If you Wordpress was hacked ?

wp-verify-checksums.notification.md

Description

This script check Wordpress integrity and send email if something wrong. You shoud add it to crontab like this 0 */1 * * * /opt/check_wordpress_infected.sh > /dev/null

Script

#!/bin/bash 

WP_RESULT=$(/usr/local/bin/wp core verify-checksums --allow-root --path=/var/www/web/ 2>&1)
IS_OK=${WP_RESULT:0:7}

if [ "$IS_OK" == "Success" ]; then
    echo "No problem found. Have a nice day!"
else
	echo "Problem is: >>> $WP_RESULT <<<"

 echo "Problem found: $WP_RESULT " | mail -s "Wordpress problem" your_email@gmail.com

     fi

Find files

If you wordpress was infected you can find files wich was created after some day.

find /var/www/web/ -type f -newerat 2020-09-08 ! -newerat 2020-09-09

List all files modified in the last 3 days

$ find ./ -type f -mtime -3

Grep files

find /var/www/web/ -mtime -2 -name '*.php*' | xargs grep -iP "(exec|system|gzinflate|md5|eval|base64_decode)\s*\("

i have multiple websites in this path /var/www/ how do loop the script?

Take a look at this line
WP_RESULT=$(/usr/local/bin/wp core verify-checksums --allow-root --path=/var/www/web/ 2>&1)

Here is path --path=/var/www/web/ you need to change to your site. Somethink like
WP_RESULT=$(/usr/local/bin/wp core verify-checksums --allow-root --path=/var/www/web-site1/ 2>&1)
WP_RESULT=$(/usr/local/bin/wp core verify-checksums --allow-root --path=/var/www/web-site2/ 2>&1)