Title: 2012 php eval(base64_decode hack issues
Last modified: August 20, 2016

---

# 2012 php eval(base64_decode hack issues

 *  [kerchmcc](https://wordpress.org/support/users/kerchmcc/)
 * (@kerchmcc)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/2012-1/)
 * I maintain about 30 websites, mostly with at least one WordPress installation
   in each. (I am embarrassed to confess.. Some have been better kept up to date
   than others… However, I’m FIXING THAT!)
 * I did not have gibberish in either my wp-config.php files or in footer.php that
   some other people reported with the base64 problem.
 * However, this code showed up this week at the very top of the index.php files:
   `<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw...`
   followed by blah blah blah with lots and lots of letters and numbers!!
 * I deleted that stuff… and it scans clean with sucuri.net but in a little bit..
   less than an hour.. it all comes back.
 * I generally keep my wp installations in a different folder than the root directory.
   It seems to look like whatever is causing the trouble is also adding a second
   index.php where it THINKS that file should be. Both have generally had the bad
   code.
 * It seems to be limited by user. So if my infected user has access to 20 sites,
   then 20 sites get infected.
 * If a different user has only one site.. then that site might not be infected.
 * Here’s what I’m trying.
    1. I made a new user in my host account
    2. Change the authentication strings in wp-config.php (generating new ones
       here: [https://api.wordpress.org/secret-key/1.1/salt/](https://api.wordpress.org/secret-key/1.1/salt/))
    3. delete the eval(base64 etc code
    4. Then immediately change the user to a new clean one.
 * So far.. so good.
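
Added example, not part of the original post: a read-only Python check for the injected line described above. It flags PHP files containing `eval(base64_decode(` and decodes the start of the string without executing it (the prefix quoted in the post decodes to `error_reporting(0)`); the sample tree, file contents and placeholder payload in `demo()` are constructed.

```python
import base64, re, tempfile
from pathlib import Path

# Matches eval(base64_decode('...')) and captures the encoded argument.
INJECT = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]?", re.I)

def decode_preview(b64: bytes, limit: int = 60) -> str:
    """Decode (never execute) the start of the payload for triage."""
    chunk = b64[: len(b64) - len(b64) % 4]   # whole 4-char groups only,
    return base64.b64decode(chunk)[:limit].decode("latin-1")  # so truncated input works

def scan(root) -> list:
    """Return one finding per PHP file under root that contains the pattern."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.php")):
        m = INJECT.search(path.read_bytes())
        if m:
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "at_top": m.start() < 64,       # the post saw it at the very top
                "mtime": path.stat().st_mtime,  # changes again if the file is re-infected
                "preview": decode_preview(m.group(1)),
            })
    return findings

def demo() -> list:
    """Build a constructed site tree with a harmless payload and scan it."""
    payload = base64.b64encode(b"error_reporting(0);\n/* constructed placeholder */")
    bad = (b"<?php eval(base64_decode('" + payload + b"')); ?>\n"
           b"<?php require 'wp-blog-header.php';\n")
    root = Path(tempfile.mkdtemp())
    (root / "wp").mkdir()
    (root / "index.php").write_bytes(bad)         # the extra index.php in the web root
    (root / "wp" / "index.php").write_bytes(bad)  # the real WordPress index.php
    (root / "wp" / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'x');\n")
    return scan(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `scan()` again after a cleanup and comparing the `mtime` values shows which files were rewritten in the meantime.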


 *  [Christine Rondeau](https://wordpress.org/support/users/crondeau/)
 * (@crondeau)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/2012-1/#post-2483615)
 * you may also want to go through this info – [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 * and this one – [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)


The topic ‘2012 php eval(base64_decode hack issues’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [Christine Rondeau](https://wordpress.org/support/users/crondeau/)
 * Last activity: [14 years, 5 months ago](https://wordpress.org/support/topic/2012-1/#post-2483615)
 * Status: not resolved

