How to Remove ‘Eval Base 64’ Virus Code From Your WordPress Site

I use WordPress a lot and any time mine or a client’s WordPress site gets hacked, it seems to be the same way, ie multiple blocks of code get injected into all the site’s files, particularly files in the ‘wp-content’ folder, so your theme and plugin files. The code always seems to start with “eval(base64_decode” followed by a long string of random looking characters. I won’t pretend to know how the code works, what it does or how it gets in in the first place but here’s how to get rid of it.

Removal:

First off I would do a manual upgrade of WordPress core as opposed to using the auto update function in WordPress admin which probably only updates certain files. A manual upgrade involves deleting all wordpress files and folders off the server via ftp EXCEPT the following ones:

  • wp-content
  • .htaccess
  • wp-config.php

And any other files you’ve customised or added, eg – Google Webmaster files, etc..

Then upload a fresh set of files from the latest WordPress version taking care not to upload any of the skipped files above or you’ll overwrite important settings and content.

Visit http://www.your-website.com/wp-admin and you’ll be prompted to upgrade the WordPress database so do that.

Next, download the above files and folders, wp-content, .htaccess & wp-config.php. You may need to turn off your anti-virus program as I did or it won’t let you download the files. It’s safe enough to do temporarily. Look in one or two of the downloaded php files for virus code similar to below:

Virus Code

Select & copy one instance of the virus code and use a program capable of doing Search and Replace in multiple files. I use Dreamweaver as below which lets me search for the same code in all files within a certain folder and replace it with blank space, which is the same as just deleting it. So I pick the root folder that contains all my website/wordpress files:

Dreamweaver

When Dreamweaver’s removed all the dodgy code from the site files, same them and re-upload.

Secure Your WordPress Site:

Now that you’ve cleaned out your viruses, make sure they don’t get back in by doing the following:

  • Change your Hosting, FTP, WordPress Admin & Database passwords.
  • Pick a long password (12 characters) and include upper & lower case, numbers and even symbols.
  • Add some security plugins to WordPress, WP Security Scan & SI Captcha Anti-Spam are 2 I use.

Stay safe.

Leon

Advertisements

Published by

Leon Quinn

Multimedia Design company in Leitrim, Ireland specializing in WordPress Website Design, Photoshop and Graphics. www.reverbstudios.ie

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s