WP-CLI lets you verify the integrity of WordPress core files as well as plugins. This means that if a file was tampered with, WP-CLI can tell you. It also will detect files that exist within WordPress core or a plugin that shouldn’t be there.
While this type of check isn’t going to be as thorough as a full security scan, it does cover a lot of ground and can be a quick way to alert you of issues. Also, it can be a great way of checking if a security plugin has been compromised.
We only have to use two WP-CLI commands. First, we’ll check the integrity of WordPress core.
wp core verify-checksums --version=$(wp core version)
The core verify-checksums command will detect your current WordPress version and verify the checksums for WordPress core to validate the integrity of your installation.
Just because a file exists that doesn’t belong, it doesn’t always mean that it was put there maliciously. For example, if you were to manually update the WordPress core files by copying a fresh install over top of an existing one, there may be some files left behind that were deleted from WordPress core by the new version. These are not malicious, but should probably be removed.
However, it is common for malicious files to be disguised as WordPress core files. Typically these files will have names that are similar to known core files, so don’t let your guard down just because a file name looks legit.
Next, we’ll check the integrity of the WordPress plugins.
wp plugin verify-checksums --all
The plugin verify-checksums command will run through all of your WordPress plugins and verify the checksums for the specific versions you have installed. This command will only be able to check plugins that exist on the WordPress.org plugin directory. If you are running premium plugins that you’ve obtained from other locations, then those won’t be checked.
As always, it is a good idea to backup your files before you go deleting things. Even if your site is hacked, you should back it up before fixing it. This allows you to fix the site quickly and then go back to the hacked code later and take your time to look at the malicious code, what it is doing, and help determine how your system might have been compromised. As with any hacked site, it is possible that a malicious file could have unlocked a backdoor somewhere else, so understanding the extent of the issue is important.