{"id":20217671,"url":"https://github.com/pforret/wp_cleanup","last_synced_at":"2026-05-07T00:37:44.530Z","repository":{"id":144772989,"uuid":"235206578","full_name":"pforret/wp_cleanup","owner":"pforret","description":"Script to clean up infected WordPress installations","archived":false,"fork":false,"pushed_at":"2023-04-12T19:34:22.000Z","size":361,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-13T06:09:31.948Z","etag":null,"topics":["bash","bashew","cleanup","hacking","security","wordpress"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pforret.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-20T21:57:06.000Z","updated_at":"2025-07-14T00:49:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"db2ea164-fdea-476a-a12d-ca0ec80200bd","html_url":"https://github.com/pforret/wp_cleanup","commit_stats":null,"previous_names":["pforret/repair_wp_hack"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/pforret/wp_cleanup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pforret%2Fwp_cleanup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pforret%2Fwp_cleanup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pforret%2Fwp_cleanup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pforret%2Fwp_cleanup/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pforret","download_url":"https://codeload.github.com/pforret/wp_cleanup/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pforret%2Fwp_cleanup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32528223,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-02T01:12:54.858Z","status":"online","status_checked_at":"2026-05-02T02:00:05.923Z","response_time":132,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","bashew","cleanup","hacking","security","wordpress"],"created_at":"2024-11-14T06:35:02.971Z","updated_at":"2026-05-02T08:32:33.169Z","avatar_url":"https://github.com/pforret.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"![GH stars](https://img.shields.io/github/stars/pforret/wp_cleanup)\n![GH tag](https://img.shields.io/github/v/tag/pforret/wp_cleanup)\n![Shellcheck CI](https://github.com/pforret/wp_cleanup/workflows/Shellcheck%20CI/badge.svg)\n![GH Language](https://img.shields.io/github/languages/top/pforret/wp_cleanup)\n![GH License](https://img.shields.io/github/license/pforret/wp_cleanup)\n[![basher install](https://img.shields.io/badge/basher-install-white?logo=gnu-bash\u0026style=flat)](https://basher.gitparade.com/package/)\n\n# WP CLEANUP\n\n    Script to clean up infected WordPress installations\n\n![](assets/cleanup.jpg)\n\n## 
When to use this\nWhen your WordPress installation has been hacked, and one or more WordPress source code files have been changed.\nThe effect could be that\n* your site is still accessible, but when you try to access `/wp-admin` you get a 403 (access denied) error\n* your site is off-line, gives an error 500 (server error), or shows an empty page, or a WordPress error \"_There has been a critical error on this website._\"\n* your site is still accessible but inserts malicious code that generates popup advertising or redirects to other websites\n\nYou should go and check the WordPress files with an SSH console or through an (s)FTP connection. Files that were installed by WordPress might have been changed by malicious code (virus/trojan/infection, whatever you want to call it).\n\nA typical example is the `./index.php` file. Normally it should only contain\n```php\n\u003c?php\n/**\n   comments don't really matter, there are only 2 lines of real code to be executed \n */\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n```\n\nSome viruses insert extra hard-to-read PHP code into `index.php`:\n```php\n\u003c?php\n $PxzcQOgNk = function($jWC9KOqRQtX9 ,$MDafuOVYz) {\n $lKnbe=\"_Qf5zyRU\";\n }\nreturn $lKnbe;\n(...)\nevAL($XG51n);; ?\u003e\u003c?php  define('WP_USE_THEMES', true );require(__DIR__.  
'/wp-blog-header.php' ); ?\u003e\n```\n\nThey might also create new files \n(like `admin.php`, which sounds official, but is not part of a normal WP installation), \nor new folders \n(like `psp/`, which again is not part of a normal WP installation).\n\nWhat you want to do in this case, is restore all WordPress source code files to their original state.\nThis is what this script does.\n\n## Installation \n* log in to your hacked server (via ssh)\n* cd to a folder where you have 'write' permissions\n\n```bash\ngit clone https://github.com/pforret/wp_cleanup\ncd wp_cleanup\n./wp_cleanup -W [WP folder] fix\n✅  WordPress installation moved to [_infected.20230412_1643]\n✴️: # this folder should not be in a WP install -- remove it!\n✴️: # rm -fr '.../unusualdir'\n✅  Wordpress 6.2 downloaded!\n✅  Wordpress system restored!\n✅  Copied from themes: testtheme  \n✅  Copied from plugins: testplugin  \n✅  Wordpress settings copied!\n✅  Wordpress .htaccess set!\n✅  --- Wordpress cleanup was done\nDo you want to compress the infected files? 
