| name | wp-restore-core |
| description | Restore WordPress core files from a clean wordpress.org download. Overwrites core files only — preserves wp-content/ and wp-config.php. Use when core files have been tampered with or corrupted by malware.
|
| triggers | ["restore core","WordPress core corrupted","reinstall WordPress","core files tampered","fix WordPress installation"] |
Skill: wp-restore-core
Downloads a clean WordPress release from wordpress.org and rsyncs it over
the existing installation, overwriting only core files. wp-content/ and
wp-config.php are always excluded.
What it does
- Reads installed WP version (or use
--wp-version to specify one)
- Downloads
wordpress-{version}.tar.gz from wordpress.org to /tmp/
- Rsyncs core files into the WP root — excluding
wp-content/ and wp-config.php
- Removes the temp download
- Fixes file permissions on restored files
Usage
python scripts/restoration/wp-restore-core.py --config config/config.yaml
python scripts/restoration/wp-restore-core.py --config config/config.yaml --wp-version 6.5.4
python scripts/restoration/wp-restore-core.py --config config/config.yaml --dry-run
When to use
wp-deep-audit.py reports modified core files
wp-scan.py finds PHP shells in wp-includes/ or wp-admin/
- Site produces PHP errors after an attack (attacker overwrote core files)
- Version mismatch detected between database and filesystem
Finding the installed WP version
grep wp_version /path/to/wp-includes/version.php
SELECT option_value FROM wp_options WHERE option_name = 'db_version';
What is preserved
wp-content/ — all themes, plugins, uploads
wp-config.php — all site credentials and constants
.htaccess — all custom rules
After running
Always run wp-chmod-fix.py after restoring core to ensure correct permissions.