Note: This post refers to Wordfence CLI, the command line tool for operations teams to rapidly scan large numbers of WordPress websites for vulnerabilities and malware, not the Wordfence plugin which is deeply integrated into WordPress and provides additional functionality, like a firewall, two-factor authentication and more.
We’re excited today to announce Wordfence CLI 3.0.1, codename “Ghost Rider” which has a much requested new feature: automatic remediation! Wordfence CLI can scan thousands of sites at once, and uncover massive infections. Automatic remediation provides a way to remove this malware en masse. Any malware found by Wordfence CLI in existing WordPress files can be automatically removed by restoring the file to its original contents.
We’ve seen other server based malware scanners use more destructive methods of malware removal, such as deleting or chmod’ing files containing malware that causes production sites to whitescreen, since the file containing the malware is a WordPress core file. Automatic remediation in Wordfence CLI is designed specifically to prevent this scenario while removing the underlying malware infection.
Automatically Clean Infected WordPress Files
Here’s an example of automatic remediation in action.
wordfence malware-scan –output-columns filename -m null-delimited /var/www/wordpress | wordfence remediate
This command runs Wordfence CLI’s malware scan on the path /var/www/wordpress. Any malware found will be sent to the wordfence remediate command which performs the automatic repair of the file if it belongs to the WordPress installation.
How It Works
At Wordfence, we maintain a copy of the WordPress plugins, themes, and core source code repositories. When running wordfence remediate, CLI checks if the file containing malware exists in our copy at the path for the plugin/theme/core version. If it’s found, CLI restores the original contents of the file. Any file that doesn’t exist in our copy of the repository is passed back to stdout to be handled separately. The Wordfence plugin has a “Repair” resolution for scan results that performs the same action.
Repair Everything Repairable, and Delete Everything Else
We do recommend reviewing the scan results prior to deleting any files from a production system. That being said, if you do want to perform an automatic repair followed by deleting any files not part of the WordPress installation, you can use the following command:
wordfence malware-scan –output-columns filename -m null-delimited /var/www/wordpress | wordfence remediate –output-columns path -m null-delimited -u | xargs -0 rm
This runs Wordfence CLI’s malware scan and remediation on a WordPress installation under /var/www/wordpress and automatically repairs any files infected with malware. Any additional files are piped to rm for deletion.
In today’s post we detailed an exciting new feature in Wordfence CLI that will help administrators remove malware from their systems without causing an outage. For instructions on how to upgrade your existing Wordfence CLI installation, view our documentation here.
The post Introducing Wordfence CLI 3.0.1: Now With Automatic Remediation! appeared first on Wordfence.