How To Fix ?eval(base64_decode()) Php Hack in WordPress [Guide]

Eval Php Exploit

Within a period of one month, we received multiple requests of cleanups from our clients and we were pretty happy to be the best in WordPress cleanups. While communicating with one of the clients on various reasons for website hacking, we came to know that his WordPress website is victim of eval base64 decode hack i.e. when a user is trying to access their website on search engine, he is redirected to an attack site.

When a trusted website is being redirected to an attack website [Also See – WordPress hacked redirect], it means the website is hacked and the hacker has modified some Php scripts to create the automated redirection.

So here I decided the next topic I will be writing on. Though I needed to do huge research on the whole concept, finally I have sum up every single piece to make you understand how to remove eval(base64_decode()) from a hacked WordPress site .

Beginning with the six step guide on Cleaning php eval(base64_decode()) hack from a WordPress site, let us tell you the key-points of the article:

?What is eval base64 decode?

?What does eval base64 decode code do?

?How does php eval(base64_decode works?

?How to get rid of eval-base64_decode like PHP virus? [Various tools to decode base64 string]

?Tips for preventing eval php exploit in wordpress

What is eval base64 decode hack?

Eval PHP Exploit is a code execution that is obfuscated by a base64 encoding scheme, the only reason this would be present is to hide malicious code. Generally if you find any suspicious base64 encoded commands you should decode strings and see what they contain.

An eval base64 is a php function of hacked code which is used by hackers to gain control over your website. Adding  eval(base64_decode) code in PHP files helps the hackers to illegitimately enter your website and try to use to use your site for malicious purposes. Now this seems extremely dangerous. This code is not hard to remove manually from all of PHP written files but what if the all of the WordPress websites got infected by the malicious code again! We need to understand the main cause of the malicious code injection.

After investigating, we found the reasons behind the hacking of wordpress websites using eval base64 decode, listed below:

1. Running an outdated version of WordPress.
2. Type of hosting you use (shared, dedicated, virtual).
3. Vulnerable admin account exploit. [WordPress Exploit Unauth-Password-Reset]
4. Compromise of your ftp/ssh/web console/etc account with your provider. If you ever send your password via an unencrypted protocol (like FTP), stop doing that.
5. Loopholes in the code written.
6. Installing outdated themes which use old php scripts.
7. Old and vulnerable versions of themes. [Use our vulnerability Scanner to Find common WordPress Security Vulnerabilities]
8. Are all software, for example – Is Apache HTTP Server updated?

What does the malicious “eval base64 decode” code do?

If your PHP files are being injected by eval base64 decode code line, the users coming from different search engines like Chrome, Firefox, yahoo, bing etc will be automatically redirected to a malicious website. This is what an “eval(base64_decode(“someObscureCharacterString”));” can do.

In simple words, the eval base64 decode is a php function call encoded in base64 which runs the decoded code. This helps the hacker to run any Php function and inject malware on your website.

How does it works?

There must be some code on your website which permits the malicious script of hacker to get executed on your server. A hacker obfuscates malicious script by hiding it under the PHP base64_encode() function. Well, this script calls the base64_decode() function to unhide all of php files within your website.

Finally, the PHP eval()function is used to ‘run’ (or EVALuate) the malicious code. As seen, hackers place the malicious line at the top of as many PHP files as they can. Some intelligent hackers also place this function inside hidden folders which lets the hacker re-enter the website and make desired changes to the code in order to create automated redirection.

Detecting malware in a wordpress website and fixing it is tedious and time consuming . You have to go through every results to determine if there is malicious code being executed.

But thanks to our wordpress malware scanner, now you can skip through the tedious process. Once you submit your website in our online WordPress Base64 Hack Cleanup tool, it carefully analyzes all the files on your WordPress website for any malicious code . If you also need professional help to get rid of “eval(base64_decode)”, feel free to contact us here.

New Updated – 60+ WordPress Vulnerability Scanners & Security Tools 2024 – An Ultimate List

How to perform WordPress eval base64 hack cleanup?

In order to perform base64 hack cleanup on a WordPress website, follow these steps as mentioned:

STEP 1 – Make sure you always stay up-to-date with the new releases of WordPress versions.  If you are running an older version, it is important to update your WordPress to its latest version.

