Reinstall WordPress core the clean way

Replacing WordPress core files with a clean version clears out a good chunk of an infection. Here's how to do it without touching your content or your settings.

By WP-Detox 6 min read

Reinstalling WordPress core means replacing the CMS system files with a clean, official copy. When a site is hacked, part of the infection often lodges in these files: a modified xmlrpc.php, a fake wp-blog-header.php, code injected into the functions in wp-includes. By overwriting the whole core in one pass, you clean that perimeter in a few minutes, without guessing file by file what got touched.

The catch is knowing what you replace and what you leave intact. That’s where most people break their site.

what “core” actually means in WordPress

Core is WordPress’s own code, identical on every site running the same version. Three things:

  • the wp-admin folder (the entire admin interface);
  • the wp-includes folder (the internal functions and libraries);
  • the PHP files in the root: index.php, wp-login.php, wp-load.php, wp-settings.php, xmlrpc.php, and so on.

None of these files hold anything personal. You can overwrite them with their original version without a second thought, and they’ll be exactly what they’re supposed to be.

what you must never touch

Two things are specific to your install. Replace them and you lose the site.

  • wp-config.php: it holds your database credentials, your table prefix, your security keys. It isn’t part of core. Leave it alone (except to regenerate the salts, see below).
  • the wp-content folder: your themes, your plugins, your media (uploads), and sometimes cache or config files. This is all your content and customization. A core reinstall must never touch it.

Keep the line clear: wp-admin and wp-includes get replaced with your eyes closed, wp-config.php and wp-content stay put.

method 1: with wp-cli (the cleanest)

If you have SSH access and wp-cli installed, this is the fastest and most reliable route. Move to the site root, then first check the installed version:

wp core version

Then reinstall exactly that version. The command downloads the official core and overwrites wp-admin, wp-includes and the root PHP files, without touching wp-content or wp-config.php:

wp core download --version=6.5.3 --force --locale=en_US

Match --version to the number returned by wp core version and --locale to your site’s language. The --force flag allows overwriting existing files.

Then check that all core files match the official checksums published by WordPress:

wp core verify-checksums

If the command reports no mismatches, your core is clean. If it still flags modified files or extra files (often suspicious PHP files added to the root or to wp-includes), note them down: those are backdoor candidates worth a look. For that, see how to hunt down remaining backdoors.

method 2: manually over FTP

No SSH? The manual reinstall works everywhere, you just have to be strict about the version.

  1. Find the site’s exact version. In the dashboard, it shows in the bottom right and under Dashboard > Updates. Without admin access, open wp-includes/version.php over FTP and read the $wp_version line.
  2. Download the official archive for that version from wordpress.org. Older versions are available at wordpress.org/download/releases/. Never grab an archive from any other site.
  3. Unzip the archive on your machine. Delete its wp-content folder first so you don’t risk overwriting yours.
  4. Connect over FTP/SFTP. Delete the wp-admin and wp-includes folders on the server, then upload the fresh versions from the archive in their place. Deleting before uploading keeps a malicious file from lingering where the upload wouldn’t cover it.
  5. Also upload the root PHP files from the archive (index.php, wp-login.php, etc.), overwriting the ones on the server. Don’t upload wp-config-sample.php in place of your wp-config.php, and don’t touch wp-content.

Download the exact same version that’s installed, not the latest one. Installing a newer version on top of an older database can require a database update and cause incompatibilities with your plugins. If you want to move up a version, do it afterward, cleanly, from the admin.
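The manual route has no equivalent of wp core verify-checksums, and even with method 1 the part you actually use is the list of modified and extra files it prints. The script below is an added example, not WP-Detox's own tooling, and does that comparison offline: it takes the freshly extracted official archive (wp-content removed, as in step 3) and a copy of the server's document root pulled down over FTP, then lists core files whose content differs, files on the server that the archive does not ship (backdoor candidates), and core files the server has lost, while skipping wp-content and wp-config.php just as a reinstall does. The two directory paths are assumptions; run it once before deleting anything on the server so you keep the list of findings, and again after the upload, when it should print nothing.

```shell
#!/bin/sh
# Added example (not WP-Detox's own code). Compares a clean official
# WordPress tree against a copy of the server's files without modifying
# either, and prints one line per finding:
#   MODIFIED <path>  core file whose content differs from the official copy
#   EXTRA    <path>  file on the server that the official archive does not ship
#   MISSING  <path>  official core file absent from the server
# wp-content/ and wp-config.php are out of scope, exactly as in a reinstall.

core_audit() {
    clean="$1"   # extracted official archive, e.g. ./wordpress (wp-content deleted)
    site="$2"    # copy of the server's document root, e.g. ./site-backup

    # Pass 1: every regular file on the server side, minus the two exclusions.
    ( cd "$site" && find . -type f \
        ! -path './wp-content/*' ! -path './wp-config.php' ) |
    sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA    %s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done

    # Pass 2: official core files that the server no longer has.
    # wp-config-sample.php is skipped because sites routinely delete it on purpose.
    ( cd "$clean" && find . -type f \
        ! -path './wp-content/*' ! -name 'wp-config-sample.php' ) |
    sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r rel; do
        [ -f "$site/$rel" ] || printf 'MISSING  %s\n' "$rel"
    done
}

# Usage (both paths are placeholders): core_audit ./wordpress ./site-backup
if [ "$#" -eq 2 ]; then
    core_audit "$1" "$2"
fi
```

Because it only reads both trees, the audit is safe to rerun as often as you like; what it cannot see is anything living in wp-content or the database, which is why the follow-ups further down still apply.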

method 3: from the dashboard

WordPress has a built-in reinstall. Under Dashboard > Updates, the “Re-install version X.Y.Z” button re-downloads core and replaces the files.

Handy, but two limits:

  • it only works if you still have admin access. A site whose admin is locked or redirected by the attacker won’t let you click that button.
  • it’s almost never enough on its own. If an attacker has admin access or an active backdoor in wp-content, they can reinject code right after. Reinstalling from the admin cleans core, not the rest.

Treat this method as a quick patch, to be backed up by the rest of the cleanup.

after reinstalling core

Replacing core only disinfects core. An infection often lives elsewhere. Three must-do follow-ups.

start from official sources for the theme and plugins

Malicious code frequently hides in a theme or a plugin. Reinstall each plugin and your theme from the official WordPress repository or the developer’s site, at the same version, rather than keeping the files on the server. Uninstall anything you don’t use. Be wary of nulled plugins and themes (pirated versions of paid products): they’re a classic entry point.

regenerate the security keys (salts)

The salts in wp-config.php sign the login cookies. If an attacker grabbed them, they can stay logged in even after a password change. Regenerate them. Generate a new block at api.wordpress.org/secret-key/1.1/salt/, then replace the eight matching lines in wp-config.php (from AUTH_KEY to NONCE_SALT). With wp-cli, one command does it:

wp config shuffle-salts

Every active session is invalidated at once. While you’re at it, change the passwords on the admin accounts.
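For the FTP route, here is the equivalent of wp config shuffle-salts as a small shell function. It is an added example, not WP-Detox's or WordPress's code: instead of pasting a block fetched from api.wordpress.org it generates the eight values locally from /dev/urandom, restricted to letters and digits so nothing needs escaping inside the PHP single quotes, and rewrites each define() line in place whatever spacing the file uses. The path to wp-config.php is assumed; work on a downloaded copy, check the count it prints, then upload the result, at which point every session is invalidated.

```shell
#!/bin/sh
# Added example (not WP-Detox's or WordPress's code): regenerate the eight
# authentication keys and salts in wp-config.php without wp-cli.

# One 64-character value drawn from /dev/urandom. Only [A-Za-z0-9] are kept,
# so the value is safe inside PHP single quotes and in the sed replacement below.
new_salt() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c 1-64
}

# Rewrite the define() line of every key in the file given as $1. Matches both
# the spaced style WordPress ships ( define( 'AUTH_KEY',   '...' ); ) and the
# older compact style ( define('AUTH_KEY', '...'); ). Lines for other
# constants (DB_NAME, table prefix, ...) are left untouched.
regenerate_salts() {
    cfg="$1"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(new_salt)
        sed "s/^define( *'$key', *'[^']*' *);/define( '$key', '$value' );/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Count the define() lines of the eight keys whose value now looks like a
# freshly generated salt; 8 means every key was rewritten.
count_fresh_salts() {
    grep -cE "^define\( '(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)', '[A-Za-z0-9]{64}' \);$" "$1"
}

# Usage (path is a placeholder): sh this-script.sh ./wp-config.php
if [ "$#" -eq 1 ]; then
    regenerate_salts "$1"
    echo "rewrote $(count_fresh_salts "$1") of 8 salt lines in $1"
fi
```

If the count comes back below 8, a key line is missing or written in a form the pattern does not recognise; add the missing define() lines by hand rather than leaving the old values in place.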

check the site

Reload the site and the admin. Confirm the front end displays normally, that you can log in, that no PHP warnings show up. Run wp core verify-checksums again if you have wp-cli. Do a Google search for site:yourdomain.com to spot any spam pages still indexed.

what reinstalling core does not do

Reinstalling core replaces files. It does not restore content. If the attacker deleted or changed your posts, your pages, or settings stored in the database, no core reinstall will bring them back: that data doesn’t live in the core files but in the database. Content recovery is its own topic, covered in restore your content after the hack.

Think of reinstalling core as one step in the cleanup, not the whole cleanup. To place this step within the full process, keep the complete guide to a hacked WordPress handy.

faq

Does reinstalling core erase my posts and images? No, as long as you touch neither wp-content (your media, themes, plugins) nor the database. Your posts and pages are in the database, your images in wp-content/uploads. The reinstall only covers wp-admin, wp-includes and the root PHP files.

Should I reinstall the latest version or the same one? The same version that’s already installed. Reinstalling an identical version triggers no database migration. Updating to a newer version is a separate operation, to be done afterward, from the admin once the site is clean.

Is reinstalling core enough to clean a hacked site? Rarely. It cleans core, but the infection often sits in a plugin, a theme, the uploads folder, or the database. You need to back it up with a wp-content check, a backdoor hunt, and regenerated credentials.


Want certainty that everything is clean, not just the core? WP-Detox runs a free scan of your site, then a full cleanup in about thirty minutes: core, plugins, theme, database, and backdoors. €149 all-in, with a backup taken before any work and a refund if we fail to disinfect the site.