[y/N] Y \n✅  old WordPress moved to _infected.20230412_1643.zip\n```\n\nThis will\n* move your current (infected) WordPress files to a backup folder\n* replace your `wp-admin` and `wp-includes` folders with those of a fresh WordPress install\n* replace your wp-*.php files with those of a fresh WordPress install\n* recover your original `wp-config.php` file\n* recover your original `wp-content`: themes,plugins,uploads\n* reset your `.htaccess` file\n\n## Usage\n\n```\nProgram : wp_cleanup  by peter@forret.com\nVersion : v0.1.5 (2023-04-12 16:49)\nPurpose : clean up infected WordPress installations\nUsage   : wp_cleanup [-h] [-q] [-v] [-f] [-l \u003clog_dir\u003e] [-t \u003ctmp_dir\u003e] [-W \u003cWP\u003e] [-M \u003cMULTI\u003e] \u003caction\u003e\nFlags, options and parameters:\n    -h|--help        : [flag] show usage [default: off]\n    -q|--quiet       : [flag] no output [default: off]\n    -v|--verbose     : [flag] also show debug messages [default: off]\n    -f|--force       : [flag] do not ask for confirmation (always yes) [default: off]\n    -l|--log_dir \u003c?\u003e : [option] folder for log files   [default: /home/pforret/.wp_cleanup/log]\n    -t|--tmp_dir \u003c?\u003e : [option] folder for temp files  [default: /home/pforret/.wp_cleanup/tmp]\n    -W|--WP \u003c?\u003e      : [option] WordPress installation folder  [default: .]\n    -M|--MULTI \u003c?\u003e   : [option] Multi-site setup: subdomain/subfolder\n    \u003caction\u003e         : [choice] action to perform  [options: detect,fix,check,env,update]\n\n### TIPS \u0026 EXAMPLES\n* use wp_cleanup detect to check if there is an infected WP installation in that folder\n  wp_cleanup -W /home/sites/wp_1 detect\n* use wp_cleanup fix to run the cleanup (reinstall WP)\n  wp_cleanup -W /home/sites/wp_1 fix\n* use wp_cleanup check to check if this script is ready to execute and what values the options/flags are\n  wp_cleanup check\n* use wp_cleanup env to generate an example .env file\n  wp_cleanup env 
\u003e .env\n* use wp_cleanup update to update to the latest version\n  wp_cleanup update\n* \u003e\u003e\u003e bash script created with pforret/bashew\n* \u003e\u003e\u003e for bash development, also check IO:print pforret/setver and pforret/IO:progressbar\n```\n\n## Valuable articles\n* [RESOLVED: cutwin Javascript injection (WordPress)](https://wordpress.org/support/topic/resolved-cutwin-javascript-injection/)\n* [FAQ My site was hacked (WordPress)](https://wordpress.org/support/article/faq-my-site-was-hacked/)\n* [Removing Malicious Redirects From Your Site (WordFence)](https://www.wordfence.com/learn/removing-malicious-redirects-site/)\n* [How To Completely Clean Your Hacked WordPress Installation](https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)\n\n## Test your site\n\n* https://sitecheck.sucuri.net/ (site keeps a cached version of your site, use a random parameter ?test=7763 after the URL to get a new scan)\n* http://www.unmaskparasites.com/\n* https://www.virustotal.com/gui/home/url\n\n## Check if your site has been flagged as unsafe\n\n* https://transparencyreport.google.com/safe-browsing/search\n* https://global.sitesafety.trendmicro.com/\n* https://www.trustedsource.org/","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpforret%2Fwp_cleanup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpforret%2Fwp_cleanup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpforret%2Fwp_cleanup/lists"}