STEP 2 – Before you update your WordPress version, we strongly recommend you to keep a backup of all php files (can use this PHP Backup Utility). In case, anything goes wrong, at least you have backup of the entire website data and will not lose anything. Thus, move all your files to a backup folder and then create a backup tarball.

STEP 3 – Decoding eval(base64_decode(“someObscureCharacterString”));

While trying to decode the eval base64 decode code, removing the injected code manually is not really that hard.  You can simply compress the whole website, and then download it to your system.

Here you can use TextCrawler to search “eval(base64_decode(“someObscureCharacterString”));” and replaced it with the exact code. Now you can compress the files to a ZIP file again, and upload it to the website and extract. This is one of the simplest way to fix this PHP infected code.

Here you can use any online PHP Decoder tool that decrypts strings encoded with eval() and base64_decode(). There are many other Base64 Decode Online tools available such as :

• https://codebeautify.org/base64-decode
• http://ddecode.com/phpdecoder/
• https://www.motobit.com/util/base64-decoder-encoder.asp
• https://cryptii.com/base64-to-hex
• https://www.convertstring.com/EncodeDecode/Base64Decode
• https://www.freeformatter.com/base64-encoder.html
• https://www.url-encode-decode.com/base64-encode-decode/

STEP 4 – Ignoring a WordPress update may result in a mySql injection attack that executes the PHP script:

<?php

eval(base64_decode(“someObscureCharacterString”));

?>

In order to avoid any mySql attack, you can use “WordPress-MySql-Query”  which display all the mySql tables as HTML. Using this app will allow you comb through the data, to insuring that you can migrate the mySql database without transferring the infection. Thus when you will update WordPress Version, you will be prompted to upgrade the database.

How to prevent this hack from reoccurring?

Manual removal seemed to be a tedious and time consuming process. And, one important thing which I observed after  few days was that the website got infected with malware again and redirected automatically to abchfws.com. Now what?

Here are the steps that will prevent your website from reoccurring of eval base64 decode function call:

1. Make sure you absolutely trust the security of your host. Ask them how soon they patch their services in case web vulnerabilities come out.
2. Try to pay more for dedicated or virtual-dedicated hosting. Less people using the server means less vectors to attack.
3. Keep your own third party applications/libraries up to date. Get on their mailing list, RSS feeds, or anything to stay up to date with their releases.
4. Audit your own code. If you aren’t experienced enough, you can find someone and then pay for it.
5. Keep your site in version control like git or subversion. Keep your production directory as a working copy so you can easily detect changes from your code base (but make sure to block access to metadata like .git and .svn dirs).

If still after cleaning up your website, your website is getting infected with the same code again and again, then it might be possible that that the attacker dropped some files deep inside some folders that gives them access to your website. In this case you can contact us and our wordpress security experts will get in touch with you.

Tips for Staying Safe In The Future

Here are a few common tips to avoid the hacking of your WordPress website in the future:

• Keep your WordPress updated with new version releases.
• Only run WordPress plugins that you absolutely need and keep them updated as well, as most vulnerabilities come from outdated WordPress plugins. [See – Best WordPress Security Plugins in 2024 [Updated List]]
• Before downloading and installing a plugin, don’t forget to look into its reviews and number of active downloads it has; the more active installations it has, the more secure plugin is.
• Also, enable the notifications for updates to the wordpress themes, plugins and well as wordpress versions.The earlier, the better.
• Always keep your WordPress core files and your WordPress plugins updated. If you’re prompted to install an update on your WordPress dashboard, it’s best to do it immediately.
• Keep regular WordPress database backup including files, media and other database folders. Make sure you keep a weekly and a monthly backup.
• Install an SSL Certificate and always use SSL when logging into your WordPress Dashboard.
• Read WordPress Security Tips To Secure Your Website so you can better protect your website for future vulnerabilities.There are many other safe practices you can enable on your WordPress site for best practices – this list here is a very comprehensive list of how to prevent hacking and how to remove malware from WordPress website.

Other Interesting Articles You Must Read:

• How To Fix 503 Service Unavailable Error in WordPress site
• How to Fix WordPress Stuck in Maintenance Mode?
• WordPress Security Checklist Guide 2024
• Fix “This Account Has Been Suspended” WordPress