How to Manually Scan WordPress for Malware Using base64_decode (Advanced Users)

Category: WordPress Security
Level: Intermediate to Advanced
Last Updated: August 1, 2025


Overview

WordPress malware infections often rely on obfuscated PHP code hidden in themes, plugins, or uploads. One of the PHP functions most commonly abused by hackers is:

"base64_decode"

This function decodes base64-encoded strings, which attackers use to hide executable code.

This article explains how you can use the grep command via cPanel Terminal or SSH to find suspicious instances of base64_decode in your WordPress installation.

 

Why base64_decode Is Dangerous

While base64_decode is a legitimate PHP function, it's frequently used in malicious scripts to hide backdoors, spam, redirects, or worse.

Example:

<?php eval(base64_decode("ZWNobyAiSGFja2VkISI7")); ?>

This seemingly harmless code decodes the string to echo "Hacked!"; and passes it to eval(), which executes it. A real payload hidden this way may be part of a larger malware infection.


Prerequisites

  • Access to cPanel Terminal, SSH, or a File Manager with terminal emulation

  • Basic familiarity with Linux commands

  • The location of your WordPress install (typically public_html/)


Step-by-Step: Scan for base64_decode

✅ 1. Open Terminal in cPanel

  • Log in to your cPanel

  • Go to Advanced → Terminal

⚠️ If Terminal is not enabled, ask your hosting provider to enable it, or use SSH access.


✅ 2. Run the Scan Command

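Run this from the directory that contains public_html/ (usually your home directory):

grep -rn "base64_decode" public_html/

  • grep = search tool

  • -r = recursive (scan all subfolders)

  • -n = show the line number of each match

  • "base64_decode" = search pattern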

Example output:

public_html/wp-content/plugins/suspicious-plugin/file.php:12: $code = base64_decode($data);
public_html/wp-content/uploads/hidden.php:1: <?php eval(base64_decode("aWYoJGY..."));

What to Do With Results

Match Location                                    | Action
--------------------------------------------------|-----------------------------------------------
uploads/*.php                                     | Almost always malicious – delete or quarantine
Unknown plugin or theme                           | Investigate or disable
Core WordPress file (e.g., wp-config.php)         | Compare to official WP source or reinstall
Legitimate plugin (e.g., using base64 for assets) | Usually safe – check context

Optional: Isolate Only Filenames

If you want to only list filenames (easier to read):

grep -rEl "base64_decode" public_html/
 

Bonus: Scan for Multiple Suspicious Functions

You can also search for multiple bad patterns at once:

grep -rEl "base64_decode|eval\(|gzinflate|str_rot13|shell_exec" public_html/
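
The script below is an added example, not part of the original article: it runs the multi-pattern scan above, labels each matching file with the action from the "What to Do With Results" table, and can decode a quoted base64 literal for reading without executing it. The function names and action labels are assumptions made for this example, and it assumes GNU grep and base64 as found on typical Linux hosts.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names and the
# action labels are assumptions; assumes GNU grep and base64 on a Linux host.

PATTERN='base64_decode|eval\(|gzinflate|str_rot13|shell_exec'

# classify_path FILE: print the action from the results table for a match.
classify_path() {
  case "$1" in
    */wp-content/uploads/*.php)                   echo "QUARANTINE" ;;    # PHP in uploads
    */wp-admin/*|*/wp-includes/*|*/wp-config.php) echo "COMPARE_CORE" ;;  # core file
    */wp-content/plugins/*|*/wp-content/themes/*) echo "INVESTIGATE" ;;   # plugin or theme
    *)                                            echo "REVIEW" ;;        # anything else
  esac
}

# triage ROOT: print "ACTION<TAB>file" for every file matching PATTERN.
triage() {
  grep -rEl "$PATTERN" "$1" | while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_path "$f")" "$f"
  done | sort
}

# decode_literals FILE: decode quoted base64 strings passed to base64_decode so
# they can be read. Nothing is executed; cat -v neutralises control characters.
decode_literals() {
  grep -oE "base64_decode\([[:space:]]*[\"'][A-Za-z0-9+/=]+[\"']" "$1" |
    sed -E "s#.*[\"']([A-Za-z0-9+/=]+)[\"']#\1#" |
    while IFS= read -r b64; do
      printf '%s' "$b64" | base64 -d 2>/dev/null | cat -v
      echo
    done
}

# Usage: ./triage.sh public_html/
[ "$#" -eq 0 ] || triage "$1"
```

A plugin or theme hit is labelled INVESTIGATE whether or not the plugin is legitimate; the script cannot tell the two apart, so check the context of each match as the table describes.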
 
 