You may notice that a WordPress website has fallen victim to the eval base64 decode hack when, for example, a user tries to reach your website from a search engine and is redirected to an attack site.
When a trusted website redirects visitors to an attack website, it means the website has been hacked and the hacker has modified some PHP scripts to create the automated redirect.
This article summarizes the topic so that you understand how to remove eval(base64_decode()) from a hacked WordPress site.
This guide will take into account and answer the following 6 key points:
- What is eval base64 decode?
- What does base64 decode eval do?
- How does PHP eval(base64_decode()) work?
- How to get rid of the PHP eval base64 decode virus?
- Tips to stay safe in the future
What is the eval base64 decode hack?
This is code execution that is obfuscated by a base64 encoding scheme. The only reason this would be present is to hide malicious code. In general, if you find suspicious base64-encoded commands, you should decode the strings and see what they contain.
A base64 eval is a malicious PHP function call that hackers use to gain control of your website. Adding eval(base64_decode()) code to PHP files helps hackers illegitimately enter your website and try to use it for malicious purposes. This is extremely dangerous. The code is not difficult to remove manually from all the affected PHP files, but what would happen if all WordPress websites were infected with the malicious code again? We need to understand the root cause of malicious code injection.
Several causes have been found behind WordPress website hacks that use eval base64 decode. They are listed below:
- Running an outdated version of WordPress.
- Type of hosting you use (shared, dedicated, virtual).
- Exploitation of a vulnerable administrator account.
- Compromise of your FTP/SSH/web console/etc. account with your provider. If you ever send your password over an unencrypted protocol (such as FTP), please stop doing so.
- Loopholes in the written code.
- Install outdated themes that use old PHP scripts.
- Old and vulnerable versions of the themes.
- Some software, for example Apache HTTP Server, that is not up to date.
What does the “eval base64 decode” malicious code do?
If your PHP files have been injected with an eval base64 decode line of code, users arriving through browsers and search engines such as Chrome, Firefox, Yahoo, Bing, etc. will be automatically redirected to a malicious website. This is what an eval(base64_decode("someDarkCharacterString")); line does.
In simple words, eval base64 decode is a base64-encoded PHP function call that executes the decoded code. This helps the hacker execute any PHP function and inject malware into your website.
How Does It Work?
There must be some code on your website that allows the hacker's malicious script to run on your server. A hacker obfuscates the malicious script by hiding it under the PHP base64_encode() function. And this script calls the base64_decode() function to display all the PHP files inside your website.
Finally, the PHP eval() function is used to "execute" (or EVALUATE) the malicious code. Hackers place the malicious line at the top of as many PHP files as they can. Some clever hackers also place this code inside hidden folders, allowing the hacker to re-enter the website and make the desired changes to the code to create an automatic redirect.
Detecting malware on a WordPress website and fixing it is tedious and time-consuming. You should review all results to determine if malicious code is being executed.
You can use WordPress malware scanners to avoid this tedious process. For example, the page WPHackedHelp carefully scans all the files on your WordPress website for any malicious code.
How to perform base64 eval hack cleanup?
To perform base64 hack cleanup on a WordPress website, follow these steps:
STEP 1: Make sure you are always up to date with new versions of WordPress. If you are running an older version, it is important to update your WordPress to its latest version.
STEP 2: Before updating your WordPress version, we recommend that you keep a backup of all PHP files. In case something goes wrong, at least you have a backup of all your website data and you won't lose anything.
STEP 3: Decode eval(base64_decode("someDarkCharacterString"));
When trying to decode eval base64 decode, removing the injected code manually is not really that difficult. You can simply zip the entire website and then download it to your system.
Here you can use TextCrawler to search for eval(base64_decode("someDarkCharacterString")); and replace it with the exact code. Now you can compress the files into a ZIP file again, upload it to the website and extract it. This is one of the simplest ways to fix this infected PHP code.
You can also use any online PHP decoder tool that decodes strings encoded with eval() and base64_decode(). There are many Base64 Decode Online tools available, such as:
- https://www.unphp.net/
- https://codebeautify.org/base64-decode
- http://ddecode.com/phpdecoder/
- https://www.motobit.com/util/base64-decoder-encoder.asp
- https://www.convertstring.com/EncodeDecode/Base64Decode
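The search-and-decode pass from STEP 3, run locally on the downloaded copy of the site, as an added example (not code from the original article): it finds eval(base64_decode(...)) calls, hidden folders included, and decodes them as text without ever executing them. The sample tree, its file names, the attack-site.example URL and the REDIRECT_HINTS list are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path
# eval ( base64_decode ( "payload" ) ), any whitespace, either quote style.
PATTERN = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
# Assumed heuristics for a redirect in the decoded payload; extend as needed.
REDIRECT_HINTS = ("header(", "location:", "window.location")

def decode_layers(payload, max_depth=5):
    """Decode nested eval(base64_decode()) layers as text only; nothing is executed."""
    decoded = None
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode("".join(payload.split()), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: keep whatever was decoded so far
            break
        nested = PATTERN.search(decoded)
        if nested is None:
            break
        payload = nested.group(2)
    return decoded

def scan_tree(root):
    """Report every injected call in *.php files under root, hidden folders included."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        for match in PATTERN.finditer(source):
            decoded = decode_layers(match.group(2))
            hit = bool(decoded) and any(h in decoded.lower() for h in REDIRECT_HINTS)
            findings.append({"file": path.relative_to(root).as_posix(), "decoded": decoded,
                             "line": source.count("\n", 0, match.start()) + 1, "redirect": hit})
    return findings

def build_sample_site(root):
    """Constructed sample: a clean file, an infected file, a double-encoded hidden file."""
    inner = 'header("Location: http://attack-site.example/");'
    one = base64.b64encode(inner.encode()).decode()
    two = base64.b64encode(f'eval(base64_decode("{one}"));'.encode()).decode()
    (Path(root) / ".cache").mkdir()
    (Path(root) / "index.php").write_text(f'<?php eval (base64_decode ("{one}")); ?>\n')
    (Path(root) / ".cache" / "x.php").write_text(f"<?php\n// pad\neval(base64_decode('{two}'));\n")
    (Path(root) / "clean.php").write_text("<?php echo base64_decode('aGVsbG8='); ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(*scan_tree(tmp), sep="\n")
```

The clean file is not reported because it calls base64_decode() without eval(), so legitimate uses of the function do not drown out the injected lines.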
STEP 4: Ignoring a WordPress update can result in a MySQL injection attack that executes the PHP script:
<?php
eval(base64_decode("someDarkCharacterString"));
?>
To prevent any MySQL attacks, you can use "WordPress-MySql-Query", which displays all MySQL tables as HTML. Using this application will allow you to review the data to ensure that you can migrate the MySQL database without transferring the infection. Therefore, when you update the WordPress version, you will be prompted to update the database.
Tips to keep your page secure in the future
Here are some common tips to keep your WordPress website from being hacked in the future:
- Keep your WordPress updated with new versions.
- Only run the WordPress plugins you really need and keep them updated too, as most vulnerabilities come from non-updated WordPress plugins.
- Before downloading and installing a plugin, don't forget to check its reviews and the number of active downloads it has; the more active installations it has, the more secure the plugin is.
- Additionally, enable WordPress notifications for updates to WordPress themes, plugins, and versions.
- Always keep your core WordPress files and WordPress plugins up to date. If you are prompted to install an update to your WordPress dashboard, it is best to do so immediately.
- Regularly keep backups of your WordPress database, including files, media, and other database folders.
- Install an SSL Certificate and always use SSL when you log in to your WordPress Dashboard.