What this problem is
Your database contains injected spam links, scripts, or suspicious admin accounts, which suggests SQL injection or compromised credentials.
Why it happens
- Vulnerable plugin/theme endpoint
- Outdated WordPress core
- Leaked database credentials
Prerequisites
- Full database backup (before changes)
- phpMyAdmin access and file access
Diagnosis
Identify where the injected content is stored: posts, options, users, or custom tables. Look for suspicious domains and script tags.
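The read-only queries below are an added example, not part of the original guide, showing one way to run this search from the phpMyAdmin SQL tab. They assume the default `wp_` table prefix, and `spam-domain.example` is a constructed placeholder for a domain you have actually seen in the injected content.

```sql
-- Added example: SELECT-only checks, nothing here modifies data.
-- Assumption: default table prefix wp_. If wp-config.php sets another
-- prefix, change the table names AND the 'wp_capabilities' meta key
-- (it is stored as <prefix>capabilities).

-- 1) Posts and pages whose content carries script/iframe tags or the
--    suspicious domain. Revisions are included on purpose: injected
--    markup can survive in them after the live post is cleaned.
SELECT ID, post_type, post_status, post_modified, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%spam-domain.example%'   -- constructed placeholder
ORDER BY post_modified DESC;

-- 2) Options holding markup or the suspicious domain. Widget and theme
--    settings live here, so a hit can affect every page of the site.
SELECT option_id, option_name, LEFT(option_value, 200) AS preview
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%spam-domain.example%';  -- constructed placeholder

-- 3) Site address settings: confirm both still point at your own domain.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home');

-- 4) Every account holding the administrator role, newest first.
--    Compare this list against the admins you expect to exist.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```

Record the IDs each query returns before changing anything, so the cleanup in the later steps can be checked against the same list.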
Detailed steps
Step 1) Contain and patch
Update core/plugins/themes and disable the suspected vulnerable plugin immediately.
Step 2) Remove malicious users and reset passwords
Delete unknown admin users and reset all admin passwords.
Step 3) Clean injected content
Remove malicious scripts/links from affected records. If widespread, restore from a clean backup and re-apply legitimate content changes.
Step 4) Rotate secrets
Change DB credentials and regenerate SALT keys.
Expected results
- Database content is clean and the injection vector is closed
What to do if it fails
- Engage professional incident response and ask your hosting provider to review server logs and WAF events
Best practices
- Keep updates current, use a WAF, and restrict database access