WordPress Security

How to Clean & Fix WordPress eval (base64_decode) PHP Hack

Updated on: July 26, 2021

How to Clean & Fix WordPress eval (base64_decode) PHP Hack

Among the major CMSs used extensively by businesses worldwide, WordPress is notorious for being the most targeted by hackers, who constantly search for ways to circumvent security patches and precautions taken by users. A majority of websites run on WordPress, rendering it an excellent hackable target for malpractices and data theft. One such hack witnessed by WordPress users lately is the eval base64 decode hack which essentially redirects a user to an attack site while the user is trying to access their own website via a search engine.

Secure your WordPress website before hackers try to hack it!

Astra Website Protection has helped thousands of WordPress sites prevent cyberattacks.

What is the eval base64 decode hack in WordPress?

An eval base64 decode hack is essentially a PHP code execution attack which is clouded by a base64 encoding scheme in order to hide the malicious code. The eval base64 PHP function allows the hackers to illegitimately gain control over your website and misuse it for malicious purposes.

To achieve this, the hacker modifies some PHP scripts to automatically redirect a user to an attack website when he/she visits a trusted website.

WordPress hacked? Drop us a message on the chat widget and we’d be happy to help you. Fix my WordPress website now.

Listed below are some reasons why your WordPress site using eval base64 decode may be hacked:

  1. Running an outdated WordPress version.
  2. Vulnerable admin account
  3. Not renewing outdated themes which use old PHP scripts.
  4. Old and vulnerable versions of themes
  5. Depends on the type of hosting that’s used (shared, dedicated, virtual).
  6. The code contains multiple loopholes

Any of the above can contribute to PHP injection of the eval base64 decode code line: “eval(base64_decode(“someObscureCharacterString”))”. As a result, users coming from search engines like Chrome, Bing, Firefox are automatically redirected to a malicious site.

WordPress base64 decode Hack: How does the base64_decode string work?

The eval base64 decode PHP function call is encoded in base64 which uses the obfuscated malicious script to run the decoded code. Thus allowing the hacker to run any PHP function and inject malware on your website.

How to clean & fix WordPress eval(base64_decode) hack
The actual malware code found in the the index.php of hacked websites.
How to clean & fix WordPress eval (base64_decode) hack
base64_decoded version of the malware code

While most hackers place the malicious line on top of a majority of PHP files,  some of them also place this function inside hidden folders. This allows the hacker to make desired changes to the code time and again to create automated redirection.

How can I clean up the WordPress eval base64 hack?

To perform a base64 hack cleanup on a potentially infected WordPress website, it is essential to follow up with these steps:

  1. Ensure that you stay up-to-date with the latest WordPress releases. Immediately switch to a newer updated version, in case you are running an older one.
  2. Prior to updating your WordPress version, back up all your PHP files, just in case anything goes wrong.
  3. It is not hard to manually remove the injected code while trying to decode the eval base64 decode code. This is in fact one of the easiest ways to fix the infected code. Make use of a TextCrawler to search for “eval(base64_decode(“someObscureCharacterString”));” and replace it with the desired code. Post that, compress the files into a ZIP file, and upload it to the website and extract. 

    There are various online PHP Decoder tools available that decrypts strings encoded with eval() and base64_decode(). Listed below are the ones:
  4. A MySQL injection attack which executes the WordPress eval (base64_decode) PHP script can occur if you ignore a WordPress update. The script would look like this:
    <?php eval(base64_decode(“someObscureCharacterString”)); ?> 

To mitigate this mySQL attack,  you can use “WordPress-MySql-Query”  which essentially displays all MySQL tables as HTML. This will enable you to scour through data, migrate the MySQL database without transferring the risk. You’ll be prompted to upgrade the database when you’ll be updating the WordPress version.

Detecting and cleaning up a WordPress hack is very tedious. One has to literally browse through a myriad of results to pinpoint the malware’s location and eliminate it. However, Astra’s WordPress malware scanner scours websites for potential threats in just a couple of minutes and eliminates them before any potential damage can be caused.

Secure your WordPress website before hackers try to hack it!

Astra Website Protection has helped thousands of WordPress sites prevent cyberattacks.

WordPress base64 decode Hack: How to prevent such hacks in the future?

This malicious infection is a recurring attack faced by WordPress sites. Manually removing the infection time and again is a cumbersome process, not to forget very time-consuming. However, following some basic precautions can help you mitigate against such injection attacks and secure your WordPress system from their recurrence:

  1. Ensure the security of your host. Keep a track of their mitigation strategies or the time taken to patch their services when web vulnerabilities surface.
  2. If possible, pay more for dedicated or virtual-dedicated hosting. Less number of people using the server means lesser vectors at risk
  3. Ensure that your third-party applications/libraries are updated. Get on their notification lists to stay know immediately whenever an update rolls out.
  4. Audit your code to unearth any unprecedented vulnerabilities. If not yourself, pay someone else to do it.

After following the above-mentioned, your website still ends up getting infected with the same code again and again, the problem may persist at a deeper level. In that case, get in touch with us and our WordPress security experts will get back to you.

WordPress base64 decode Hack: Tips for securing WordPress websites

  1. Keep your WordPress version updated at all times. Do not delay an update at any cost.
  2. Only install WordPress plugins you absolutely require and get them from trusted sources. Ensure you keep the plugins too up to date as most vulnerabilities stem from outdated 3rd party plugins.
  3. Before downloading a plugin, perform a background check by looking into its reviews and active downloads. More the number of active installations, more secure the plugin.
  4. Enable notifications for updates to the WordPress versions, themes, and plugins. The sooner you update, the better.
  5. Regularly update your WordPress core files.
  6. Periodically backup your entire website content including files, media and database folders. Ensure backing up weekly and monthly.
  7. Install an SSL Certificate and always use SSL when logging into your WordPress Dashboard.
  8. Follow Astra’s blog on WordPress Security to stay up to date with the latest releases, updates, and information on discovered vulnerabilities.

Worried about securing your WordPress site from imminent online attacks? Contact Astra to assure rock-solid security for your site. 

Tags: ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany