Base64_decode in WP installation files

  • I need help to clarify something about base64_decode code please.

    After reading a lot about it on the forum I’m still not clear if base64_decode code is safe or a hack.

    I have an account on a shared hosting site and installed WordPress using an automated install provided by the site. I used the Exploit Scanner plugin and it showed there were several files with this code in my installation. I thought it might be caused by some of the plugins I used so I uninstalled it and reinstalled WordPress again without any other themes or plugins. I only installed Exploit Scanner again to search for it and it found it again in several files.

    I removed this installation of WordPress and today installed a new WordPress (using the automated install) and did not install any plugins (not even Exploit Scanner) and zipped the files in that directory and downloaded it and did a keyword search using Windows Grep to check for it and it found base64_decode in 7 files in the WordPress directory –

    Here are the files and the location of the code –


    [ Malware redacted, please do not post that here again. ]

    It seems this code is showing up in the basic installation files of WordPress without any plugins or themes being added.

    My questions are –

    1. Is it possible for WordPress to please confirm they are including this code in their installations or provide a way to check which ones are ok or safe and which ones are not?

    2. Is there any way I can check if these specific codes are safe?


Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator bcworkz


    base64_decode() does have legitimate uses and it does legitimately appear in core WP code and several plugins. You can confirm legitimate code by downloading a fresh copy from (only!) and comparing files. To be extra sure, be sure a hash of the downloaded file matches the published hash for the file.

    Any base64_decode() calls in core files that do not match downloaded versions should be assumed malicious and the security of your entire site becomes questionable. There’s no sure way to determine maliciousness, though large amounts of data to decode should be suspect. Any attempts at obfuscating the function, such as reversing the character order (edoced_46esab) are also highly suspect.
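    The file comparison described in the reply above can be scripted. This is an added example, not part of the original thread and not WordPress tooling: it hashes every file in an installed tree against a freshly downloaded reference tree and reports files that differ, flagging those that contain base64_decode or its reversed spelling. The function names, the use of SHA-256 for the comparison, and the sample trees built in demo() are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The plain call plus the reversed-name trick mentioned in the reply.
SUSPECT = re.compile(rb"base64_decode|edoced_46esab", re.IGNORECASE)

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def index_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def audit(installed_root, reference_root):
    """Return (relative_path, status, has_suspect_pattern) for every mismatch."""
    ref, inst = index_tree(reference_root), index_tree(installed_root)
    findings = []
    for rel, digest in sorted(inst.items()):
        if ref.get(rel) == digest:
            continue  # byte-identical to the fresh copy: nothing to review
        status = "modified" if rel in ref else "extra"
        data = (Path(installed_root) / rel).read_bytes()
        findings.append((rel, status, bool(SUSPECT.search(data))))
    # Files present in the fresh copy but absent from the site.
    findings += [(rel, "missing", False) for rel in sorted(set(ref) - set(inst))]
    return findings

def demo():
    # Constructed sample trees; a real run points at the site and a fresh download.
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "fresh"), Path(tmp, "site")
        for root in (ref, inst):
            (root / "wp-includes").mkdir(parents=True)
            # Legitimate use, identical in both trees, so it is not reported.
            (root / "wp-includes/a.php").write_text("<?php $d = base64_decode($s);\n")
            (root / "index.php").write_text("<?php // loader\n")
        with open(inst / "index.php", "a") as f:
            f.write('$f = strrev("edoced_46esab");\n')  # constructed tampering
        (inst / "wp-includes/x.php").write_text("<?php // unknown file\n")
        return audit(inst, ref)

if __name__ == "__main__":
    for rel, status, hit in demo():
        print(f"{status:9} suspect={hit!s:5} {rel}")
```

    On a real site, wp-config.php, uploads, themes and plugins show up as extra because they are not in the core archive; compare themes and plugins against their own fresh copies.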

    Many thanks for your help.

    too bad….. pharma hackers use this to continue their assaults.

    just makes me wonder why continue to use this susceptible code?

    just makes me wonder why continue to use this susceptible code?

    base64_decode() by itself is not “susceptible”. It’s a valid solution to a very common problem faced by a lot of developers. It’s how it’s used in a block of code that can lead to issues if the code is written as a hack. The legitimate uses of it in core and plugins are not a problem because the code around it doesn’t do anything bad. It’s just a tool, it’s how the tool is used that’s the problem, not the tool itself. 🙂

    just makes it too easy to hack. that and way too many files and scripts.

    Sorry Rene, but you are wrong. Using base64_decode() by itself does not give someone the ability to hack a site. It’s how it’s used in the code that’s the problem. The only reason that it’s so popular with hackers is because they can obfuscate their hack code so people don’t recognise it as easily. There’s a lot more “tricks” that hackers use as well, and all of them have legitimate uses, but are being used in nefarious ways.

    Think about it like this… You have a hammer. A hammer can be used to build something great, but it can also be used to hurt someone. It all depends on how it’s used. Does this make using a hammer bad? Does it mean that no one should ever use a hammer again? It’s the same situation with using this in your code. Used the right way, it’s safe. Used the wrong way, it’s bad. It’s all about how it’s used – not the function itself.

    don’t agree. but then you probably haven’t been fighting an ongoing pharma hack for 10 months like I have. a futile fight by the way.
    and don’t give me all those links to out-dated articles on how to eliminate it.
    WordPress has built in vulnerabilities, and no way to automatically guard against them without enormous effort.

    I’ve been fighting hacks here for over 2 years, so I do know, and I do understand what it’s like. Every hack that I’ve found was not because of base64_decode(), the ones that had it only used it in the code that was injected by the hack. That’s a very big difference.

    To be honest, if you’re fighting something for that long, and it’s the same attack over and over, there’s something else that you’re not looking at. With all of the attacks that I’ve seen, the attack vector was an insecure theme. So far I haven’t found any on all of the sites that I manage that have come through any vulnerability in WordPress itself. I’d suggest that you take a very close look at your theme and your plugins because those are by far the most common problems. From my own experiences after I patched the issues in the hacked sites’ themes, the hacks didn’t re-occur, and no more occurred after the fixes that I put in place – and keep in mind that these were all theme-based, not in WordPress itself. That’s what makes me say this with a fair bit of authority.

    If you can find any vulnerabilities in WordPress core, then please contact the WordPress security team so that they can find and patch these issues.

  • The topic ‘Base64_decode in WP installation files’ is closed to new replies.