Hello, ever noticed some weird keywords in your Google Webmaster Tools? This is how i actually draw attention to a problem on one site, i was cleaning from BASE64_DECODE problem in recent days.
If you open your website and view source (ctrl+u) scroll to footer and you may notice all the junk stuff in there with padding -5000px (this is done for this viagra and cialis links not to appear on the visible part of main page – they are hidden, but they exist).
So how do we fight it? My experience says, that you should start with a database. Because if you don’t clean your database, it is useless to clean injected code in your php files, since it will appear over and over again.
1. Database cleanup
Open your wp-config.php and find username (MySQL database username) and password (MySQL database password), as well as url for your PHPMyAdmin (MySQL hostname). Login, click your database and go to SQL tab. Enter this:
SELECT * FROM wp_options WHERE (option_id LIKE ‘%base64_decode%’ OR blog_id LIKE ‘%base64_decode%’ OR option_name LIKE ‘%base64_decode%’ OR option_value LIKE ‘%base64_decode%’ OR autoload LIKE ‘%base64_decode%’ OR option_id LIKE ‘%edoced_46esab%’ OR blog_id LIKE ‘%edoced_46esab%’ OR option_name LIKE ‘%edoced_46esab%’ OR option_value LIKE ‘%edoced_46esab%’ OR autoload LIKE ‘%edoced_46esab%’ OR option_name LIKE ‘wp_check_hash’ OR option_name LIKE ‘class_generic_support’ OR option_name LIKE ‘widget_generic_support’ OR option_name LIKE ‘ftp_credentials’ OR option_name LIKE ‘fwp’ OR option_name LIKE ‘rss_%’) order by option_id
Your wp_options table may have a different name, if so change to your name.
It will show up all entries in wp_options, which are not relevant to this table and should be deleted.
2. Plugins and themes
Plugins and themes are also vulnerable if they are outdated or even worse – not supported anymore. Update all your plugins (and delete unnecessary), all your themes and DO delete the ones you are not using. It is a must! When i was fighting the virus i spend lots of time cleaning database and garbage from php files, but the problem was in func.php file in default wordpress theme, which was outdated and had a hole obviously. Quite stupid wasting so much time, when solution is so simple, isn’t it?
3. Cleaning .php files
Only after part 1 and 2 are done you may start to clean the code. Otherwise you will loose time, patience and may be even your blog. I suggest to download your site completely to your HDD. If you have windows, turn on indexing inside .php files. After you are done, search in your directory, you have downloaded, for base64_decode and all the garbage, which comes with it and clean your .php files from it.
4. Move to another hosting
It may look painful, but if you are really frustrated with the pharma hack, you should consider moving to a new host.