How to Scan The WordPress Database For Malware

Malware? A website owner’s worse nightmare. In this article, we’ll show you how you can scan the WordPress database for malware and get rid of it.

For a website infected by malware, site owners must remove all malware from the site code and files. However, they may still notice malware behavior on their website.

This may be because the malware also infected the database. This is quite common but there is a way to recuperate the infected WordPress database.

To do this, users need to scan and clean the database right away. There are two possible methods – to scan and clean the database manually or to use a plugin.

This article outlines the process of scanning a WordPress database manually and with a plugin.

Hacked Database – How Does It Happen?

Malware gets into a database via injection codes in the WordPress files. If these files aren’t cleaned first, the code will re-insert its malware into the database.

File or database injection is the insertion of code into system files or the database. This code enables access for hackers.

Database injections are quite dangerous. The text used in different records can be reconstructed into malicious commands using a simple query.

WordPress utilizes a single MySQL database. This contains all the information and settings required for website administration.

That makes the database an easy target and the injections a common threat.

Before scanning the database, make sure to:

Scan all WordPress files and remove all malware.

Back up the database and files. If the web host doesn’t have any back-ups, download the content of the file server and database to a local environment.

Having done this, it’s now possible to scan the WordPress database for malware. Keep reading to find out how to do it.

How to Scan and Clean the WordPress Database Manually

Performing a manual scan and clean takes a lot of time. There is also the possibility of missing some hidden malware.

Any mistakes, like removing a wrong table or deleting a clean part of the code, may result in a broken website.

There are two frequent indicators of malware: Malicious PHP Functions and Unknown Links or iFrames. Set out below is how to find them manually.

Malicious PHP Functions

There are several PHP functions and commands that hackers like to use. They are not malicious in themselves and it is possible to utilize them in an ethical way.

However, if there are any present, the database is likely infected.

To identify database infection look for codes that are potentially malicious. These include base64_decode, gzinflate, error_reporting(0), and shell_exec.

Keep in mind though, that such codes are not malicious in all instances. Some programmers utilize these codes to implement some legitimate functions.

Unknown Links or iFrames

Going through the content of the website will help to discern what other items to look for. An infected site will often also have malicious iFrames and redirect links.

Hackers inject unknown links and iFrames into the site and camouflage them. So it’s necessary to examine the site code to pick them out.

One way to do that is to display and review the codes using a tool called Online cURL. Look for any undesired codes or iffy text such as a name of a pharmaceutical drug.

Hey, did you know data can be beautiful too?

wpDataTables can make it that way. There’s a good reason why it’s the #1 WordPress plugin for creating responsive tables and charts.

An actual example of wpDataTables in the wild

And it’s really easy to do something like this:

You provide the table data
Configure and customize it
Publish it in a post or page

And it’s not just pretty, but also practical. You can make large tables with up to millions of rows, or you can use advanced filters and search, or you can go wild and make it editable.

“Yeah, but I just like Excel too much and there’s nothing like that on websites”. Yeah, there is. You can use conditional formatting like in Excel or Google Sheets.

Did I tell you you can create charts too with your data? And that’s only a small part. There are lots of other features for you.

Step 1: Export the Database SQL

To search through the database, first, export it as text. This is possible via the database tool provided by the web host.

The explanation below details how to do this using phpMyAdmin.

PhpMyAdmin enables users to manage their database. It is usually installed in most hosting environments.

Use an export option in the phpMyAdmin panel to export the whole database. Save it to the “backup-pre-cleanup” folder.

First, log in to the cPanel dashboard, scroll to the “Databases” section and click on phpMyAdmin. Next, choose the database from the list on the left-hand side.

Then, click on “Export” in the menu on top. The export method should be set to “Quick” and the format to “SQL”.

Click on “Go” and it’s done.

Another way to export the database is via SSH using this command:

mysqldump -p -h hostname -u username database > backup-pre-cleanup.sql

Input your database information in place of the hostname, username, and database. The database credentials are available from wp-config.php.

Note: After exporting the database using SSH, remember to download it to the local environment and delete it from the file server.

Finally, open it in a notepad and look for the malicious parts of the code.

Step 2: Search the Database Export

Start by looking through the exported SQL file for known exploitable PHP functions.

A cURL code review may have revealed suspicious links, iFrames, or text. If so, then also search for these in the database SQL report.

If any of them appear in the database, this indicates a probable malware infection.

It’s also possible to use Sublime to open the .SQL file directly. Then, using Ctrl+f, look for malicious content within the database.

Use the following commands:

For iFrames: <iframe
For base64: base64_decode
For eval(): eval()
For scripts: <script

Step 3: Clean Up the Database

After detecting a database infection, it is vital to perform a clean-up. The best technique is to restore the database to a time prior to the infection.

This is very straightforward for users who schedule automatic back-ups. Otherwise, it will be necessary to contact the web host for assistance.

Another method is to search for the malicious links, iFrames, or functions and remove them manually from the WordPress files. This requires a measure of advanced knowledge.

Follow the steps below to accomplish this task.

Sign in to the database admin panel.
Perform a backup of the database.
Look for suspicious content (such as spammy keywords or links).
Open the table that holds that suspicious content.
Manually delete it.
Test the site to confirm it is functioning well after the changes.
Delete any database access tools you have installed.

Beginners can utilize the payload information provided by the malware scanner. Intermediate users can also manually search for frequent malicious PHP functions.

These will include base64_decode, eval, gzinflate, preg_replace, str_replace, and so on.

How to Scan and Clean the WordPress Database Utilizing a Plugin

Using a plugin is an easy and effective way to detect malicious code, malware, and other security threats.

There are many good plugins available. The following plugin recommendations represent the best.

MalCare WordPress Security

MalCare provides the full package. It removes malware and will also perform daily scans to prevent any future infection.

The scanner is very sensitive and is capable of identifying even the deepest infections. At the same time, it will not report false alarms.

malCure WP Malware Scanner & Firewall

malCure Malware Scanner is one of the latest malware scanners. The interface is user-friendly and simple to use.

It can detect over 50,000 infections. malCure provides a comprehensive search of both the database and WordPress files.

It uses a hybrid technique involving multiple scans of each file and database record. This results in a very thorough cleanse.

All In One WP Security & Firewall

All In One WP Security & Firewall is a very popular plugin. It comes with a WordPress database scanning option.

It searches for suspicious strings in the main table in the database.

WP Changes Tracker

WP Changes Tracker & WP Security Audit Log is a changelog. It detects modifications to the MySQL databases, plugins, and theme files.

It is not a malware scanner but if a database has a malware infection, the changes will appear here. This helps users to establish what was infected and how it occurred.

Based on this information, they can then prop up any vulnerable spots.

It is also useful for tracking the changes you and your staff make.

Ending thoughts on ways to scan a WordPress database for malware

Malware infection on a website or in a database could serve as a wake-up. Users may realize that they need to take better care of security.

It is essential to perform regular scans to find and get rid of any potential threats. The longer malware exists in the database, the more harm it can cause, not only to the website but also to site visitors.

The guidance in this article will help you to identify and remove malware from the WordPress database.

Regardless of the method chosen, always proceed with care.

If you enjoyed reading this article on how to scan WordPress database for malware, you should check out this one about how to do a WordPress database reset.

We also wrote about a few related subjects like how to do a WordPress database cleanup, WordPress database schema and how to find and replace url in WordPress database.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.

Cookie	Duration	Description
CONSENT	16 years 2 months 19 days 14 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-47773209-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.

Cookie	Duration	Description
paddle_session	2 hours	No description available.
prism_610072376	1 month	No description available.