Malware? A website owner’s worse nightmare. In this article, we’ll show you how you can scan the WordPress database for malware and get rid of it.
For a website infected by malware, site owners must remove all malware from the site code and files. However, they may still notice malware behavior on their website.
This may be because the malware also infected the database. This is quite common but there is a way to recuperate the infected WordPress database.
To do this, users need to scan and clean the database right away. There are two possible methods – to scan and clean the database manually or to use a plugin.
This article outlines the process of scanning a WordPress database manually and with a plugin.
Hacked Database – How Does It Happen?
Malware gets into a database via injection codes in the WordPress files. If these files aren’t cleaned first, the code will re-insert its malware into the database.
File or database injection is the insertion of code into system files or the database. This code enables access for hackers.
Database injections are quite dangerous. The text used in different records can be reconstructed into malicious commands using a simple query.
WordPress utilizes a single MySQL database. This contains all the information and settings required for website administration.
That makes the database an easy target and the injections a common threat.
Before scanning the database, make sure to:
- Scan all WordPress files and remove all malware.
- Back up the database and files. If the web host doesn’t have any back-ups, download the content of the file server and database to a local environment.
Having done this, it’s now possible to scan the WordPress database for malware. Keep reading to find out how to do it.
How to Scan and Clean the WordPress Database Manually
Performing a manual scan and clean takes a lot of time. There is also the possibility of missing some hidden malware.
Any mistakes, like removing a wrong table or deleting a clean part of the code, may result in a broken website.
There are two frequent indicators of malware: Malicious PHP Functions and Unknown Links or iFrames. Set out below is how to find them manually.
Malicious PHP Functions
There are several PHP functions and commands that hackers like to use. They are not malicious in themselves and it is possible to utilize them in an ethical way.
However, if there are any present, the database is likely infected.
To identify database infection look for codes that are potentially malicious. These include base64_decode, gzinflate, error_reporting(0), and shell_exec.
Keep in mind though, that such codes are not malicious in all instances. Some programmers utilize these codes to implement some legitimate functions.
Unknown Links or iFrames
Going through the content of the website will help to discern what other items to look for. An infected site will often also have malicious iFrames and redirect links.
Hackers inject unknown links and iFrames into the site and camouflage them. So it’s necessary to examine the site code to pick them out.
One way to do that is to display and review the codes using a tool called Online cURL. Look for any undesired codes or iffy text such as a name of a pharmaceutical drug.
Step 1: Export the Database SQL
To search through the database, first, export it as text. This is possible via the database tool provided by the web host.
The explanation below details how to do this using phpMyAdmin.
PhpMyAdmin enables users to manage their database. It is usually installed in most hosting environments.
Use an export option in the phpMyAdmin panel to export the whole database. Save it to the “backup-pre-cleanup” folder.
First, log in to the cPanel dashboard, scroll to the “Databases” section and click on phpMyAdmin. Next, choose the database from the list on the left-hand side.
Then, click on “Export” in the menu on top. The export method should be set to “Quick” and the format to “SQL”.
Click on “Go” and it’s done.
Another way to export the database is via SSH using this command:
mysqldump -p -h hostname -u username database > backup-pre-cleanup.sql
Input your database information in place of the hostname, username, and database. The database credentials are available from wp-config.php.
Note: After exporting the database using SSH, remember to download it to the local environment and delete it from the file server.
Finally, open it in a notepad and look for the malicious parts of the code.
Step 2: Search the Database Export
Start by looking through the exported SQL file for known exploitable PHP functions.
A cURL code review may have revealed suspicious links, iFrames, or text. If so, then also search for these in the database SQL report.
If any of them appear in the database, this indicates a probable malware infection.
It’s also possible to use Sublime to open the .SQL file directly. Then, using Ctrl+f, look for malicious content within the database.
Use the following commands:
- For iFrames: <iframe
- For base64: base64_decode
- For eval(): eval()
- For scripts: <script
Step 3: Clean Up the Database
After detecting a database infection, it is vital to perform a clean-up. The best technique is to restore the database to a time prior to the infection.
This is very straightforward for users who schedule automatic back-ups. Otherwise, it will be necessary to contact the web host for assistance.
Another method is to search for the malicious links, iFrames, or functions and remove them manually from the WordPress files. This requires a measure of advanced knowledge.
Follow the steps below to accomplish this task.
- Sign in to the database admin panel.
- Perform a backup of the database.
- Look for suspicious content (such as spammy keywords or links).
- Open the table that holds that suspicious content.
- Manually delete it.
- Test the site to confirm it is functioning well after the changes.
- Delete any database access tools you have installed.
Beginners can utilize the payload information provided by the malware scanner. Intermediate users can also manually search for frequent malicious PHP functions.
These will include base64_decode, eval, gzinflate, preg_replace, str_replace, and so on.
How to Scan and Clean the WordPress Database Utilizing a Plugin
Using a plugin is an easy and effective way to detect malicious code, malware, and other security threats.
There are many good plugins available. The following plugin recommendations represent the best.
MalCare WordPress Security
MalCare provides the full package. It removes malware and will also perform daily scans to prevent any future infection.
The scanner is very sensitive and is capable of identifying even the deepest infections. At the same time, it will not report false alarms.
malCure WP Malware Scanner & Firewall
malCure Malware Scanner is one of the latest malware scanners. The interface is user-friendly and simple to use.
It can detect over 50,000 infections. malCure provides a comprehensive search of both the database and WordPress files.
It uses a hybrid technique involving multiple scans of each file and database record. This results in a very thorough cleanse.
All In One WP Security & Firewall
All In One WP Security & Firewall is a very popular plugin. It comes with a WordPress database scanning option.
It searches for suspicious strings in the main table in the database.
WP Changes Tracker
WP Changes Tracker & WP Security Audit Log is a changelog. It detects modifications to the MySQL databases, plugins, and theme files.
It is not a malware scanner but if a database has a malware infection, the changes will appear here. This helps users to establish what was infected and how it occurred.
Based on this information, they can then prop up any vulnerable spots.
It is also useful for tracking the changes you and your staff make.
Ending thoughts on ways to scan a WordPress database for malware
Malware infection on a website or in a database could serve as a wake-up. Users may realize that they need to take better care of security.
It is essential to perform regular scans to find and get rid of any potential threats. The longer malware exists in the database, the more harm it can cause, not only to the website but also to site visitors.
The guidance in this article will help you to identify and remove malware from the WordPress database.
Regardless of the method chosen, always proceed with care.
If you enjoyed reading this article about how to scan the WordPress database for malware, you should read this one on doing a WordPress database reset.
We also wrote about a few related subjects like the WordPress database schema, doing a WordPress database cleanup, WordPress database plugins, or how to find and replace an URL in a WordPress database.