Base64_decode in WP installation files

base64_decode() does have legitimate uses and it does legitimately appear in core WP code and several plugins. You can confirm legitimate code by downloading a fresh copy from www.remarpro.com (only!) and comparing files. To be extra sure, be sure a hash of the downloaded file matches the published hash for the file.

Any base64_decode() calls in core files that do not match downloaded versions should be assumed malicious and the security of your entire site becomes questionable. There’s no sure way to determine maliciousness, though large amounts of data to decode should be suspect. Any attempts at obfuscating the function, such as reversing the character order (edoced_46esab) are also highly suspect.

Many thanks for your help.

too bad….. pharma hackers use this to continue their assaults.

just makes me wonder why continue to use this susceptible code?

just makes me wonder why continue to use this susceptible code?

base64_decode() by itself is not “suceptible”. It’s a valid solution to a very common problem faced by a lot of devlopers. It’s how it’s used in a block of code that can lead to issues if the code is written as a hack. The legitimate uses of it in core and plugins are not a problem because the code around it doesn’t do anything bad. It’s just a tool, it’s how the tool is used that’s the problem, not the tool itself. ??

just makes it too easy to hack. that and way too many files and scripts.

Sorry Rene, but you are wrong. Using base64_decode() by itself does not give someone the ability to hack a site. It’s how it’s used in the code that’s the problem. The only reason that it’s so popular with hackers is becuase they can obfuscate their hack code so people don’t recognise it as easily. There’s a lot more “tricks” that hackers use as well, and all of them have legitimate uses, but are being used in nefarious ways.

Think about it like this… You have a hammer. A hammer can be used to build something great, but it can also be used to hurt someone. It all depends on how it’s used. Does this make using a hammer bad? Does it mean that no one should ever use a hammer again? it’s the same situation with using this in your code. Used the right way, it’s safe. Used the wrong way, it’s bad. It’s all about how it’s used – not the function itself.

don’t agree. but then you probably haven’t been fighting an ongoing pharma hack for 10 months like I have. a futile fight by the way.
and don’t give me all those links to out-dated articles on how to eliminate it.
WordPress has built in vulnerabilities, and no way to automatically guard against them without enormous effort.

I’ve ben fighting hacks here for over 2 years, so I do know, and I do understand what it’s like. Every hack that I’ve found was not becuase of base64_decode(), the ones that had it only used it in the code that was injected by the hack. That’s a very big difference.

To be honest, if you’re fighting something for that long, and it’s the same attack over and over, there’s something else that you’re not looking at. With all of the attacks that I’ve seen, the attack vector was an insecure theme. So far I haven’t found any on all of the sites that I manage that have come thorugh any vunerability in WordPress itself. I’d suggest that you take a very close look at your theme and your plugins because those are by far the most common problems. From my own experiences after I patched the issues in the hacked sites themes, the hacks didn’t re-occur, and no more occured after the fixes that I put in place – and keep in mind that these were all theme-based, not in WordPress itself. That’s what makes me say this with a fair bit of authority.

If you can find any vunerabilities in WordPress core, then please contact the WordPress security team so that they can find and patch these issues.