If your WordPress site behaves strangely, shows spam content, or redirects users, it may be compromised. One of the most effective ways to investigate is by scanning your database for suspicious entries.
This guide provides useful SQL queries to help identify potential malware, spam injections, and unauthorized users.
Important: Always take a full database backup before running any queries.
Note: Replace wp_ with your actual database prefix if it’s different.
1. Check for Malicious Code in Options Table
Scan option values for PHP functions that malware commonly abuses, such as base64_decode and eval, along with the other strings listed in the query.
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_value LIKE '%base64_decode%'
OR option_value LIKE '%eval(%'
OR option_value LIKE '%gzinflate%'
OR option_value LIKE '%str_rot13%'
OR option_value LIKE '%shell_exec%'
OR option_value LIKE '%wp_performance%'
OR option_value LIKE '%cloudflare_verify%';
2. Detect Injected Scripts (XSS / SEO Spam)
Find posts containing suspicious scripts or injected HTML.
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
OR post_content LIKE '%iframe%'
OR post_content LIKE '%onerror=%'
OR post_content LIKE '%onload=%';
3. Find Hidden Spam Links
Attackers often hide links using CSS tricks.
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%display:none%'
OR post_content LIKE '%visibility:hidden%'
OR post_content LIKE '%position:absolute%';
4. Check Autoloaded Options (Performance + Security)
Large autoloaded data may indicate hidden payloads or performance issues.
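-- WordPress 6.6 and later store 'on', 'auto' or 'auto-on' instead of 'yes'.
SELECT option_name, LENGTH(option_value) AS size
FROM wp_options
WHERE autoload IN ('yes', 'on', 'auto', 'auto-on')
ORDER BY size DESC
LIMIT 50;
5. Review Suspicious Cron Jobs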
Malware can hide inside scheduled tasks.
SELECT option_name, option_value
FROM wp_options
WHERE option_name = 'cron';
6. Search for Large Encoded Payloads
Very large option values may contain encoded malicious scripts.
SELECT option_name
FROM wp_options
WHERE LENGTH(option_value) > 5000;
7. Check Users for Backdoor Admin Accounts
Review all users:
SELECT ID, user_login, user_email, user_registered
FROM wp_users;
Check user roles:
-- The meta_key carries the table prefix too: use '<prefix>capabilities' if yours is not wp_.
SELECT *
FROM wp_usermeta
WHERE meta_key = 'wp_capabilities';
Find administrator accounts:
SELECT u.ID, u.user_login, u.user_email, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%';
Conclusion
These SQL checks help you quickly identify suspicious activity inside your WordPress database. While they don’t replace a full security audit, they are extremely useful for:
- Detecting malware injections
- Finding hidden spam content
- Identifying unauthorized users
- Improving overall site security
Tip: If you find suspicious entries, investigate carefully before deleting anything. When in doubt, consult a security expert or use a trusted malware removal service.
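To read the serialized value that the cron query in step 5 returns, this added example (not part of the original guide) parses the PHP-serialized array in Python, without calling PHP's unserialize on untrusted data, and lists each scheduled hook. The CORE_HOOKS baseline, the function names and the sample value are assumptions made for the illustration; hooks outside the baseline are often legitimate plugin tasks and are flagged only for review.

```python
CORE_HOOKS = {  # assumption: partial baseline of hooks WordPress core schedules
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "wp_scheduled_auto_draft_delete",
    "delete_expired_transients", "wp_site_health_scheduled_check",
}

def parse(buf, i=0):
    """Parse one PHP-serialized value from bytes; return (value, next_index)."""
    t = buf[i:i + 1]
    if t == b"N":                                   # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                     # i:5;  b:1;  d:0.5;
        end = buf.index(b";", i)
        return (float if t == b"d" else int)(buf[i + 2:end]), end + 1
    if t in (b"s", b"a"):
        colon = buf.index(b":", i + 2)
        n, i = int(buf[i + 2:colon]), colon + 2
        if t == b"s":                               # s:<byte length>:"...";
            return buf[i:i + n].decode("utf-8", "replace"), i + n + 2
        out = {}                                    # a:<count>:{key value ...}
        for _ in range(n):
            key, i = parse(buf, i)
            out[key], i = parse(buf, i)
        return out, i + 1
    raise ValueError(f"unsupported type {t!r} at offset {i}")  # e.g. objects

def list_cron_hooks(option_value):
    """Return (timestamp, hook, schedule, needs_review) for every event."""
    cron, _ = parse(option_value)
    rows = []
    for ts, hooks in cron.items():
        if isinstance(hooks, dict):                 # skips 'version' => 2
            for hook, events in hooks.items():
                for ev in events.values():
                    rows.append((ts, hook, ev.get("schedule"), hook not in CORE_HOOKS))
    return rows

SAMPLE = (  # constructed sample value, not taken from a real site
    b'a:3:{i:1700000000;a:1:{s:16:"wp_version_check";a:1:{'
    b's:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";'
    b's:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
    b'i:1700003600;a:1:{s:20:"example_unknown_hook";a:1:{'
    b's:32:"40cd750bba9870f18aada2478b24840a";a:3:{s:8:"schedule";'
    b's:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}'
    b's:7:"version";i:2;}'
)

if __name__ == "__main__":
    for row in list_cron_hooks(SAMPLE):
        print(row)
```

A ValueError from parse means the value contains a type the parser does not handle, such as a serialized object, which is itself worth a closer look in a cron entry.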