WordPress Base64 hacks have been around for awhile. Basically, an exploit in wordpress or one of your plugins allows a user to insert malicious code into your wordpress core files or your wordpress theme. If your users are complaining of malware on your wordpress site, it’s a good bet you’ll find some base64 encoded code in your files. The problem is, it’s hard to look through all your files, and what if, after you’ve fixed everything — there is another attack.
Base64 is used to hide code in your files by encoding it in a way that makes in meaningless to the human eye. Say you know your site is infected because you go to it and see that it’s redirecting you to xyzspamsite.com — being savy with computers, you download all your files from your host and do a search through them all for xyzspamsite.com to find the problem. You come up with nothing. Why? Because the URL has been encoded in base64 and the exploited code is DECODING it using a php function called base64_decode.
Encoded xyzspamsite.com looks like this: eHl6c3BhbXNpdGUuY29t
So, you have been defeated, unless you go to a website and use a base64 encoding script to get the URL encoded and then go search your files. Still, this is a long process. So, I have made it simple. I’ve created a small and simple to use plugin for wordpress that will scan your wordpress files and find potential threats. It will then report which files and what the code looks like. In very specific cases (which I mention later) it will render the hacked code inert, so that no more users will be infected and it will give you enough time to clean the files manually.
There are only a few situations where the plugin will clean your code. They are if you have been using a new exploit that is yet unfixed — and the scanner finds one of the following lines in your code:
Both of these lines are base64 encrypted links, that when the code executes, generate malware on your website. The cleaner will remove that code, causing the malware to never be dumped onto your site. You still need to manually remove the rest of the inserted code (though you can do it at your own pace since the malware SHOULD now be inert).
To install the plugin, You MUST backup your files before running this plugin! Download the zip file, unzip it on your local machine, upload the directory to your the wp-content/plugins folder, go to your wordpress admin dashboard, click plugins, activate Injection Scanner, go to settings and click on injection scanner, hit scan.
I, nor Storm Code offer any warranty or guarantee of this product. You use it at your own risk. It is still very much beta. You MUST backup your files before running this plugin! I nor Storm Code is responsible for any potential issues you face. It is released in it’s current state under the GUN Public License.