How to Scan and Clean Your WordPress Database for Hidden Malware
You have scanned your files. You have replaced your core folders. You have deleted the suspicious plugins. Yet, your WordPress site is still redirecting to spam or showing malicious popups.
If this sounds familiar, you likely have database malware.
While most security guides focus on cleaning files (like .php or .js scripts), hackers often inject malicious code directly into your WordPress database to ensure the infection survives even after you delete the bad files.
In this guide, we will show you how to find and remove malicious injections from your database tables like wp_options, wp_posts, and wp_users.
Why Database Malware is So Dangerous
File-based malware is relatively easy to spot—it looks like a strange file in a folder where it doesn’t belong. Database malware is harder to detect because it hides inside legitimate content.
Hackers use the database to:
- Create “Ghost” Admin Accounts: So they can log back in even if you change your password.
- Inject Spam Links: Hiding spam keywords inside thousands of existing posts/pages.
- Trigger Redirects: Modifying the siteurl or home values in wp_options to send your traffic elsewhere.
- Persist Malicious Code: Storing code (like base64_decode) that gets executed when a page loads.
Step 0: BACK UP YOUR DATABASE
Warning: This is the most critical step. Unlike editing a file, there is no “Undo” button when you run a SQL command or delete a database row. If you make a mistake, you can break your entire site.
Before proceeding, open phpMyAdmin or use a backup plugin to export a full .sql copy of your database.
Step 1: Find and Remove “Ghost” Admin Users
The first thing a smart hacker does is create a backdoor administrative account. They often name these users support, admin01, or even wp-security to look legitimate.
- Log in to your hosting control panel and open phpMyAdmin.
- Select your WordPress database.
- Click on the wp_users table (your prefix might be different, e.g., wp_xyz_users).
- Look for suspicious entries:
- Do you recognize every email address listed?
- Are there users you didn’t create?
- Action: If you find an unknown user, delete the row immediately.
Step 2: Check the wp_options Table for Redirects
The wp_options table contains critical site settings. Hackers love this table because they can inject JavaScript here that loads on every page of your site.
- In phpMyAdmin, click on the wp_options table.
- Check the “siteurl” and “home” rows: Ensure these URLs match your actual website domain. If they point to a strange domain, your site is being hijacked.
- Search for suspicious autoload data: Hackers often hide malicious code in the option_value column for rows that are set to autoload=yes.
- Action: You can run a SQL search to find suspicious scripts (see Step 3 below).
Step 3: Run SQL Queries to Find Malicious Code
You cannot manually read every single row in your database. Instead, use the Search tab in phpMyAdmin to find common malware signatures.
Here are the most common terms to search for inside your database:
- base64_decode (Often used to hide malicious PHP execution)
- eval( (Used to execute PHP code)
- <script> (Used for JavaScript redirects)
- iframe (Used to load external spam content)
- display:none (Used to hide spam links from humans while showing them to Google)
How to Search:
- Click the Search tab in phpMyAdmin.
- Words or values to search for: Enter one of the terms above (e.g., <script>).
- Inside tables: Select “Select all” to search the whole database.
- Go: Review the results.
Note: Be careful! Legitimate plugins also use base64_decode or <script>. Context is key. If you see a script tag linking to a Russian (.ru) or unknown domain inside your wp_posts table, it is likely malware. If you see it inside a legitimate plugin’s settings, it might be safe.
Step 4: Clean the wp_posts Table (Spam Injections)
If your site has the “Japanese Keyword Hack” or “Pharma Hack,” the spam content is usually stored in the wp_posts table. Hackers inject spam links into thousands of your existing posts.
To see if you are infected, you can run this SQL query in the SQL tab:
SELECT * FROM wp_posts WHERE post_content LIKE '%<script src=%';
If this returns hundreds of posts containing strange JavaScript sources you didn’t add, your posts have been compromised.
The Fix:
For massive infections (e.g., 5,000 infected posts), manual editing is impossible. You may need to use a “Search and Replace” query to strip the specific malicious string.
Recommendation: Use a plugin like Better Search Replace to safely find the malicious string and replace it with nothing (empty). Always test this on a backup first.
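The queries below are an added example, not code from the original guide: they gather Steps 1 to 4 into one phpMyAdmin SQL-tab session and go slightly beyond the guide by also reading wp_usermeta to list who actually holds the administrator role. They assume the default wp_ table prefix, and the domain EXAMPLE-MALICIOUS-DOMAIN.invalid is a placeholder for the exact injected string you copy out of your own search results.

```sql
-- Added example (not the guide's own code). Take the Step 0 backup first:
-- the backup is your only undo for the UPDATE at the bottom.

-- Step 1: every account with the administrator role, not just rows in wp_users.
-- The role is stored serialized in wp_usermeta under '<prefix>capabilities'.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- Step 2: both values must be your real domain, nothing else.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- Steps 2 and 3: autoloaded options carrying the common injection markers.
-- LEFT() keeps a 200 KB blob from flooding the screen; open the row to see all.
-- Note the backslash: a bare "_" in LIKE is a one-character wildcard.
SELECT option_id, option_name, LEFT(option_value, 120) AS preview
FROM wp_options
WHERE autoload = 'yes'
  AND (option_value LIKE '%base64\_decode%'
    OR option_value LIKE '%eval(%'
    OR option_value LIKE '%<script%'
    OR option_value LIKE '%<iframe%');

-- Step 4: measure the scale first, then look at the most recently touched rows.
SELECT COUNT(*) AS infected_posts
FROM wp_posts
WHERE post_content LIKE '%<script src=%';

SELECT ID, post_title, post_type, post_modified
FROM wp_posts
WHERE post_content LIKE '%<script src=%'
ORDER BY post_modified DESC
LIMIT 50;

-- Bulk removal of ONE exact injected tag (placeholder domain; paste the real
-- string from the rows above). Dry-run count, then UPDATE with the same WHERE
-- so untouched posts are never rewritten, then recount: expect 0.
SELECT COUNT(*) AS rows_to_fix
FROM wp_posts
WHERE post_content LIKE '%EXAMPLE-MALICIOUS-DOMAIN.invalid%';

UPDATE wp_posts
SET post_content = REPLACE(post_content,
  '<script src="https://EXAMPLE-MALICIOUS-DOMAIN.invalid/x.js"></script>', '')
WHERE post_content LIKE '%EXAMPLE-MALICIOUS-DOMAIN.invalid%';

SELECT COUNT(*) AS rows_still_infected
FROM wp_posts
WHERE post_content LIKE '%EXAMPLE-MALICIOUS-DOMAIN.invalid%';
```

If the final count is not 0, the injected tag varies between posts (different paths or quoting); pull the remaining rows with the last SELECT and repeat the REPLACE for each variant rather than widening the pattern.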
Summary: Don’t Forget the Database
Cleaning the files is only half the battle. If you leave a “Ghost Admin” in wp_users or a redirect script in wp_options, the hackers will walk right back in.
Your Cleanup Checklist:
- [ ] Backup the database.
- [ ] Delete unknown users from wp_users.
- [ ] Verify siteurl and home in wp_options.
- [ ] Search for base64, eval, and <script> tags.
- [ ] Change your database password after cleaning.