How to Manually Check for Hidden Spam (Before You Had Our Plugin)?

If you suspect your WordPress site has been infected with hidden SEO spam, cloaked redirects, or insidious malware that traditional file scanners keep missing, you’re not alone. These database-resident threats are designed to evade standard checks.

Before specialized tools like Content Guard Pro existed, hunting these down required manual, tedious, and often risky database spelunking. This guide will walk you through the essential manual checks you would need to perform to track down those elusive database injections.

⚠️ Warning: Back Up Your Database First!

 

NEVER make direct modifications to your database without a recent backup. A simple typo while editing serialized data can corrupt your entire site. Use a reliable backup solution before proceeding.

1. Check the Global Configuration (The wp_options Table)

 

This table stores all site-wide settings and is often targeted for forcing global redirects, as any code placed here executes across the entire site instantly.

  • Access: Use a tool like phpMyAdmin or a database management plugin.

  • Look For: Scan the option_value column for suspicious keys, particularly those related to header/footer scripts or tracking codes:

    • Keys like header_code, footer_scripts, or non-standard theme_mods_... entries.

    • Any large, unusually long, or heavily encoded values (e.g., strings containing multiple instances of base64_decode, eval, or external URLs).

  • The Goal: Find injected <script> tags, especially those containing off-site URLs or code designed to check the user agent (a common cloaking technique).
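
One way to triage an export of wp_options for the indicators listed above, as an added example that is not part of the original guide or of Content Guard Pro. The site host example.com, the sample rows, the regex patterns and the 5000-character threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the checklist above; the patterns themselves are assumptions.
INDICATORS = {
    "base64_decode": re.compile(r"base64_decode", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "user-agent check": re.compile(r"navigator\.userAgent|HTTP_USER_AGENT", re.I),
}
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
LONG_VALUE = 5000  # assumption: length above which a value gets a manual look


def is_offsite(url, site_host):
    """True for an absolute or scheme-relative URL on a host other than the site's."""
    if not re.match(r"(?:https?:)?//", url, re.I):
        return False  # relative URL, served from the site itself
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def triage_option(value, site_host):
    """Return the reasons one option_value deserves manual inspection."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(value)]
    for src in SCRIPT_SRC_RE.findall(value):
        if is_offsite(src, site_host):
            reasons.append("off-site script: " + urlparse(src).hostname)
    if len(value) > LONG_VALUE:
        reasons.append("unusually long value")
    return reasons


# Constructed rows standing in for an export of option_name, option_value.
ROWS = [
    ("blogname", "My Site"),
    ("footer_scripts", '<script src="https://cdn.tracker.example/a.js"></script>'),
    ("header_code", "<script>if(/bot/i.test(navigator.userAgent)){eval(p)}</script>"),
    ("theme_js", '<script src="https://example.com/wp-includes/js/jquery.js"></script>'),
]

if __name__ == "__main__":
    for name, value in ROWS:
        print(name, triage_option(value, "example.com"))
```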

2. Audit Custom Fields (The wp_postmeta Table)

 

This table is enormous, storing all page builder data, SEO meta, and custom fields. It’s the most time-consuming spot to check.

  • Access: Use phpMyAdmin and filter the table.

  • Look For: Focus your search on keys known to store content that is displayed or executed:

    • SEO Plugin Keys: Search for values in keys like _yoast_wpseo_metadesc or similar fields. Look for hidden, unescaped HTML links.

    • Page Builder Data: Keys often contain _elementor_data or _fl_builder_data. The values here are JSON/serialized and require you to copy and manually unserialize/decode the data using an external tool before inspection.

  • The Goal: Find links to pharma, gambling, or essay-mill sites hidden deep inside the configuration data of specific pages.
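
The decode step for JSON page builder data can be done read-only on an exported copy instead of an external tool. The following is an added example, not code from the original guide or from Elementor; the sample value is a constructed, minimal stand-in for one _elementor_data entry, and example.com is an assumed site host.

```python
import json
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def walk_strings(node, path="$"):
    """Yield (json_path, text) for every string nested anywhere in decoded JSON."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{index}]")


def offsite_links(meta_value, site_host):
    """List (json_path, host) for each URL in the builder data that leaves the site."""
    hits = []
    # Read-only: the value is decoded and inspected, nothing is written back.
    for path, text in walk_strings(json.loads(meta_value)):
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host and host != site_host and not host.endswith("." + site_host):
                hits.append((path, host))
    return hits


# Constructed, minimal stand-in for one page's _elementor_data value.
SAMPLE_META = json.dumps([{
    "id": "a1", "elType": "section", "settings": {},
    "elements": [
        {"id": "b2", "elType": "widget", "widgetType": "text-editor",
         "settings": {"editor": '<p>Welcome.</p><a href="https://cheap-pills.example/buy">.</a>'}},
        {"id": "c3", "elType": "widget", "widgetType": "button",
         "settings": {"link": {"url": "https://example.com/contact"}}},
    ],
}])

if __name__ == "__main__":
    for path, host in offsite_links(SAMPLE_META, "example.com"):
        print(path, host)
```

The reported path tells you which element of the page to open in the builder, so the cleanup can be done through the editor rather than by editing the stored value.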

3. Inspect Widget Content (The wp_options Table, Again)

 

Widget content is typically stored in the wp_options table under keys that start with widget_.

  • Access: Search the wp_options table for keys beginning with widget_text or widget_custom_html.

  • Look For: Check the option_value for hidden links. Attackers often wrap hundreds of spam links in a div element with CSS styling set to display:none; or visibility:hidden; to hide them from human visitors while keeping them visible to search engine bots (a type of black-hat cloaking).

  • The Goal: Identify spam links injected into global areas like the footer or sidebar that load on every page.
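
The hidden-container check described above can be run over widget HTML once it has been copied out of option_value. This is an added example, not part of the original guide; the sample markup is constructed, and only inline style attributes are examined, so hiding done through a CSS class or stylesheet is outside what it detects.

```python
import re
from html.parser import HTMLParser

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> tags that are, or sit inside, an inline-hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hidden_by_inline_style) for every open element
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_RE.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href"):
            concealed = hidden or any(h for _, h in self.stack)
            (self.hidden if concealed else self.visible).append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag so sloppy markup cannot desync the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(widget_html):
    """Return the hrefs a human visitor would not see because of inline styles."""
    finder = HiddenLinkFinder()
    finder.feed(widget_html)
    finder.close()
    return finder.hidden


# Constructed widget text: two legitimate links and two concealed ones.
WIDGET_HTML = (
    '<p>Read <a href="https://example.com/news">our news</a>.<br></p>'
    '<div style="display:none;"><a href="https://casino-bonus.example/">c</a>'
    '<span><a href="https://essay-mill.example/order">e</a></span></div>'
    '<a href="https://example.com/about">About</a>'
)
```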

4. Decode Gutenberg Block Attributes (The wp_posts Table)

 

If your site uses the block editor, the payload might be hidden inside the structure of your content.

  • Access: Search the wp_posts table’s post_content column.

  • Look For: Search for long strings of text wrapped in the Gutenberg block comments (<!-- wp:... -->).

    • Specifically, look inside the JSON attributes for blocks for highly encoded strings or custom scripts, especially in non-content fields like anchor or className.

  • The Goal: Spot scripts or code fragments hidden in the block’s configuration, not the visible text.
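
Block attributes live as JSON inside the opening block comment, and JSON \u escapes can keep a literal "<script" out of the raw column, so a plain text search misses it. The added example below (not from the original guide) decodes the attributes first and then checks the anchor and className fields; the sample post_content, the patterns and the 100-character threshold are assumptions.

```python
import json
import re

# Opening (or self-closing) block comment that carries a JSON attribute object.
BLOCK_RE = re.compile(r"<!--\s+wp:([a-z][a-z0-9_/-]*)\s+(\{.*?\})\s+/?-->", re.S)
SUSPICIOUS_RE = re.compile(r"<script|javascript:|base64_decode|eval\s*\(|https?://", re.I)
NON_CONTENT = {"anchor", "className"}  # fields named in the checklist above
MAX_LEN = 100  # assumption: longer than any sensible anchor or class list


def audit_blocks(post_content):
    """Return (block, attribute, reason) for suspicious non-content attributes."""
    findings = []
    for match in BLOCK_RE.finditer(post_content):
        name, raw = match.group(1), match.group(2)
        try:
            attrs = json.loads(raw)  # also turns \u003c back into '<'
        except ValueError:
            findings.append((name, "<attributes>", "invalid JSON"))
            continue
        for key in sorted(attrs.keys() & NON_CONTENT):
            value = str(attrs[key])
            if SUSPICIOUS_RE.search(value):
                findings.append((name, key, "markup or URL in non-content field"))
            elif len(value) > MAX_LEN:
                findings.append((name, key, "unusually long value"))
    return findings


# Constructed post_content: one clean block, one escaped script, one oversized class.
POST_CONTENT = (
    '<!-- wp:paragraph {"className":"lead"} -->\n<p class="lead">Hello</p>\n'
    '<!-- /wp:paragraph -->\n'
    '<!-- wp:heading {"anchor":"x\\u003cscript src=//cdn.tracker.example/a.js'
    '\\u003e\\u003c/script\\u003e"} -->\n<h2>Title</h2>\n<!-- /wp:heading -->\n'
    '<!-- wp:group {"className":"' + "QUJD" * 40 + '","layout":{"type":"constrained"}} -->\n'
    '<div class="wp-block-group"></div>\n<!-- /wp:group -->'
)

if __name__ == "__main__":
    print("<script" in POST_CONTENT)  # the raw text search finds nothing
    for finding in audit_blocks(POST_CONTENT):
        print(finding)
```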

5. Check for Obfuscated Cloaking in Post Content

 

Attackers also inject code directly into the main content field (wp_posts.post_content), relying on complex encoding to avoid detection.

  • Access: Search the wp_posts table’s post_content column.

  • Look For: Search for signs of conditional logic (like custom shortcodes or PHP fragments) or excessive use of HTML entities and zero-width characters that can hide characters and links. Also, look for large blocks of text that are commented out (<!-- ... -->) but may still be rendered by some browser agents.
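
Entity encoding and zero-width characters both defeat a search for "http" in post_content. The added example below (not from the original guide) normalizes the text first and reports URLs that only appear after normalization; the sample content is constructed and the list of zero-width code points is an assumption about which ones to cover.

```python
import html
import re

ZW_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")  # common zero-width code points
ENTITY_RE = re.compile(r"&#x?[0-9a-f]+;", re.I)          # numeric character references
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def normalize(text):
    """Decode HTML entities (up to three layers), then drop zero-width characters."""
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return ZW_RE.sub("", text)


def inspect_content(post_content):
    """Count the obfuscation markers and list URLs visible only after normalizing."""
    raw_urls = set(URL_RE.findall(post_content))
    clean_urls = set(URL_RE.findall(normalize(post_content)))
    return {
        "zero_width": len(ZW_RE.findall(post_content)),
        "numeric_entities": len(ENTITY_RE.findall(post_content)),
        "revealed_urls": sorted(clean_urls - raw_urls),
    }


# Constructed post_content: one entity-encoded scheme, one URL split by U+200B.
CONTENT = (
    "<p>Opening hours are listed below.</p>"
    '<a href="&#104;&#116;&#116;&#112;&#115;://pharma-deals.example/rx">\u200b</a>'
    "<p>ht\u200btps://casino-bonus.example/win</p>"
)

if __name__ == "__main__":
    print(URL_RE.findall(CONTENT))  # empty: the raw search sees no URL
    print(inspect_content(CONTENT))
```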

💡 The Automated Solution

 

As you can see, manually checking these five spots is incredibly complex, time-consuming, and risky due to the nature of serialized and encoded data. A single mistake can destroy a page’s layout or break the entire site configuration.

This is precisely why we built Content Guard Pro. Our specialized engine automates this entire process: it safely unserializes the data, decodes obfuscated payloads, identifies the malicious code, and allows you to quarantine the threat with a single click—all without the risk of manual database editing.
