We will explain how to batch delete malformed JS that infected the database in WordPress.

Malicious code infecting the database

We may find JAVASCRIPT code that infects databases, such as plug-ins that can detect database malware.

In many cases, these malicious Javascripts are embedded in thousands of posts, and it is difficult to remove them one by one by hand. In this case, you can use a plugin to remove them one by one with regular expressions.

Bulk removal by pattern matching with regular expressions

A regular expression is a method to search for strings in a more meta way. For example, the following regular expression can match a string of 10 or more numbers.

/[0-9]{10,}/

If you create a regular expression that matches and replaces the aforementioned illegal JAVASCRIPT, and execute the regular expression on all posts, it is possible to remove the illegal JAVASCRIPT at once.

If you observe the malformed code carefully, you will see that it starts with  <script>$mWn= and ends with </script> without < in between.

This regular expression can be expressed as follows

/<script>$mWn=[^<]*<\/script>/

The $ and / are backslash escapes because they are meaningful expressions in the regular expression.
The [^<]* means as long as the string is followed by a string that is not  <.

*It is possible to create regular expressions by experimenting with them at this site. You can see that it matches within the correct range.

Regular expressions to remove malformed JS infecting WordPress databases

Next, we will use regular expressions to remove the malformed JS embedded in posts and other content.
If this removal process fails, important database information may be lost, so we recommend that you make a backup of your database before removal.

1 Install the Search Regex plugin that allows you to replace the database with regular expressions.

2 Go to Tools→Search Regex and perform the replacement process using regular expressions.
First, configure the regular expression as shown in the figure below, and check that it matches the invalid code properly as no operation.

Next, set the operation to replace the entire string, add a single space character to the replacement string, and execute the replacement.

This completes the bulk removal of the invalid JS.

Please note that removing malware from the database alone may not solve the problem!

The fact that malware has been embedded in the database means that hackers have already obtained the database search permissions through some vulnerability, and it is highly likely that other malware programs have been installed on the server.

It will be necessary to inspect for other malware and close the vulnerabilities that allowed the hacker to enter the database.

Terms of Use for Generated AI

This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.

Related Posts:

  1. How to find JAVASCRIPT Injection in WordPress
    If your WordPress site has been hacked and you think you have removed the tampering, but the site still redirects (forcibly) to another site, the malformed JAVASCRIPT code may still be there somewhere. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However,...
  2. Can the WordPress database be tampered with or infected by malware?
    Most WordPress malware and tampering is done to program files, and only rarely is the database tampered with. However, when a database tampering vulnerability is found in a very popular plugin, database tampering (known as SQL injection) hacking can become an epidemic. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in...
  3. What to do if a large amount of malware (malformed JAVASCRIPT) is embedded in a WordPress post
    If you have been infected with a type of WordPress malware that embeds malformed JAVASCRIPT code (which causes malformed redirects and other behavior) in a large number of posts, we will explain how to remove this code. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by...
  4. Example of database tampering with a redirect hack that causes a site to jump to another site
    Redirect hacks that cause a site to jump to another site (often a malicious software download, a fake e-commerce site, or a site that makes you click on a robot authentication) are not only tampering with files, but also getting into the database. Here are some examples of database malware tampering and how to deal with them. Terms of Use...
  5. Example of malformed JAVASCRIPT embedded in all WordPress posts
    There have been an increasing number of cases of malicious JAVASCRIPT being embedded in all WordPress posts. Here is how to deal with this malware. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification...
  6. If WordPress may be infected with malware (virus or tampering), use the plugin for quick malware inspection and removal.
    When WordPress may be infected with malware (virus or tampering), you can easily use a plugin to inspect and remove malware. The following is a list of the main types of malware behavior on websites and malware scanning and disinfection plug-ins. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole...