Wordfence Security
[resolved] 'base64_decode warning in a number of files? (3 posts)

  1. yamahaforums
    Member
    Posted 2 months ago #

    I took over a site recently which had been hacked a number of times in the past. No security plugins had ever been installed and the hack is still present, mostly within the theme files but also I think in one of the Contact form plugins.

    The warning I am seeing is as follows:

    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode(' (without quotes).

    I just want to confirm before I delete anything if there is ever a legitimate reason for this code to be present in any files in a WordPress install? I'm pretty sure the files flagged are the hacked ones but never hurts to double check.

    Thanks

    https://wordpress.org/plugins/wordfence/

  2. rngdmstr
    Member
    Posted 2 months ago #

    No core WordPress files will include eval or base64.

    Some legitimate files in plugins or themes will use eval/base64, but most often it is a sign of malware. Base 64 is a way of obfuscating / encrypting a file - some code authors that are concerned about people 'copying' their code will do this to their files, but not very often.

    If you are not sure, the best thing to do is download fresh copies of the plugins / themes in question and compare the code with what you find in your site files.

    You can use this tool to compare files: http://www.diffnow.com/

    It is very common to have eval base64_decode code injected into the top or bottom of files, so if you see any code containing this that looks like an ugly tumor in your file then you've probably found the culprit.

  3. Wordfence
    Member
    Plugin Author

    Posted 2 months ago #

    Examine each file individually before deleting.

    But note that Wordfence includes a feature that prevents false positives on known files. So if we find base64/eval we do a second check to see if the file is a known file in the repository (any version of any core, theme or plugin file in the repo) and if it's known we won't flag it.

    So it's very likely these are malicious files.

    Regards,

    Mark.
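
The triage the replies above describe (find PHP files containing both strings, then compare them with fresh copies of the same plugin or theme), as an added example that is not part of the thread and is not Wordfence's code. The function names, status labels and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# The two strings quoted in the scanner warning on this page.
MARKERS = (b"eval", b"base64_decode(")


def triage(site_dir, clean_dir):
    """Map each flagged PHP file (relative path) to how it compares with the fresh copy."""
    site, clean = Path(site_dir), Path(clean_dir)
    results = {}
    for path in sorted(site.rglob("*.php")):
        data = path.read_bytes()
        # PHP function names are case-insensitive, so match on lowercased bytes.
        if not all(m in data.lower() for m in MARKERS):
            continue
        rel = path.relative_to(site)
        ref = clean / rel
        if not ref.is_file():
            status = "not-in-fresh-copy"   # file the fresh download does not ship
        elif hashlib.sha256(ref.read_bytes()).digest() == hashlib.sha256(data).digest():
            status = "matches-fresh-copy"  # known file, likely a false positive
        else:
            status = "modified"            # diff it against the fresh copy
        results[rel.as_posix()] = status
    return results


def build_sample(root):
    """Constructed sample trees: 'fresh' download vs. the 'site' on disk."""
    legit = b"<?php function run($c) { return eval(base64_decode($c)); }\n"
    plain = b"<?php echo 'hello';\n"
    injected = b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n"  # decodes to: echo 1;
    files = {
        "fresh/theme/lib.php": legit, "fresh/theme/index.php": plain,
        "site/theme/lib.php": legit,                   # unchanged, contains both markers
        "site/theme/index.php": injected + plain,      # injected at the top of the file
        "site/theme/cache.php": injected,              # extra file not in the download
    }
    for name, body in files.items():
        target = Path(root, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return Path(root, "site"), Path(root, "fresh")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, status in triage(*build_sample(tmp)).items():
            print(f"{status:20} {name}")
```

Files reported as `modified` or `not-in-fresh-copy` are the ones to examine individually before deleting; the script only reads files and changes nothing on disk.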
