines and clean content to everyone else — including scanners. This tool checks your pages *as Googlebot*, which is how it can spot that kind of infection.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDoes it work without SSH?\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nYes. Connect [SproutOS](https://github.com/posimyth/sproutos) (over an Application Password) and it runs without shell access.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eWill it break my site?\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nIt's designed not to: it backs up first, quarantines instead of deleting, and checks the site after every step, restoring anything that causes a problem.\n\n\u003c/details\u003e\n\n---\n\n## A real example\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eA hidden gambling-spam infection a normal scan didn't catch\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nA live WordPress site was infected with gambling spam that **only appeared in Google search results** — the site looked completely normal to visitors and to the security scanner that was active on it. The malware was hiding in folders **outside** `wp-content`, plus a tiny backdoor file that kept letting the attacker back in.\n\nThis tool is built to find exactly that kind of hidden infection. The full, step-by-step write-up is included as a worked example and regression test: [references/incident-case-study.md](references/incident-case-study.md).\n\n\u003c/details\u003e\n\n---\n\n## Contributing\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eNew detection patterns are always welcome\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\nMalware changes constantly. The pattern list ([`scripts/signatures.json`](scripts/signatures.json)) is easy to extend — add a family, add a safeguard against false alarms, and open a PR. Found something it missed? [Open an issue](https://github.com/adityaarsharma/wordpress-malware-removal/issues) with a sanitized sample.\n\n**If this helped you, a star helps others find it.**\n\n\u003c/details\u003e\n\n---\n\n## Works well alongside\n\n[Wordfence](https://www.wordfence.com/), [MalCare](https://www.malcare.com/), and [Sucuri](https://sucuri.net/) are well-known WordPress security tools; running an independent second scan is always sensible. This project uses [SproutOS](https://github.com/posimyth/sproutos) as its recommended gateway and the free [Wordfence Intelligence](https://www.wordfence.com/threat-intel/) vulnerability feed.\n\n## License\n\n[AGPL-3.0-or-later](LICENSE). Strong copyleft: you're free to use, modify, and self-host it, but if you run a **modified** version as a network service, you must share your source. This keeps hosted derivatives open.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\u003csub\u003eBuilt by \u003ca href=\"https://adityaarsharma.com\"\u003eAditya Sharma\u003c/a\u003e\u003c/sub\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadityaarsharma%2Fwordpress-malware-removal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadityaarsharma%2Fwordpress-malware-removal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadityaarsharma%2Fwordpress-malware-removal/lists"}