How to scan a WordPress database for malware

Website owners pay great attention to their databases and to protecting them, because the database holds all of the site's core data, including customer records and financial details. It also plays an important role in the site's performance and stability.

If the site has recently been infected with malware, or unusual activity has been observed, the cause may be a compromised database or malicious content stored in it. It is therefore advisable to check the database and remove any malicious code, either manually or with specialized security tools, and this article explains both methods in detail.

WordPress databases are compromised through a few basic routes, which are as follows:

WordPress sites offer users many data-entry fields, such as post comment fields, questionnaires, contact forms, and more. The data entered there is stored in the site's database.

Failing to program and secure these fields properly is a security risk. For example, if input is not validated to reject numbers in fields not meant for them, to check the format of email addresses, or to block external links in text fields, attackers can exploit these weaknesses to submit harmful code through the text fields into the database, putting it at risk of compromise.

Brute force attacks are the strategy attackers use to guess the username and password of the main control panel. They are carried out through millions of automated attempts.

Once the username and password are guessed correctly, the attacker gains access to the main control panel and, through it, to the database. It is therefore always preferable to use relatively complex usernames and passwords that include unpredictable characters, so that guessing becomes very difficult.

The weak points of WordPress sites are often plugins and themes, especially since WordPress is an open-source platform with a large number of plugins and themes, available from both the official store and third-party sources, that are uploaded without review by the platform.

As a result, plugins and themes can be poorly programmed from a security standpoint, so attackers look for vulnerabilities in them to exploit in order to compromise WordPress sites. Through such a compromise, the database can be accessed.

Developers regularly release updates for plugins and themes to strengthen security and patch vulnerabilities. You should therefore always update plugins and themes to the latest versions and obtain them from the official source, so that you get safe and reliable copies.

The same applies to updating WordPress itself to the latest version, in which the vulnerabilities of older versions have been closed.

For example, the Ninja Forms plugin previously contained a vulnerability exploited by attackers: according to a report published by the WP Hack Help site, an existing contact form could be replaced with a malicious one, which made it possible to inject malicious SQL into the database. The vulnerability was fixed in later updates. The same applies to the Convert Plus plugin.

Hosting companies offer several ways to connect to the server, the most important being FTP, SSH, and SFTP. If you rely on FTP, your username, password, and the data you transfer are all sent over an unencrypted connection.

Attackers may therefore take advantage of your FTP connection to eavesdrop on the server traffic and steal information, and with those credentials they can gain full control of the server. You should always be careful when connecting to the server and transferring files, and preferably rely on SSH or encrypted SFTP, since both add a layer of security by encrypting data in transit, making it difficult for attackers to misuse the data.

First, scan your site's files thoroughly for malicious files and clean the site of everything harmful, because malware can move from the site files back into the database after the database has been cleaned.

You should also back up the WordPress database and the site files before inspecting or modifying the database, so that you can restore them if something goes wrong while working on the database.

Attackers rely on a number of PHP functions and commands to reach the WordPress database, so it is worth searching the database for the most common of them. Finding these commands inside the database is a strong indication that it has been compromised. You can also look for external links or iframes that appear on the site as an additional sign of a possible hack.



03- Choose your WordPress database

Then choose Export from the top menu, choose Quick under Export method, choose SQL under Format, and click Export, as shown in the following screenshot:



04 – Export the WordPress database to an external file

The database export will now download; open the file in Notepad to search it for suspicious functions and commands.

Start by searching for the most important PHP functions and commands that attackers rely on. The most important are the following:

  1. base64_decode : The base64_decode command decodes data that was encoded with base64. WordPress is open source and its code is stored in plain, readable form, so the database should not contain a base64_decode call. If it is present, it indicates that encoded content is being processed by this command, so search for the string "base64_decode(".
  2. gzinflate : The gzinflate command decompresses data that was compressed, which is another way of hiding code. The WordPress system should not contain compressed code either, so search for the string "gzinflate(".
  3. eval : The eval command executes a string as PHP code, whatever that string contains. Programmers generally avoid this command entirely, so if it is found it may indicate a malicious file being treated as legitimate code; search for the string "eval(".
  4. error_reporting(0): The error_reporting(0) command suppresses error messages, so the system's error reports no longer reflect what is happening, which helps attackers hide the effects of malicious files; search for the string "error_reporting(0)".
  5. shell_exec : The shell_exec command executes a command at the level of the entire server, which is the attackers' ultimate goal; search for the string "shell_exec(".
  6. globals : The globals mechanism poses a security risk in PHP and can be used to compromise the site, which is why it has been removed from PHP since version 4.2. Search for uses of globals, identify the plugins that rely on them, and remove those plugins from the WordPress system completely.

There are many other PHP functions and commands that attackers rely on, but those listed above are the most common. Note that the presence of these functions does not always mean a compromise; developers may legitimately use them to implement certain features, so examine each match carefully before acting on it.

Attackers embed external redirect links or iframes in WordPress and try to hide them from the site owner. You should therefore search the database for anything related to iframes and review every result to determine whether it genuinely belongs to the site or points to unfamiliar links that do not fit the site's content.

In the same way, search for external links that appear on your site's pages or that your site redirects to, in order to determine where they come from. You can also scan your site's code for unknown links or iframes.

This may require some programming experience with databases in order to decide whether a command is being used legitimately or is harmful to the site.
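The search described above can be automated over the exported .sql file. The following script is an added example written for this article, not code from the article or from any plugin: it looks for the article's search strings (base64_decode, gzinflate, eval, error_reporting(0), shell_exec, iframes) and for links to hosts other than your own domain, attributes each match to the table whose INSERT statement it sits in, and additionally decodes long base64 blobs and rescans the decoded text, since attackers often wrap the real code so that none of the plain strings appear in the dump. The sample export at the bottom, the `evil.invalid` host and the `example.com` domain are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass

# Search strings from the article's list, plus the iframe check it describes.
# Patterns tolerate whitespace before the parenthesis and ignore case.
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"gzinflate\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "error_reporting(0)": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "shell_exec": re.compile(r"shell_exec\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Long base64-looking runs: attackers often wrap code in base64 so the plain
# search strings above never appear in the dump itself.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# phpMyAdmin writes one "INSERT INTO `table`" statement per table.
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.I)


@dataclass
class Finding:
    table: str            # table whose INSERT statement the line belongs to
    line_no: int          # line in the dump file, for locating the row
    indicator: str        # which search string or external host matched
    snippet: str          # surrounding text to help the reviewer decide
    hidden: bool = False  # True when the match was only visible after base64-decoding


def _scan_text(text, table, line_no, own_domain, hidden=False):
    findings = []
    for name, rx in INDICATORS.items():
        m = rx.search(text)
        if m:
            start = max(0, m.start() - 30)
            findings.append(Finding(table, line_no, name, text[start:m.start() + 50], hidden))
    seen_hosts = set()
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host == own_domain or host.endswith("." + own_domain) or host in seen_hosts:
            continue
        seen_hosts.add(host)
        findings.append(Finding(table, line_no, "external-link:" + host, m.group(0), hidden))
    return findings


def scan_dump(dump_text, own_domain):
    """Return every suspicious match in a SQL export, attributed to its table."""
    findings = []
    table = "?"
    for line_no, line in enumerate(dump_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
        findings.extend(_scan_text(line, table, line_no, own_domain))
        # Unwrap base64 blobs and rescan the decoded text for the same indicators.
        for blob in B64_RE.findall(line):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            findings.extend(_scan_text(decoded, table, line_no, own_domain, hidden=True))
    return findings


# Constructed sample in the style of a phpMyAdmin export; the hidden payload is
# base64-encoded at runtime so the plain search strings do not appear on that line.
_HIDDEN = base64.b64encode(b'shell_exec("id"); error_reporting(0);').decode()
SAMPLE_DUMP = f"""\
-- constructed sample export
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(1, 'siteurl', 'https://example.com'),
(2, 'widget_text', '<p>Welcome</p><iframe src="http://evil.invalid/x" width="0"></iframe>');
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES
(10, '<p>Normal post linking to https://example.com/about</p>'),
(11, '<?php eval(base64_decode("{_HIDDEN}")); ?>');
"""

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP, "example.com"):
        flag = " (inside base64)" if f.hidden else ""
        print(f"{f.table} line {f.line_no}: {f.indicator}{flag}: {f.snippet!r}")
```

Run it against your own export with `scan_dump(open("export.sql").read(), "yourdomain.tld")`. Every finding is a lead to review, not a verdict: legitimate plugins link to outside hosts and occasionally store encoded data, so compare each snippet with what the row is supposed to contain, as the article advises. phpMyAdmin's extended INSERT format can place many rows on one line, so the line number narrows the search to a statement rather than a single row.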

If your search finds matches for suspicious PHP functions and commands, or unknown links or iframes, in the WordPress database, that is a strong indication that the database contains malicious content and needs to be cleaned.

You can clean the WordPress database manually, but you need to be careful and have some technical expertise, because working with the database requires accuracy and attention to detail. Incorrect changes to the data can cause problems with the site, including crashing it or taking it offline entirely.

So if you have a backup of the database from before the hack, you can restore it; if you have no backup, or it is not up to date, you can search for the suspicious commands and remove them manually.

To do so, open the WordPress database again and choose Search from the top menu, as shown in the following image:



05- Search within WordPress databases

Then set the following options:

  1. Enter the suspicious PHP function, command or link you want to find in the database.
  2. Select the "at least one word" option under Search.
  3. Select all database tables under Inside tables by clicking Select all.

Then press Go, as shown in the following image:





06 – Search for malicious files within WordPress databases

You will now see the matching results in every database table. Select a result and press Delete to remove it directly, or Browse to preview and examine the row before deleting it, as shown in the following image:




07 – Wipe and clean WordPress databases manually

Repeat the previous step for every result returned by the database search, removing the malicious entries one by one.
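The phpMyAdmin search above works on the live tables and returns row identifiers you can act on, which the exported file does not give you directly. The following added example (written for this article, not the article's or phpMyAdmin's own code) performs the same search as queries, returning the table, the primary key of the row and a snippet of context for each of the article's search strings, so every hit can be previewed before a DELETE is issued. It assumes the default `wp_` table prefix and the standard column names of three core tables; the in-memory SQLite database and its rows are constructed for the demonstration.

```python
import sqlite3

# Search strings from the article's list, compared case-insensitively as plain substrings.
INDICATORS = ["base64_decode(", "gzinflate(", "eval(", "error_reporting(0)", "shell_exec(", "<iframe"]

# Which columns to search in which tables. Assumed: the default wp_ table prefix
# and the standard WordPress column names for these three core tables.
SEARCH_PLAN = {
    "wp_posts": ("ID", ["post_content"]),
    "wp_options": ("option_id", ["option_value"]),
    "wp_comments": ("comment_ID", ["comment_content"]),
}


def find_suspicious_rows(conn, plan=SEARCH_PLAN, indicators=INDICATORS):
    """Return (table, row id, indicator, context) for every row containing an indicator."""
    hits = []
    for table, (pk, cols) in plan.items():
        for col in cols:
            for ind in indicators:
                # instr() is a plain substring test, so "_" in the search string is not a
                # wildcard as it would be with LIKE; lower() makes the comparison
                # case-insensitive. The context is 80 characters around the first match.
                sql = (
                    f"SELECT {pk}, substr({col}, max(instr(lower({col}), ?) - 20, 1), 80) "
                    f"FROM {table} WHERE instr(lower({col}), ?) > 0"
                )
                for row_id, context in conn.execute(sql, (ind, ind)):
                    hits.append((table, row_id, ind, context))
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for the three core tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_content TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Hello world</p>"),
        (2, '<p>Offer</p><?php eval(gzinflate(base64_decode("..."))); ?>'),  # placeholder payload
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://example.com"),
        (2, "widget_text", '<iframe src="http://evil.invalid/" style="display:none"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?)", [
        (1, "Nice post"),
        (2, 'Look: <IFRAME src="http://evil.invalid/c"></IFRAME>'),
    ])
    return conn


if __name__ == "__main__":
    for table, row_id, ind, ctx in find_suspicious_rows(build_sample_db()):
        print(f"{table} row {row_id}: {ind!r} near {ctx!r}")
```

The generated SELECT can be pasted into phpMyAdmin's SQL tab against the real database with one change: MySQL's scalar maximum is `GREATEST()`, not `max()`, while `INSTR`, `LOWER` and `SUBSTR` work the same way. Deleting by primary key (`DELETE FROM wp_posts WHERE ID = ...`) after previewing the row is what the Browse-then-Delete step in the article does through the interface.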

Another way to clean the WordPress database is to rely on WordPress security plugins, which do not require the technical expertise of the manual method, although removing malicious files may come at an additional cost.

There are several security options for WordPress, and they differ in how they handle the database. The best of them are:

  1. MalCare.
  2. All In One WP Security & Firewall.
  3. Wordfence.
  4. Sucuri.

1- MalCare : The MalCare plugin scans all of your site's files as well as the database for malicious files or code, which ensures that malware is not carried from the site files back into the database. When MalCare scans your database it only reports the number of malicious files found; you cannot see their location or details, or use its automatic cleaning tool, unless you upgrade to the paid plan.

4- Sucuri : The Sucuri plugin protects WordPress sites from security threats and hacking. It automatically scans the site files and database for malicious files or threats across the whole system. In addition, Sucuri provides an advanced firewall that helps block SQL injection into the database, brute force attacks, and remote file inclusion (RFI) attacks that plant files on the server.

Conclusion

If your site's database has been compromised or SQL has been injected into it, you may not notice the effect right away, and the attacker may hide all traces of the intrusion, but the result can quickly show up in search engine results.

You should therefore scan your site's database periodically for malicious files or code; the steps above are enough to check the database for the most important PHP functions and commands that attackers commonly use.

If you lack the technical expertise, you can rely on security plugins to scan and clean the WordPress database automatically, though this will certainly come at an additional financial cost.

The database should also be secured by changing the database table prefix to make SQL injection harder, relying on a strong firewall to counter brute force attacks, keeping a regular backup of the database, and using only trusted plugins that are updated regularly to their latest versions, so that database breaches are avoided in the first place.
