We Built an Open-Source MCP Server to Clean Malware From 17 WordPress Sites in One Day — Here’s Everything We Learned


The Day Everything Broke

On February 6, 2026, we woke up to a nightmare scenario. Seventeen WordPress sites — all managed by our agency — were compromised in what turned out to be a coordinated malware campaign. Hidden administrator accounts, file manager backdoors, password resets across every site, and fake plugins disguised with random folder names. The attackers had been thorough.

We had already documented the anatomy of these multi-vector WordPress malware attacks just days earlier — but this time it was our own sites in the crosshairs.

We needed a way to scan, clean, and harden all seventeen sites fast. Manual cleanup would take days. So we built something: an open-source Model Context Protocol (MCP) server that turns Claude Code (or Claude Desktop) into a full WordPress malware cleanup workstation. We’re releasing it publicly so every WordPress developer and agency can use it.

GitHub Repository: vapvarun/wp-malware-cleanup-mcp

What Is an MCP Server (And Why Should You Care)?

The Model Context Protocol (MCP) is an open standard created by Anthropic that lets AI assistants like Claude connect to external tools and data sources. Think of it as a plugin system for AI — instead of Claude just chatting, it can actually do things: run commands on servers, scan files, generate reports, and take action.

Our MCP server gives Claude the ability to:

  • SSH into your WordPress servers
  • Run WP-CLI commands remotely
  • Scan for 70+ known malware signatures
  • Quarantine malicious files (safely, with recovery)
  • Reinstall WordPress core and plugins from official sources
  • Harden security (passwords, salts, permissions, .htaccess)
  • Generate detailed cleanup reports
  • Manage 20+ sites from a single interface

You talk to Claude in plain English — “scan my-site for malware” — and it executes the full scan pipeline over SSH, returning structured results.

The February 2026 WordPress Malware Campaign: What We Found

Before diving into the tool, let’s document what we were actually fighting. Understanding the attack is the first step to defending against it.

Attack Vector: Application Passwords

The attackers didn’t brute-force passwords or exploit a plugin vulnerability. They used WordPress Application Passwords — a feature added in WordPress 5.6 that lets external apps authenticate via the REST API.

On each compromised site, we found an application password named auto-bootstrap tied to a legitimate admin account. This gave the attacker full REST API access without triggering login-based security alerts. It’s the perfect silent entry point because:

  • Application passwords bypass two-factor authentication
  • They don’t show up in normal login logs
  • Most security plugins don’t monitor them
  • They persist even if the main admin password is changed

Stage 1: Fake Plugins with Random Names

Once inside, the attackers uploaded malicious plugins disguised as legitimate ones. But here’s the clever part — they used random 6-8 character lowercase folder names like vpszslr, pdbyuut, and lkhlgay. Inside each folder, the plugin header said “Protect Uploads” — a perfectly innocent-sounding name.

This defeats security scanners that maintain blocklists of known malicious plugin names. The detection rule we built catches them:

^[a-z]{6,8}$  # Matches random 6-8 lowercase letter folder names

Across our 17 sites, we found 2-4 fake plugins per site, each with slightly different folder names but identical malicious functionality.
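To show how the folder-name rule behaves in practice, here is an added Python example (ours, not code from the wp-malware-cleanup-mcp project) that combines the regex with two checks a practitioner needs alongside it: an allowlist of known WordPress.org slugs, because a bare ^[a-z]{6,8}$ also matches legitimate plugins such as akismet, and the “Protect Uploads” header name seen in this campaign. The allowlist, the header-parsing regex and the sample plugin files are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Rule from the article: random 6-8 lowercase-letter plugin folder names.
RANDOM_SLUG = re.compile(r"^[a-z]{6,8}$")

# Constructed allowlist (assumption): well-known WordPress.org slugs that happen to
# match the pattern. Without it, a bare regex flags legitimate plugins such as akismet.
KNOWN_SLUGS = {"akismet", "jetpack"}

# Header name the campaign used on every fake plugin.
SUSPICIOUS_HEADER_NAMES = {"protect uploads"}

HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)


def plugin_header_name(php_source: str) -> Optional[str]:
    """Extract the 'Plugin Name:' field from a plugin main file's header comment."""
    match = HEADER_RE.search(php_source)
    return match.group(1) if match else None


def classify_plugin(folder: str, php_source: str) -> List[str]:
    """Return the reasons a plugin folder looks suspicious (empty list means clean)."""
    reasons = []
    if RANDOM_SLUG.match(folder) and folder not in KNOWN_SLUGS:
        reasons.append("random-looking folder name")
    name = plugin_header_name(php_source)
    if name is None:
        reasons.append("missing Plugin Name header")
    elif name.lower() in SUSPICIOUS_HEADER_NAMES:
        reasons.append(f"header name '{name}' seen in known malicious plugins")
    return reasons


def find_suspicious_plugins(plugins: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious folder to its reasons; clean plugins are left out."""
    report = {}
    for folder in sorted(plugins):
        reasons = classify_plugin(folder, plugins[folder])
        if reasons:
            report[folder] = reasons
    return report


# Constructed sample: folder name -> contents of that plugin's main PHP file.
SAMPLE_PLUGINS = {
    "vpszslr": "<?php\n/*\nPlugin Name: Protect Uploads\n*/\n",
    "pdbyuut": "<?php\n/**\n * Plugin Name: Protect Uploads\n */\n",
    "akismet": "<?php\n/*\nPlugin Name: Akismet Anti-spam: Spam Protection\n*/\n",
    "woocommerce": "<?php\n/**\n * Plugin Name: WooCommerce\n */\n",
    "qzxwvu": "<?php echo 'no header';\n",
}

if __name__ == "__main__":
    for folder, reasons in find_suspicious_plugins(SAMPLE_PLUGINS).items():
        print(f"{folder}: {'; '.join(reasons)}")
```

In a real deployment the allowlist would be fed from the WordPress.org plugin directory (every installed slug that the repository knows), so the regex only ever fires on folders nobody published.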

Stage 2: The Hidden Admin Backdoor

This was the most sophisticated component. The malware:

  1. Created a hidden administrator account with the username admlnlx (note: looks like “adminlx” — typosquatting) and email wordpresupport@{domain} (note: missing ‘s’ in “wordpress”)
  2. Hooked into WordPress user queries via pre_user_query to exclude the malicious admin from all user lists — making it completely invisible in the WordPress admin panel
  3. Decremented user counts by manipulating the views_users filter, so the “All Users” count wouldn’t reveal an extra account
  4. Reset ALL legitimate admin passwords using a domain-based password generation algorithm — unique per site but predictable for the attacker
  5. Hid itself from the plugins list using the all_plugins filter

The malware tracked its state using three wp_options entries:

  • _pre_user_id — Stored the hidden admin’s user ID for query manipulation
  • theme_dc_aluma_tools — Flag indicating the malicious admin was created
  • theme_aluma_times — Flag indicating passwords were already reset

Stage 3: File Manager Web Shell

For persistent access beyond WordPress, the attackers installed a PHP file manager (wp_test.php) that provided:

  • Full filesystem browsing
  • File upload, edit, rename, and delete capabilities
  • Color-coded permission display
  • No authentication required — anyone with the URL had full server access

The Numbers

| Metric                        | Value     |
|-------------------------------|-----------|
| Sites compromised             | 17        |
| Total issues detected         | 200+      |
| Worst single site (multisite) | 87 issues |
| Fake plugins found            | 30+       |
| Hidden admin accounts         | 17+       |
| Web shells detected           | 40+       |
| Dangerous files in uploads    | 100+      |

Inside the WP Malware Cleanup MCP Server

Now let’s walk through the tool we built to fight back. The server has 50+ specialized tools organized into logical categories.

Architecture

The server is built with:

  • Python 3.12 with the FastMCP framework
  • SSH/WP-CLI for remote execution — no WordPress plugins needed on the server
  • Local data storage in ~/.wp-malware-cleanup/ — nothing sensitive touches the cloud
  • Community threat intelligence — 70+ malware signatures with a contribution model

Multi-Site Management

The first problem we solved was managing 17 sites from one place. Each site is registered with its SSH credentials:

wp_add_site(
    name="my-site",
    host="147.182.198.163",
    username="sshuser",
    wp_path="/home/sshuser/web/example.com",
    auth_type="password",
    site_url="https://example.com"
)

Security note: Passwords are never stored on disk. They’re passed via the SSHPASS environment variable at runtime and discarded after each SSH session. For production, we recommend SSH key authentication.

Comprehensive Scanning

A single wp_full_scan command runs nine checks in sequence:

  1. Core File Verification — Compares every WordPress core file against official checksums. On one site, this caught wp-includes/SimplePie/src/Core.php — a file that shouldn’t exist in core
  2. Plugin Integrity Check — Verifies plugins against WordPress.org repository versions
  3. Suspicious Plugin Detection — Our custom scanner that catches randomly-named folders
  4. Hidden Admin Detection — Looks for typosquatted usernames, suspicious emails (@local.invalid), and recently created admin accounts
  5. Application Password Audit — Catches suspicious app passwords like auto-bootstrap
  6. Web Shell Detection — Scans for file manager backdoors using 15+ detection patterns
  7. MU-Plugin Scan — Checks must-use plugins for hidden malware
  8. Uploads Security — Finds PHP files that should never exist in wp-content/uploads
  9. Deep Pattern Matching — Runs 70+ regex signatures against all PHP files

The Quarantine System

Instead of deleting files immediately (which can break a site or destroy forensic evidence), the server moves suspicious files to a quarantine directory with full metadata:

  • Original path preserved
  • Timestamp of quarantine
  • File hash for threat intelligence
  • Recovery possible at any time

Quarantine directories use cryptographically secure random names (SHA256-based) to prevent attackers from guessing file locations.
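As an added illustration (not the server’s own implementation), the following Python shows the quarantine shape described above: a directory named from the SHA-256 of random bytes, a metadata record with the original path, timestamp and file hash, and a restore path for false positives. The metadata fields, the on-disk layout and the constructed web-shell placeholder are our assumptions.

```python
import hashlib
import json
import os
import secrets
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def random_quarantine_dir(root: Path) -> Path:
    """Create a quarantine directory whose name is the SHA-256 of 32 random bytes,
    so its location cannot be guessed from the site layout or a timestamp."""
    name = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
    qdir = root / name
    qdir.mkdir(parents=True, mode=0o700)
    return qdir


def quarantine_file(path: Path, site_root: Path, qdir: Path) -> dict:
    """Move one suspicious file into qdir and record what is needed to restore it
    or share its hash: site-relative path, timestamp, SHA-256, size and mode."""
    data = path.read_bytes()
    record = {
        "original_path": str(path.resolve().relative_to(site_root.resolve())),
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "mode": oct(path.stat().st_mode & 0o777),
        "stored_as": None,
    }
    # Stored under its hash, so identical backdoors on many sites collapse to one file.
    dest = qdir / (record["sha256"] + ".quarantined")
    shutil.move(str(path), dest)
    os.chmod(dest, 0o600)  # a quarantined PHP file must never stay world-readable
    record["stored_as"] = dest.name
    (qdir / (dest.name + ".json")).write_text(json.dumps(record, indent=2))
    return record


def restore_file(record: dict, site_root: Path, qdir: Path) -> Path:
    """Put a quarantined file back where it came from (e.g. after a false positive)."""
    dest = site_root / record["original_path"]
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(qdir / record["stored_as"]), dest)
    os.chmod(dest, int(record["mode"], 8))
    return dest


def demo_roundtrip() -> dict:
    """Quarantine a constructed placeholder file, then restore it; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        site_root = Path(tmp) / "public_html"
        shell = site_root / "wp-content" / "plugins" / "vpszslr" / "wp_test.php"
        shell.parent.mkdir(parents=True)
        # Constructed stand-in for a file-manager shell; contains no real code.
        shell.write_bytes(b"<?php // constructed placeholder for a quarantined file\n")
        qdir = random_quarantine_dir(Path(tmp) / "quarantine")

        record = quarantine_file(shell, site_root, qdir)
        removed = not shell.exists()
        restored = restore_file(record, site_root, qdir)
        return {
            "removed_from_site": removed,
            "restored_in_place": restored == shell and shell.exists(),
            "dir_name_len": len(qdir.name),
            "original_path": record["original_path"],
            "sha256": record["sha256"],
        }


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip(), indent=2))
```

The JSON sidecar is what makes recovery and threat-intelligence export possible later: the hash travels with the file, and the original path is relative to the site root so the record stays valid if the site is moved.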

One-Command Complete Cleanup

The wp_complete_cleanup tool runs the entire remediation pipeline in one command:

  1. Database backup (secure random filename)
  2. Reset all admin passwords
  3. Regenerate security salts (invalidates all sessions)
  4. Clean PHP files from uploads
  5. Harden wp-config.php (9 security constants)
  6. Install security MU-plugin (disables app passwords, XML-RPC, file editing)
  7. Fix file permissions (644 for files, 755 for directories)
  8. Update WordPress core, all plugins, and all themes

Security Hardening MU-Plugin

The server installs a must-use plugin that applies permanent security hardening:

  • Disables Application Passwords entirely — the attack vector used in this campaign
  • Disables XML-RPC — blocks brute force and DDoS amplification attacks
  • Disables file editing — prevents code changes from the WordPress admin
  • Adds security headers — X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy
  • Hides WordPress version — from page source and asset URLs
  • Blocks user enumeration — via author archives and REST API
  • Logs failed login attempts — with IP address and timestamp
  • Disables pingbacks — prevents DDoS amplification

The Community Threat Intelligence Database

One of the most valuable parts of this project is the community-driven threat intelligence database. When you clean malware from a site, the tool can learn the file hashes and patterns. These get stored locally and can be exported for community contribution.

70+ Malware Signatures

The community-signatures.json file ships with 70+ detection patterns organized by category:

| Category               | Signatures | Examples                                                                     |
|------------------------|------------|------------------------------------------------------------------------------|
| Backdoors              | 20+        | FilesMan, c99, r57, WSO, b374k, Weevely, Alfa Shell                          |
| Obfuscation            | 15+        | eval(base64_decode()), gzinflate, str_rot13, hex2bin, chr chains             |
| Remote Code Execution  | 8+         | shell_exec, passthru, system, exec, proc_open with user input                |
| File Write/LFI         | 6+         | file_put_contents, include/require with $_GET, readfile                      |
| Spam/Miners            | 6+         | Pharma spam, casino injection, Coinhive, cryptonight                         |
| Injectors/Redirects    | 8+         | iFrame injection, JavaScript redirects, hidden SEO links                     |
| WordPress-Specific     | 10+        | wp_insert_user backdoors, cron persistence, transient storage, options malware |

Each signature includes severity level, false positive paths (to avoid flagging legitimate vendor code), and remediation guidance.
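To make that signature structure concrete, here is an added Python scanner (not the project’s community-signatures.json or its scanner) with a constructed subset of signatures carrying a severity and false-positive path prefixes. It runs them over a constructed file tree in which the same strings appear in a fake plugin and, legitimately, in WordPress core and a scanning plugin, so the path exclusions are exercised. Signature ids, patterns and the example-scanner path are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Signature:
    sig_id: str
    category: str
    severity: str
    pattern: "re.Pattern"
    description: str
    # Path prefixes where this pattern is expected in legitimate code and must not fire.
    false_positive_paths: List[str] = field(default_factory=list)


# Constructed signature set (assumption): a small subset modelled on the categories in
# the table above, not the project's community-signatures.json.
SIGNATURES = [
    Signature("obf-eval-b64", "Obfuscation", "high",
              re.compile(r"eval\s*\(\s*base64_decode\s*\("),
              "eval() of a base64-encoded payload"),
    Signature("obf-eval-gzinflate", "Obfuscation", "high",
              re.compile(r"eval\s*\(\s*gzinflate\s*\("),
              "eval() of a gzinflate-compressed payload"),
    Signature("rce-request-to-shell", "Remote Code Execution", "critical",
              re.compile(r"\b(?:shell_exec|passthru|system|exec|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
              "shell function fed directly from request input"),
    Signature("backdoor-filesman", "Backdoors", "critical",
              re.compile(r"FilesMan"), "FilesMan file-manager shell marker",
              false_positive_paths=["wp-content/plugins/example-scanner/"]),  # constructed vendor path
    Signature("wp-insert-user", "WordPress-Specific", "high",
              re.compile(r"\bwp_insert_user\s*\("), "user creation from plugin code",
              false_positive_paths=["wp-admin/", "wp-includes/"]),  # core defines and calls it
]


def scan_file(rel_path: str, source: str) -> List[Dict]:
    """Run every signature over one file; one finding per signature, with its line number."""
    findings = []
    for sig in SIGNATURES:
        if any(rel_path.startswith(prefix) for prefix in sig.false_positive_paths):
            continue
        match = sig.pattern.search(source)
        if match:
            findings.append({
                "path": rel_path,
                "line": source.count("\n", 0, match.start()) + 1,
                "sig_id": sig.sig_id,
                "category": sig.category,
                "severity": sig.severity,
                "description": sig.description,
            })
    return findings


def scan_tree(files: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of site-relative path -> file contents, in sorted order for stable output."""
    findings = []
    for rel_path in sorted(files):
        findings.extend(scan_file(rel_path, files[rel_path]))
    return findings


def highest_severity(findings: List[Dict]) -> Optional[str]:
    """Worst severity across all findings, or None when the tree is clean."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample tree. The fake plugin carries the patterns; the scanner plugin
# and the core file contain the same strings legitimately and must be skipped.
SAMPLE_FILES = {
    "wp-content/plugins/vpszslr/vpszslr.php": (
        "<?php\n"
        "/* Plugin Name: Protect Uploads */\n"
        "eval(base64_decode($payload));\n"
        "if (isset($_GET['cmd'])) { system($_GET['cmd']); }\n"
        "wp_insert_user(array('user_login' => 'admlnlx', 'role' => 'administrator'));\n"
    ),
    "wp-content/plugins/example-scanner/signatures.php": "<?php $markers = array('FilesMan');\n",
    "wp-includes/user.php": "<?php function wp_insert_user($userdata) { /* core */ }\n",
    "wp-content/themes/example-theme/functions.php": "<?php add_theme_support('title-tag');\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for finding in results:
        print(f"[{finding['severity']}] {finding['path']}:{finding['line']} {finding['sig_id']}")
    print("highest severity:", highest_severity(results))
```

The false-positive prefixes matter more than they look: a signature for wp_insert_user that fires on wp-includes/user.php, where core defines the function, would bury the real finding in the fake plugin under noise.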

How to Contribute

After cleaning a site, you can export your discoveries:

# Learn from a cleanup
wp_threat_learn_from_cleanup("/path/to/malware.php", "abc123hash", "backdoor", "Description")

# Export for contribution
wp_threat_export()

# Submit a PR to the GitHub repo with your signatures

Critical Discovery: The wp core download --force Blind Spot

During cleanup, we discovered a critical gap in the standard WordPress reinstallation process that every WordPress security guide gets wrong.

Running wp core download --force replaces all official WordPress files with clean versions. Most cleanup guides stop there. But this command does NOT delete extra injected files — it only overwrites existing ones.

On one site, 17 backdoor files survived a full core reinstall because they were injected as new files in core directories (like wp-includes/SimplePie/src/Core.php).

The fix is to always follow the reinstall with a checksum verification and cleanup:

wp core verify-checksums 2>&1 | grep "should not exist" | awk '{print $NF}' | xargs rm -f

Our MCP server handles this automatically — wp_reinstall_core runs the verification after the download and removes any files that shouldn’t exist.
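The one-liner above works but has two sharp edges: awk '{print $NF}' truncates any path containing a space, and nothing checks that a reported path stays inside the WordPress root before it reaches rm -f. Here is an added Python version (ours, not the wp_reinstall_core implementation) that captures the whole path, separates “should not exist” files from modified core files that the reinstall itself fixes, and refuses any path that escapes the root. The “should not exist” wording is quoted in the article and the modified-file wording is WP-CLI’s; apart from the Core.php path from the article, the sample output is constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Message formats printed by `wp core verify-checksums`.
EXTRA_RE = re.compile(r"File should not exist: (.+)$")
MODIFIED_RE = re.compile(r"File doesn't verify against checksum: (.+)$")

SAMPLE_ROOT = Path("/var/www/html")  # placeholder WordPress root


def parse_verify_output(output: str) -> Dict[str, List[str]]:
    """Split verify-checksums output into extra (injected) and modified core files.
    Capturing the rest of the line keeps paths with spaces intact, unlike awk '{print $NF}'."""
    extra, modified = [], []
    for raw in output.splitlines():
        line = raw.strip()
        extra_match = EXTRA_RE.search(line)
        modified_match = MODIFIED_RE.search(line)
        if extra_match:
            extra.append(extra_match.group(1).strip())
        elif modified_match:
            modified.append(modified_match.group(1).strip())
    return {"extra": extra, "modified": modified}


def safe_path_in_root(wp_root: Path, rel: str) -> Optional[Path]:
    """Resolve a reported path against the WordPress root and refuse anything that
    escapes it (absolute paths, '..' segments, the root itself), so a garbled or
    hostile line cannot turn the cleanup into a delete outside the site."""
    root = wp_root.resolve()
    candidate = (root / rel).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    return candidate


def plan_cleanup(wp_root: Path, output: str) -> Dict[str, List[str]]:
    """Decide what to delete, what to reject, and what `wp core download --force` repairs."""
    parsed = parse_verify_output(output)
    remove, rejected = [], []
    for rel in parsed["extra"]:
        (remove if safe_path_in_root(wp_root, rel) else rejected).append(rel)
    return {"remove": remove, "rejected": rejected, "reinstall": parsed["modified"]}


def remove_extra_files(wp_root: Path, output: str, dry_run: bool = True) -> List[str]:
    """Return the safe extra files and, unless dry_run is set, delete them."""
    handled = []
    for rel in plan_cleanup(wp_root, output)["remove"]:
        target = safe_path_in_root(wp_root, rel)
        if target is not None and not dry_run and target.is_file():
            target.unlink()
        handled.append(rel)
    return handled


# Constructed output: Core.php is the path from the article; the other lines are made up
# to exercise the space-in-path and path-escape cases.
SAMPLE_OUTPUT = """\
Warning: File doesn't verify against checksum: wp-includes/load.php
Warning: File should not exist: wp-includes/SimplePie/src/Core.php
Warning: File should not exist: wp-admin/includes/class helper.php
Warning: File should not exist: ../outside-webroot.php
Error: WordPress installation doesn't verify against checksums.
"""

if __name__ == "__main__":
    for key, paths in plan_cleanup(SAMPLE_ROOT, SAMPLE_OUTPUT).items():
        print(f"{key}: {paths}")
```

Run the download first and the verification second, as the article says: modified files are overwritten by the reinstall, while the “should not exist” list is what the reinstall leaves behind and what this code removes.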

Step-by-Step: How to Use the MCP Server

Here’s how to set up and use the tool for your own sites.

Prerequisites

  • macOS 13+ (or Linux — the tool is cross-platform)
  • Claude Code CLI installed
  • uv (Python package manager)
  • Python 3.12

Installation (5 Minutes)

# 1. Install system deps
brew install python@3.12 sshpass

# 2. Clone the repository
git clone https://github.com/vapvarun/wp-malware-cleanup-mcp.git \
    ~/.claude/wp-malware-cleanup-mcp
cd ~/.claude/wp-malware-cleanup-mcp

# 3. Create venv and install dependencies
uv venv --python 3.12 .venv
uv pip install -r requirements.txt

# 4. Register with Claude Code
claude mcp add -s user wp-malware-cleanup -- \
    ~/.claude/wp-malware-cleanup-mcp/.venv/bin/python \
    ~/.claude/wp-malware-cleanup-mcp/server.py

# 5. Restart Claude Code
claude

Your First Cleanup

# Add a site
wp_add_site(name="my-site", host="1.2.3.4", username="deploy",
            wp_path="/var/www/html", auth_type="key",
            key_path="~/.ssh/id_rsa")

# Test connection
wp_test_connection("my-site")

# Run full scan
wp_full_scan("my-site")

# If infected — run complete cleanup
wp_complete_cleanup("my-site")

# Verify
wp_full_scan("my-site")

# Generate report
wp_generate_report("my-site")

Batch Operations

Managing multiple sites? Scan them all at once:

# Scan all configured sites
wp_batch_scan()

# Update all clean sites
wp_batch_update()

Indicators of Compromise (IOC) Checklist

Use this checklist to manually verify whether your site has been hit by this campaign:

Database Checks

SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('_pre_user_id', 'theme_dc_aluma_tools', 'theme_aluma_times');

If any of these return results, your site is compromised.

User Checks

  • Look for usernames starting with adm followed by random characters
  • Check for emails containing wordpresupport@ (missing ‘s’)
  • Check for emails ending in @local.invalid
  • Look for admin accounts created in the last 30 days

File System Checks

  • Plugin folders with 6-8 random lowercase letters (e.g., vpszslr)
  • Files named wp_test.php in plugin directories
  • PHP files in wp-content/uploads/
  • Extra files in wp-includes/ that fail checksum verification

Application Password Check

SELECT user_id, meta_value FROM wp_usermeta
WHERE meta_key = '_application_passwords';

Look for entries named auto-bootstrap, backup, sync, api, or bot.
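Because the malware hooks pre_user_query and views_users (Stage 2 above), these checks have to read wp_users, wp_usermeta and wp_options directly, via SQL or WP-CLI, rather than through WordPress APIs that the hooks can filter. The following added Python (ours, not part of the project) applies the whole checklist to a snapshot of those tables, adds a raw-versus-displayed user count comparison that exposes a hidden account, and reads the names out of a PHP-serialized _application_passwords value by honouring its declared string lengths. The snapshot, the admin/administrator allowlist and the reference date are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Database artefacts and names from the campaign described above.
MALWARE_OPTIONS = {"_pre_user_id", "theme_dc_aluma_tools", "theme_aluma_times"}
SUSPICIOUS_APP_PASSWORD_NAMES = {"auto-bootstrap", "backup", "sync", "api", "bot"}
# 'adm' followed by random characters; the exact names below are a constructed allowlist.
TYPOSQUAT_USER_RE = re.compile(r"^adm[a-z0-9]+$")
LEGITIMATE_ADM_LOGINS = {"admin", "administrator"}
RECENT_ADMIN_WINDOW = timedelta(days=30)


def check_options(option_names) -> List[str]:
    """Return the malware state flags present in wp_options (sorted, empty if none)."""
    return sorted(MALWARE_OPTIONS & set(option_names))


def check_users(users: List[Dict], now: datetime) -> List[Dict]:
    """Apply the user checks to raw wp_users rows. Read them with SQL or WP-CLI, not
    WP_User_Query: the malware's pre_user_query hook removes its account from the latter."""
    flagged = []
    for user in users:
        reasons = []
        login, email = user["login"], user["email"].lower()
        if TYPOSQUAT_USER_RE.match(login) and login not in LEGITIMATE_ADM_LOGINS:
            reasons.append("typosquatted admin-like username")
        if email.startswith("wordpresupport@"):
            reasons.append("email uses misspelled 'wordpresupport@'")
        if email.endswith("@local.invalid"):
            reasons.append("email in @local.invalid")
        registered = datetime.strptime(user["registered"], "%Y-%m-%d %H:%M:%S")
        if user["is_admin"] and now - registered <= RECENT_ADMIN_WINDOW:
            reasons.append("administrator created in the last 30 days")
        if reasons:
            flagged.append({"id": user["id"], "login": login, "reasons": reasons})
    return flagged


def app_password_names(serialized: str) -> List[str]:
    """Pull every 'name' out of a PHP-serialized _application_passwords array using the
    declared string lengths (assumes ASCII names; PHP counts bytes, not characters)."""
    names, marker, pos = [], 's:4:"name";s:', 0
    while True:
        start = serialized.find(marker, pos)
        if start == -1:
            return names
        len_start = start + len(marker)
        len_end = serialized.index(':"', len_start)
        length = int(serialized[len_start:len_end])
        value_start = len_end + 2
        names.append(serialized[value_start:value_start + length])
        pos = value_start + length


def check_app_passwords(rows: List[Tuple[int, str]]) -> List[Dict]:
    """Flag application passwords whose names match the campaign's IOC list."""
    hits = []
    for user_id, meta_value in rows:
        for name in app_password_names(meta_value):
            if name.lower() in SUSPICIOUS_APP_PASSWORD_NAMES:
                hits.append({"user_id": user_id, "name": name})
    return hits


def run_ioc_checks(snapshot: Dict, now: datetime) -> Dict:
    """Combine all checks; the count mismatch catches the views_users/pre_user_query hiding."""
    users = check_users(snapshot["users"], now)
    options = check_options(snapshot["option_names"])
    app_pw = check_app_passwords(snapshot["app_passwords"])
    mismatch = len(snapshot["users"]) != snapshot["ui_user_count"]
    return {
        "malware_options": options,
        "suspicious_users": users,
        "suspicious_app_passwords": app_pw,
        "hidden_user_count_mismatch": mismatch,
        "compromised": bool(options or users or app_pw or mismatch),
    }


# Constructed snapshot of one site's tables, shaped like the campaign's artefacts.
SAMPLE_SNAPSHOT = {
    "option_names": {"siteurl", "home", "_pre_user_id", "theme_aluma_times"},
    "users": [
        {"id": 1, "login": "admin", "email": "owner@example.com",
         "registered": "2021-03-01 10:00:00", "is_admin": True},
        {"id": 7, "login": "admlnlx", "email": "wordpresupport@example.com",
         "registered": "2026-02-05 03:12:44", "is_admin": True},
        {"id": 8, "login": "editor", "email": "editor@example.com",
         "registered": "2025-11-20 09:00:00", "is_admin": False},
    ],
    "ui_user_count": 2,  # what the hooked "All Users" screen reports
    "app_passwords": [
        (1, 'a:1:{i:0;a:2:{s:4:"uuid";s:4:"abcd";s:4:"name";s:14:"auto-bootstrap";}}'),
        (8, 'a:1:{i:0;a:2:{s:4:"uuid";s:4:"ef01";s:4:"name";s:10:"Mobile App";}}'),
    ],
}
NOW = datetime(2026, 2, 6, 9, 0, 0)  # reference date for the 30-day window

if __name__ == "__main__":
    import json
    print(json.dumps(run_ioc_checks(SAMPLE_SNAPSHOT, NOW), indent=2))
```

The count comparison is the cheapest check of the set: SELECT COUNT(*) FROM wp_users against the number the admin screen shows. Any difference means something is filtering the user list, which is exactly what this campaign’s plugin does.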

Why We Open-Sourced This

WordPress powers over 40% of the web. When a malware campaign hits, it doesn’t discriminate between a Fortune 500 company and a small business owner. Most site owners can’t afford professional malware cleanup services that charge $200-500 per site.

By open-sourcing this tool, we’re making professional-grade malware cleanup accessible to:

  • WordPress agencies managing multiple client sites
  • Freelance developers who handle maintenance for clients
  • Site owners with SSH access who want to clean their own sites
  • Security researchers studying WordPress malware patterns

The community threat intelligence database means that every cleanup makes the tool smarter. When you discover a new malware variant and contribute its signature, every other user of the tool can detect it automatically.

Lessons Learned From Cleaning 17 Sites

After a full day of battling this campaign, here are the key takeaways:

  1. Application Passwords are the new attack surface. If you’re not actively using them, disable them entirely. Our security MU-plugin does this automatically.
  2. Random folder names are the biggest red flag. No legitimate WordPress plugin has a folder name like lkhlgay. If you see one, it’s almost certainly malware.
  3. wp core download --force is not enough. Always verify checksums after reinstallation and delete files that shouldn’t exist.
  4. Attackers install multiple backdoors. Finding one malicious plugin means there are likely 2-3 more. Always run a complete scan, not a spot check.
  5. Database artifacts persist. Even after deleting malicious files, the wp_options entries (_pre_user_id, etc.) remain and can reactivate new malware. Always clean the database too.
  6. Email typosquatting is subtle. wordpresupport@ looks almost legitimate at a glance. Train yourself to spot missing characters.
  7. Batch operations save hours. Cleaning 17 sites one-by-one manually would have taken 2-3 days. With batch scanning and templated cleanup, we finished in under 12 hours.
  8. BuddyBoss sites generate false positives. The .htaccess files in BuddyBoss uploads directories (bb_videos, bb_medias, bb_documents) are legitimate and should not be removed.

What’s Next

This is version 1.0.0 of the MCP server, and we’re actively developing it. On the roadmap:

  • Patchstack and WPScan integration — Sync with public vulnerability databases for real-time threat detection
  • Automated scheduling — Set up recurring scans via cron
  • Slack/email notifications — Get alerts when a scan finds issues
  • YARA rule support — Import industry-standard detection rules
  • More community signatures — We’re starting with 70+, but the WordPress malware ecosystem is vast

Get Started

The tool is free, open-source (MIT license), and ready to use today:

  • GitHub: github.com/vapvarun/wp-malware-cleanup-mcp
  • Full documentation: See the README for complete setup and usage instructions
  • Case studies: Check the docs/case-studies/ directory for detailed malware analysis
  • Contribute: Found new malware? Export your signatures and submit a PR

For a broader look at WordPress security fundamentals, check out our roundup of the best WordPress security plugins that complement this MCP server.

If you manage WordPress sites, this tool belongs in your security toolkit. The next campaign is already being planned. Be ready.

Questions? Reach out at wbcomdesigns.com or open an issue on GitHub.

Varun Dubey