How to Scan The WordPress Database For Malware

How to Scan The WordPress Database For Malware

Malware? A website owner’s worse nightmare. In this article, we’ll show you how you can scan the WordPress database for malware and get rid of it.

For a website infected by malware, site owners must remove all malware from the site code and files. However, they may still notice malware behavior on their website.

This may be because the malware also infected the database. This is quite common but there is a way to recuperate the infected WordPress database.

To do this, users need to scan and clean the database right away. There are two possible methods – to scan and clean the database manually or to use a plugin.

This article outlines the process of scanning a WordPress database manually and with a plugin.

Hacked Database – How Does It Happen?

Malware gets into a database via injection codes in the WordPress files. If these files aren’t cleaned first, the code will re-insert its malware into the database.

File or database injection is the insertion of code into system files or the database. This code enables access for hackers.

Database injections are quite dangerous. The text used in different records can be reconstructed into malicious commands using a simple query.

WordPress utilizes a single MySQL database. This contains all the information and settings required for website administration.

That makes the database an easy target and the injections a common threat.

Before scanning the database, make sure to:

  • Scan all WordPress files and remove all malware.

  • Back up the database and files. If the web host doesn’t have any back-ups, download the content of the file server and database to a local environment.

Having done this, it’s now possible to scan the WordPress database for malware. Keep reading to find out how to do it.

How to Scan and Clean the WordPress Database Manually

Performing a manual scan and clean takes a lot of time. There is also the possibility of missing some hidden malware.

Any mistakes, like removing a wrong table or deleting a clean part of the code, may result in a broken website.

There are two frequent indicators of malware: Malicious PHP Functions and Unknown Links or iFrames. Set out below is how to find them manually.

Malicious PHP Functions

There are several PHP functions and commands that hackers like to use. They are not malicious in themselves and it is possible to utilize them in an ethical way.

However, if there are any present, the database is likely infected.

To identify database infection look for codes that are potentially malicious. These include base64_decode, gzinflate, error_reporting(0), and shell_exec.

Keep in mind though, that such codes are not malicious in all instances. Some programmers utilize these codes to implement some legitimate functions.

Unknown Links or iFrames

Going through the content of the website will help to discern what other items to look for. An infected site will often also have malicious iFrames and redirect links.

Hackers inject unknown links and iFrames into the site and camouflage them. So it’s necessary to examine the site code to pick them out.

One way to do that is to display and review the codes using a tool called Online cURL. Look for any undesired codes or iffy text such as a name of a pharmaceutical drug.

Hey, did you know data can be beautiful too?

wpDataTables can make it that way. There’s a good reason why it’s the #1 WordPress plugin for creating responsive tables and charts.

An actual example of wpDataTables in the wild

And it’s really easy to do something like this:

  1. You provide the table data
  2. Configure and customize it
  3. Publish it in a post or page

And it’s not just pretty, but also practical. You can make large tables with up to millions of rows, or you can use advanced filters and search, or you can go wild and make it editable.

“Yeah, but I just like Excel too much and there’s nothing like that on websites”. Yeah, there is. You can use conditional formatting like in Excel or Google Sheets.

Did I tell you you can create charts too with your data? And that’s only a small part. There are lots of other features for you.

Step 1: Export the Database SQL

To search through the database, first, export it as text. This is possible via the database tool provided by the web host.

The explanation below details how to do this using phpMyAdmin.

PhpMyAdmin enables users to manage their database. It is usually installed in most hosting environments.

Use an export option in the phpMyAdmin panel to export the whole database. Save it to the “backup-pre-cleanup” folder.

First, log in to the cPanel dashboard, scroll to the “Databases” section and click on phpMyAdmin. Next, choose the database from the list on the left-hand side.

Then, click on “Export” in the menu on top. The export method should be set to “Quick” and the format to “SQL”.

Click on “Go” and it’s done.

Another way to export the database is via SSH using this command:

mysqldump -p -h hostname -u username database > backup-pre-cleanup.sql

Input your database information in place of the hostname, username, and database. The database credentials are available from wp-config.php.

Note: After exporting the database using SSH, remember to download it to the local environment and delete it from the file server.

Finally, open it in a notepad and look for the malicious parts of the code.

Step 2: Search the Database Export

Start by looking through the exported SQL file for known exploitable PHP functions.

A cURL code review may have revealed suspicious links, iFrames, or text. If so, then also search for these in the database SQL report.

If any of them appear in the database, this indicates a probable malware infection.

It’s also possible to use Sublime to open the .SQL file directly. Then, using Ctrl+f, look for malicious content within the database.

Use the following commands:

  • For iFrames: <iframe
  • For base64: base64_decode
  • For eval(): eval()
  • For scripts: <script

Step 3: Clean Up the Database

After detecting a database infection, it is vital to perform a clean-up. The best technique is to restore the database to a time prior to the infection.

This is very straightforward for users who schedule automatic back-ups. Otherwise, it will be necessary to contact the web host for assistance.

Another method is to search for the malicious links, iFrames, or functions and remove them manually from the WordPress files. This requires a measure of advanced knowledge.

Follow the steps below to accomplish this task.

  • Sign in to the database admin panel.
  • Perform a backup of the database.
  • Look for suspicious content (such as spammy keywords or links).
  • Open the table that holds that suspicious content.
  • Manually delete it.
  • Test the site to confirm it is functioning well after the changes.
  • Delete any database access tools you have installed.

Beginners can utilize the payload information provided by the malware scanner. Intermediate users can also manually search for frequent malicious PHP functions.

These will include base64_decode, eval, gzinflate, preg_replace, str_replace, and so on.

How to Scan and Clean the WordPress Database Utilizing a Plugin

Using a plugin is an easy and effective way to detect malicious code, malware, and other security threats.

There are many good plugins available. The following plugin recommendations represent the best.

MalCare WordPress Security

MalCare provides the full package. It removes malware and will also perform daily scans to prevent any future infection.

The scanner is very sensitive and is capable of identifying even the deepest infections. At the same time, it will not report false alarms.

malCure WP Malware Scanner & Firewall

malCure Malware Scanner is one of the latest malware scanners. The interface is user-friendly and simple to use.

It can detect over 50,000 infections. malCure provides a comprehensive search of both the database and WordPress files.

It uses a hybrid technique involving multiple scans of each file and database record. This results in a very thorough cleanse.

All In One WP Security & Firewall

All In One WP Security & Firewall is a very popular plugin. It comes with a WordPress database scanning option.

It searches for suspicious strings in the main table in the database.

WP Changes Tracker

WP Changes Tracker & WP Security Audit Log is a changelog. It detects modifications to the MySQL databases, plugins, and theme files.

It is not a malware scanner but if a database has a malware infection, the changes will appear here. This helps users to establish what was infected and how it occurred.

Based on this information, they can then prop up any vulnerable spots.

It is also useful for tracking the changes you and your staff make.

Ending thoughts on ways to scan a WordPress database for malware

Malware infection on a website or in a database could serve as a wake-up. Users may realize that they need to take better care of security.

It is essential to perform regular scans to find and get rid of any potential threats. The longer malware exists in the database, the more harm it can cause, not only to the website but also to site visitors.

The guidance in this article will help you to identify and remove malware from the WordPress database.

Regardless of the method chosen, always proceed with care.

If you enjoyed reading this article on how to scan WordPress database for malware, you should check out this one about how to do a WordPress database reset.

We also wrote about a few related subjects like how to do a WordPress database cleanup, WordPress database schema and how to find and replace url in WordPress database.

Up Next:

How To Find And Replace an URL Or Text In A WordPress Database

How To Find And Replace an URL Or Text In A WordPress Database