We’ll explain typical patterns of malicious code embedded in WordPress’s `wp_posts` and `wp_options` tables as a result of malware infection, as well as how to distinguish it from legitimate code.

Malware Infection and Tampering of the WordPress Database

In the event of a malware infection, it is rare for the WordPress database—including tables such as `wp_posts` and `wp_options`—to be tampered with.However, when a vulnerability that allows database tampering is discovered in a popular plugin or similar software, hackers often exploit that vulnerability en masse, leading to a surge in database tampering across numerous websites.

How to Detect and Remove a Database Infection?

Unless there is a plugin that executes PHP, almost none of the content stored in the WordPress database can be executed as a program.

For this reason, even when hackers tamper with the database to embed malicious code, it is typically not server-side executable code but rather JavaScript script code that runs primarily in the browser.

Here’s how you can detect this tampering to some extent using a database connection tool.

1. Connect to the database using Adminer
Upload the database connection tool called Adminer to the server and connect to the WordPress database using the database connection information listed in wp-config.php.

2. Search the database for strings characteristic of malware
Next, search the database for portions of strings characteristic of malware.

The following examples show code commonly used by malware. Search for these code snippets to check whether any malware is present in the database.

<script
atob(
eval(
fromCharCode(

etc.

Please note that not everything that matches this code search is necessarily malicious code.

* You can easily check for malicious code like the examples above using the [Free] WordPress: Malware Scan & Security Plugin [Malware & Virus Detection and Removal].

3. Check for Malicious Code and Remove It
You need to determine whether the code found during the scan is malicious JavaScript.
Generally, malicious code is characterized by long strings of random letters and numbers crammed into a single line.
Since it has the potential to corrupt database data, you must remove it with caution!

If the code is malicious, you must carefully remove only that specific section.
However, since a single instance of malware code can infect a vast number of records, it may be difficult to remove it manually. In such cases, you may need to use database replacement software to remove it.

Additionally, databases may contain records in a format known as “serialized data,” where the number of characters in the string must match exactly or the data will be corrupted. If such data contains malicious code, the process can be particularly challenging—for example, you may need to reduce the character count by the number of characters removed.

Example of serialized data (parts like “s:31” indicate the number of characters in the text)

a:6:{i:0;s:31:"query-monitor/query-monitor.php";i:1;s:57:"accesspress-instagram-feed/accesspress-instagram-feed.php";i:2;s:19:"easy-captcha/easy-captcha.php";i:3;s:43:"google-analytics-dashboard-for-wp/gadwp.php";i:4;s:33:"instagram-feed/instagram-feed.php";i:5;s:19:""really-simple-captcha/really-simple-captcha.php";}
Terms of Use for Generated AI

This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.