Fixing eval(base64_decode in WordPress
Today’s “to do” list was obliterated with the need to fight malware on 8 of my websites running WordPress. (all on a shared hosting account) A plugin introduced a “base64 code” onto every single .php file of the WordPress system which redirected referring links to a malicious site. (I wont even type in the link to ensure it doesn’t get anymore links from me.) Essentialy, my websites worked great, all content accounted for. However if someone attempted to visit my site from aol, yahoo, google, google+, facebook, myspace and more, then they would be sent to the other site.
This obviously is a HUGE problem and I have learned a lot from this experience.
My purpose in writing is to offer a solution to others with the problem. All it requires is Notepad++ & an ftp client.
- Download all files to your computer from where your WordPress System is installed. This can be either your root (“public_html”) or in a sub folder (“public_html/blog”).
- all other misc. files
- Open up “index.php” – immediately you should see a code like this:
The code that is creating all your problems is
That long string of code can be decoded using this website where you will find out what the code is actually doing.
- Next step is to remove that code from ever .php file in your site; which if you had to do that manually, would be disastrous. However thanks to Notepad++ and the “Find in Files” tool – this is actually quite a bit easier.
- Highlight the code to be removed “eval(base64_decode( ));”
- Click “Search > Find in Files” or Keyboard shortcut: Ctrl + Shift + F
- The Find What field should now be filled out with your highlighted code.
- Leave the Replace With field empty. (Because we are deleting the code to nothing)
- Leave the Filters drop down empty. (It will auto populate as *.* when you perform search)
- In the Directory box, navigate to where ever you downloaded your site too.
Your Find in Files prompt should look similar to this:
- Now press Replace in Files. You will have a pop up that says “Press enter to cancel” DO NOT CLOSE OR PRESS OK on this prompt.
- When the program completes the replacement you will get a new pop up that says something along the lines of, “Replaced 1287 occurences.”
At this point your site is officially cleaned of spam base64 code. Upload the new site files and voila! Good as new.
Be sure to only use trusted plug-ins; block spam comments & users and above all backup your site often.