Title: Posts have malware links Last modified: September 6, 2017 --- # Posts have malware links * [Popeye1](https://wordpress.org/support/users/popeye1/) * (@popeye1) * [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/) * A friend hasn’t updated their wordpress site, it was hacked and every post points to a malware site. I got in to the admin area. updated everything I could and removed plugins that can’t be updated. Installed wordfence. Wordfence ‘says’: Post contains a suspected malware URL: [post name] Bad url: [http://MalwareSite.life/scripts.js](http://MalwareSite.life/scripts.js) * And there are hundreds of these infected posts. * How do I fix them for him? * Thanks in advance. Steve Viewing 4 replies - 1 through 4 (of 4 total) * Moderator [t-p](https://wordpress.org/support/users/t-p/) * (@t-p) * [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/#post-9474195) * Carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked). When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress). * [webtrackstudio](https://wordpress.org/support/users/webtrackstudio/) * (@webtrackstudio) * [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/#post-9474628) * Hey there, * If you have database access please download .sql file locally and edit, perform find and replace method. once you finished with that, please again download a fresh copy of database and save some where as backup. After that create new database and import .sql file. once done in wp-config setting change database name. Once done please follow the [recommended security measures](https://codex.wordpress.org/FAQ_My_site_was_hacked). hope this helps * [ProjectArmy](https://wordpress.org/support/users/supporthero/) * (@supporthero) * [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/#post-9474658) * [@webtrackstudio](https://wordpress.org/support/users/webtrackstudio/) * Doing find and replace on an SQL file is very dangerous. It doesn’t take in account serialized data, which WordPress heavily uses. [More on it here](https://wpengine.com/support/wordpress-serialized-data/). * You need to use a search/replace script or plugin that will re-serialize replaced data. Otherwise your database will be scrambled and you will lose data. * I recommend using this script: [https://interconnectit.com/products/search-and-replace-for-wordpress-databases/](https://interconnectit.com/products/search-and-replace-for-wordpress-databases/) * — * [@popeye1](https://wordpress.org/support/users/popeye1/) * Now, about cleaning stuff up. If posts are redirecting to malware site, then most likely it’s a file(s) that’s infected. Here are some steps to try to narrow down the source of infection. * Side note: If you haven’t replaced all core files yet, please do so. Delete “ wp-includes” and “wp-admin” directories, and upload a fresh set. You should also delete all “wp-…php” files in the root directory, **making sure wp-config.php is not deleted**. * Make sure to backup your site and database before proceeding. * 1. First we check your theme files. Simply install a theme from WordPress.org repository, any theme will do. And activate it. This will be temporary. After you activate, clear any caches you might have and check your posts. If you’re being redirected to malware site, your theme most likely is clean. Re-activate your original theme. * If the theme is the source of infection, I would recommend downloading a fresh copy of the theme, deleting infected theme files completely, and uploading a fresh copy. * 2. Now check plugins. Deactivate all plugins, either inside WP admin or by renaming plugins directory to something else. Once they’re all deactivated, check posts again. If redirection is gone, then one of the plugins might be infected. * Now, begin activating plugins one by one, checking posts for redirection. Once malware redirection is back you’ll know exactly what plugin is infected. Delete the files, and re-install that plugin from WordPress.org repository or download it from author’s website (if it’s a premium plugin). * If it’s still doesn’t help solve the issue, try the same approach for “uploads” folder. It’s unlikely the code is there, but as last resort do check it. * If in the end it still there, come back and let me know. We’ll see what else we can do to find it and remove it. * [Andrew Nevins](https://wordpress.org/support/users/anevins/) * (@anevins) * WCLDN 2018 Contributor | Volunteer support * [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/#post-9474814) * Don’t forget about the backdoor! You need to consider whether you’re removing the problem or a symptom of the problem. * The stock answer we give is: You need to start working your way through these resources: - [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked) - [https://wordpress.org/support/topic/268083#post-1065779](https://wordpress.org/support/topic/268083#post-1065779) - [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) - [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Additional Resources: - [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) - [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) - [https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘Posts have malware links’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 4 replies * 5 participants * Last reply from: [Andrew Nevins](https://wordpress.org/support/users/anevins/) * Last activity: [8 years, 8 months ago](https://wordpress.org/support/topic/posts-have-malware-links/#post-9474814) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics