Introducing Wordfence CLI 3.0.1: Now With Automatic Remediation!

Note: This post refers to Wordfence CLI, the command line tool for operations teams to rapidly scan large numbers of WordPress websites for vulnerabilities and malware, not the Wordfence plugin which is deeply integrated into WordPress and provides additional functionality, like a firewall, two-factor authentication and more.

We’re excited today to announce Wordfence CLI 3.0.1, codename “Ghost Rider”, which has a much-requested new feature: automatic remediation! Wordfence CLI can scan thousands of sites at once and uncover massive infections. Automatic remediation provides a way to remove this malware en masse. Any malware found by Wordfence CLI in existing WordPress files can be automatically removed by restoring the file to its original contents.

We’ve seen other server-based malware scanners use more destructive methods of malware removal, such as deleting or chmod’ing files containing malware, which causes production sites to whitescreen because the file containing the malware is a WordPress core file. Automatic remediation in Wordfence CLI is designed specifically to prevent this scenario while removing the underlying malware infection.

Automatically Clean Infected WordPress Files

Here’s an example of automatic remediation in action.

wordfence malware-scan --output-columns filename -m null-delimited /var/www/wordpress | wordfence remediate

This command runs Wordfence CLI’s malware scan on the path /var/www/wordpress. The filename of each file found to contain malware is sent to the wordfence remediate command, which automatically repairs the file if it belongs to the WordPress installation.

How It Works

At Wordfence, we maintain a copy of the WordPress plugins, themes, and core source code repositories. When running wordfence remediate, CLI checks if the file containing malware exists in our copy at the path for the plugin/theme/core version. If it’s found, CLI restores the original contents of the file. Any file that doesn’t exist in our copy of the repository is passed back to stdout to be handled separately. The Wordfence plugin has a “Repair” resolution for scan results that performs the same action.

Repair Everything Repairable, and Delete Everything Else

We do recommend reviewing the scan results prior to deleting any files from a production system. That being said, if you do want to perform an automatic repair followed by deleting any files not part of the WordPress installation, you can use the following command:

wordfence malware-scan --output-columns filename -m null-delimited /var/www/wordpress | wordfence remediate --output-columns path -m null-delimited -u | xargs -0 rm

This runs Wordfence CLI’s malware scan and remediation on a WordPress installation under /var/www/wordpress and automatically repairs any files infected with malware. Any additional files are piped to rm for deletion.
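For teams that want the review step recommended above before anything is deleted, here is an added example (not part of Wordfence CLI or the original post) that saves the unrepaired paths, shows them for review, and then moves them into a quarantine directory instead of piping them to rm. The function names, the unrepaired.nul file and the quarantine path are hypothetical; the wordfence flags are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: review, then quarantine, the files `wordfence remediate`
# could not repair. Step 1 needs Wordfence CLI and uses the flags shown above:
#   wordfence malware-scan --output-columns filename -m null-delimited /var/www/wordpress \
#     | wordfence remediate --output-columns path -m null-delimited -u > unrepaired.nul
# Step 2: review_nul_paths < unrepaired.nul
# Step 3: quarantine_nul_paths /var/quarantine/scan-1 < unrepaired.nul
# (unrepaired.nul and /var/quarantine/scan-1 are hypothetical names.)

# Print a NUL-delimited path list one path per line for human review.
# A newline embedded in a path is shown as '?' so it cannot forge a list entry.
review_nul_paths() {
    tr '\n\0' '?\n'
}

# Move every regular file named on stdin (NUL-delimited) under QDIR, keeping
# its full original path so it can be examined or restored later.
quarantine_nul_paths() {
    qdir=$1
    [ -n "$qdir" ] || { echo "usage: quarantine_nul_paths QDIR" >&2; return 2; }
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    # xargs -0 keeps paths with spaces or newlines intact, as in the rm pipeline.
    xargs -0 sh -c '
        qdir=$1; shift
        for f in "$@"; do
            [ -f "$f" ] || continue          # already gone, or not a regular file
            case $f in
                /*) dest=$qdir$f ;;          # absolute path: mirror it under QDIR
                *)  dest=$qdir/$f ;;
            esac
            mkdir -p "$(dirname "$dest")" &&
            mv -- "$f" "$dest" &&
            chmod 400 "$dest" &&             # keep as read-only evidence
            printf "%s\0" "$f" >> "$qdir/MANIFEST.nul"
        done
    ' sh "$qdir"
}
```

Keep the quarantine directory outside the web root so the moved PHP files can no longer be requested or included by the site.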


In today’s post we detailed an exciting new feature in Wordfence CLI that will help administrators remove malware from their systems without causing an outage. For instructions on how to upgrade your existing Wordfence CLI installation, view our documentation here.



  • It is good that you made it. This feature is very effective for malware. As a WordPress website developer, as well as a malware cleaning person, I do the same thing as this feature does.

    But in the past few months I saw some malware code written in the wflogs folder. (I sent it to the Wordfence team. I don't know if they saw those files or not.) But I would like it if you made a feature that detects malware in the Wordfence plugin (in case the Wordfence plugin's files are infected by malware). How is it?

    Overall this feature will help a lot. I will definitely use it.

    Also, I have a request: if you leave malware signatures after 15 days instead of 30 days, then it will be better for the free version of Wordfence.

    WordPress website developer.

    • Hi Zeeshan, we've seen malware hide itself in a variety of files in WordPress including the wflogs directories. Any PHP file that's included in WordPress's execution is a valid target. It's one of the reasons we've built out automatic remediation, to help address that scenario.

  • Hi Matt, awesome thanks. Our clients have been under attack last week, with us needing to recover around 4 sites. In all cases it was an SQL injection through some XSS vulnerability.

    I feel like currently one of the "tools" missing for me is effectively "sounding the alarm" or applying some kind of action when the site has been hacked. But in 90% of the cases we get notified by the client that something is wrong.

    How can all of us detect something is not correct with our websites more effectively? Obviously a scan can detect, but not always.

    For example if we used the CLI to restore a site, would we need to create a script of our own that monitors a "healthy frontpage" and if a "broken" frontpage is detected it executes some commands?

    Thanks and warm regards

    • Hi Julien, Wordfence CLI can email you in the event it finds malware during a scan which would "sound the alarm". If you are looking more for something like an uptime health check for a site, there are services like BetterUptime that can do this.

  • Does the Wordfence Premium already have the Wordfence CLI installed?