Most WordPress malware and tampering targets program files; the database is only rarely tampered with. However, when a vulnerability that allows database tampering is found in a very popular plugin, attacks that tamper with the database (known as SQL injection) can become an epidemic.


How can WordPress databases be tampered with or have malware embedded in them?

If there is no malware or tampering in the WordPress files, but the site still redirects to another site, links are rewritten, or other symptoms persist, tampering with the database data should be suspected.

Malware written to the WordPress database is most often JavaScript, a script executed by the browser, and its content often has several characteristics.

In most cases the tampering is written into a vulnerable plugin's settings, where it is executed on every page load, or embedded in a WordPress post, and it forces users viewing the site to redirect to another site or carries out other malicious behavior.

1 String.fromCharCode()

This JavaScript function is very commonly used in malware to obfuscate and execute code that attackers want to hide.

2 <script>

This tag embeds JavaScript. WordPress does not generally use JavaScript in posts or fixed pages, so the presence of this tag indicates that a malicious program may have been embedded by SQL injection.

3 _trgfy80yth (random string)

It is also common to see JavaScript programs beginning with a random string like this one embedded in many posts. This is also most often a type of tampering called an SEO hack, which sends visitors to another site.

How to look for and remove database tampering

The common tampering patterns above can be cleaned out by searching for them and replacing them with a plugin called Search Regex.

It is also possible to search and remove more database tampering patterns with the [Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal] created by WordPress Doctor.
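
The three indicators listed above can also be checked on rows exported from the database, before anything is replaced. The following Python script is an added example, not code from the original page or from the plugins it names: the table names assume the default wp_ prefix, the rows are constructed sample data, and the random-string pattern is a heuristic derived from the single sample _trgfy80yth. It also decodes String.fromCharCode() arguments so the hidden text can be reviewed.

```python
import re

# Indicators named in the article. The random-identifier regex is a heuristic
# assumed from the single sample "_trgfy80yth"; tune it before relying on it.
INDICATORS = {
    "fromCharCode": re.compile(r"String\s*\.\s*fromCharCode\s*\(", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "random_identifier": re.compile(
        r"(?<![A-Za-z0-9_])_(?=[a-z]*\d)[a-z0-9]{8,}(?![A-Za-z0-9_])"),
}
CHARCODE_CALL = re.compile(r"String\s*\.\s*fromCharCode\s*\(([\d\s,]+)\)", re.I)


def decode_charcodes(text):
    """Return the strings hidden in String.fromCharCode(n, n, ...) calls."""
    decoded = []
    for args in CHARCODE_CALL.findall(text):
        codes = [int(n) for n in args.split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes if c < 0x110000))
    return decoded


def scan_rows(rows):
    """rows: (table, row_id, text) tuples exported from the database."""
    findings = []
    for table, row_id, text in rows:
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings.append({"table": table, "id": row_id, "indicators": hits,
                             "decoded": decode_charcodes(text)})
    return findings


# Constructed sample rows (not real data): one clean post, one tampered post,
# and one tampered plugin setting. example.invalid is a reserved test domain.
_codes = ",".join(str(ord(c)) for c in "//example.invalid/r.js")
SAMPLE_ROWS = [
    ("wp_posts", 1, "<p>Hello world, this is an ordinary post.</p>"),
    ("wp_posts", 2, "<p>News</p><script>var _trgfy80yth = "
                    f"String.fromCharCode({_codes});</script>"),
    ("wp_options", 77, "<SCRIPT src='//example.invalid/x.js'></SCRIPT>"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A hit on script_tag alone is only a lead, since some themes and plugins legitimately store script tags in their settings; review each flagged row before replacing anything.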