17 Feb 2024
Base64 encoding is a technique used to convert code, such as PHP, into a line of numbers, letters, and characters. It was initially used in the mid-2000s to make a piece of copyright code unrecognizable or to prevent easy modifications. However, nowadays, Base64 is often used to obfuscate malicious code and hide it within websites. The encoded code remains unreadable until it is executed, becoming active once executed.
Free online Base64 encoders are available that can help execute or reveal the encoded code. As an example, I have taken the following code and run it through the encoder:
“`html
OntwerpExpert
“`
The encoded version looks like this:
“`
PGEgaHJlZj0iaHR0cDp3d3cub250d2VycGV4cGVydC5uZXQiPk9udHdlcnBFeHBlcnQ8L2E+
“`
As you can see, the encoded version is not easily recognizable, but it can be decoded back into its original form.
If your website contains Base64-encoded code, you may not notice it immediately. Such scripts are often written to operate stealthily, avoiding detection to remain active for as long as possible. The code can find its way into your website through vulnerabilities, not only as complete files but also as small lines in your index.php, header.php, and other files.
It is crucial to find and remove all instances of such code. A single line of code could serve as a backdoor and reintroduce the codes even after you have removed them.
**Prevention is better than cure.** To prevent scripts from adding code to your website, ensure that files are not writable where they shouldn’t be. Keep your plugins up to date as outdated plugins are often exploited by hackers to gain access to websites.
If you find Base64-encoded code in your website’s theme, plugins, or uploads directory, it is highly likely that your website has a vulnerability. In such cases, it’s essential to seek professional help to remove the malicious code and secure your website. You can contact WPbeveiligen to assist you in this process.
