How To Remove WordPress Database Malware
While not one of the most common hacks, a WordPress Database hack we see in about 10-20% of Malware cleans we do.
A Database hack generally happens when a plugin or theme is vulnerable to SQL injection and is exploited.
Cleaning up a hidden DIV injection can be a pain depending on how many posts you have since, generally the content is injected randomly and needs some care in removing (though we have developed a DB clean script to automate this process for customers).
Step 1: First you need to identify the code that is being injected. This is easily done with a Website Malware Scan
Step 2: Login to your hosting control panel, find PHPMyAdmin and click on it.
Step 3: Export your Database so you have a backup if anything goes wrong. Check the “save as file” option and save it to your PC.
Step 4: With the snippet you got in step 1 create the following SQL Replace statement replacing BADCODESNIPPET with the snippet
UPDATE wp_posts SET post_content = REPLACE(post_content, 'BADCODESNIPPET', '') WHERE post_content LIKE ('BADCODESNIPPET');
This assumes your database is setup with the default wp_ prefix in your database. (90% of the time it is).
If it is not, you will need to replace the wp_posts with the correct prefix your DB is using.
Once you have removed the bad code, make sure you clean your WordPress Cache if you are using any caching plugin such as Total Cache or Super Cache as the pages generated before removing the code will still have the injection in it until the cache is re-created.
Be sure to update your themes and plugins when you are done as well or the re-injection may continue to happen.