Most WordPress hacks contain certain PHP code. It’s always better to catch the hack as soon as you can: before customers start to ring, and before the hack spreads and causes worse problems.
The following is a bash script that you can use to find potentially hacked WordPress accounts.
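#!/bin/bash
# Stage 1: recently modified PHP files with eval( on a line that does not start with '#'.
# Stage 2: of those, files that also call str_replace(, gzinflate( or base64_decode(.
# -print0 / -0 / -Z keep file names with spaces intact; -r skips grep when nothing is found.
if find /home/ -mtime -1 -type f -name '*.php*' -print0 |
    xargs -0 -r grep -P -l -Z '^(?=[\s]*+[^#])[^#|^\*]*(eval *\()' |
    xargs -0 -r grep -l -E "str_replace *\(|gzinflate *\(|base64_decode *\(" |
    grep -v -f /etc/scripts/findPhpHackedFiles.exclude; then
    echo found hacked files
    # send an email alert or similar
fi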
The -1 above is the number of days to check. If you run the script from /etc/cron.daily/, then -1 is appropriate.
You need an exclude file, as some common plugins behave like hacked code. Here are some of the entries you’ll need, one per line:
virtfs
quarantine
plugins/worker/functions.php
beaver
thrive
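The scan above as a reusable function, run against a constructed sample tree to show what each stage reports and what it skips. This is an added example, not the original post's script; the function names scan_php and demo_scan, their arguments, and all sample files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the post's own script. Function names, arguments and
# all sample files below are constructed for illustration.

# scan_php ROOT DAYS EXCLUDE_FILE: print suspicious paths, exit 0 if any found.
scan_php() {
    find "$1" -mtime "-$2" -type f -name '*.php*' -print0 |
        xargs -0 -r grep -P -l -Z '^(?=[\s]*+[^#])[^#|^\*]*(eval *\()' |
        xargs -0 -r grep -l -E 'str_replace *\(|gzinflate *\(|base64_decode *\(' |
        grep -v -f "$3"
}

# Build a throwaway tree, scan it, and print the sorted hits.
demo_scan() {
    local dir out
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/site/wp-content/uploads" "$dir/site/wp-content/plugins/worker"
    # Hit: eval( and base64_decode( in a freshly written file.
    printf '%s\n' '<?php' "eval(base64_decode('Y29uc3RydWN0ZWQ='));" \
        > "$dir/site/wp-content/uploads/x.php"
    # Same content, but the path matches an exclude entry.
    cp "$dir/site/wp-content/uploads/x.php" \
        "$dir/site/wp-content/plugins/worker/functions.php"
    # Skipped: the eval( line starts with '#', so stage one ignores it.
    printf '%s\n' '<?php' "# eval(base64_decode('Y29uc3RydWN0ZWQ='));" \
        > "$dir/site/commented.php"
    # Skipped: base64_decode( alone, no eval(.
    printf '%s\n' '<?php' '$data = base64_decode($input);' > "$dir/site/clean.php"
    # Exclude file: one pattern per line, as grep -f requires.
    printf '%s\n' virtfs quarantine plugins/worker/functions.php beaver thrive \
        > "$dir/exclude.txt"
    # Scan with relative paths so the temp directory name cannot hit an exclude.
    out=$(cd "$dir" && scan_php . 1 exclude.txt | sort)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

demo_scan
```

Only ./site/wp-content/uploads/x.php is reported: the worker plugin copy is dropped by the exclude file, and the other two files never pass the first grep.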