I have been involved with quite a few WordPress sites in the last 5 years and every so often one of the sites gets hacked (usually via some malfunction in a plugin or similar). Usually the result is one or more files getting installed in among the WordPress files – mostly to install a “backdoor” but lately also to use the site for crypto-mining.
During my time with these hacked websites, I have been collecting common identifiers for the malware being installed on the system. This ended up being quite a list of different identifiers and I ended up adding them to a script.
Every time I am asked to clean a hacked WordPress, the first thing I do is to run my script from the root folder of the WordPress installation. 90% of the time I find the malware that got installed. I still have to go through the changed files one by one but at least some or most of the malware is already gone at this point.
I have decided to release the script via GitHub – feel free to add patches or modify it to your liking (it isn’t exactly programmed to be smart/fast/small/whatever).
You can find my script here: https://github.com/kimusan/wp-cleaner
Let me know if you have ideas for how to improve it.