More than 90% of WordPress malware has obfuscated PHP programs. This article describes the obfuscation process.


Obfuscated WordPress malware code

When WordPress is hacked and tampered with due to vulnerabilities, hackers install various malicious PHP programs on the server.
Most of this malicious code is obfuscated to reduce the readability of the code so that it is not immediately obvious what the program is doing.

Examples of obfuscated code

The reason hackers obfuscate malicious PHP code is to avoid analysis and detection.

How do they obfuscate PHP code?

There are various techniques for obfuscating PHP code, and software and libraries for this purpose are available for free, or you can obfuscate code online.

Examples of sites and scripts that can obfuscate PHP code
https://www.gaijin.at/en/tools/php-obfuscator
https://php-minify.com/php-obfuscator/
https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php
https://github.com/mnestorov/php-obfuscator

Hackers use sites like this to obfuscate malware code and embed it in their servers.

There are also services available to de-obfuscate the obfuscation.
http://php-decoder.site/
https://www.unphp.net/

Where is the obfuscated malware code?

Obfuscated malicious code is generally unmolded, very long, one-line programs that often contain many random strings of characters that are easily recognized by the naked eye.

However, because PHP code can be placed anywhere on a server, it can be located in deep hierarchies and can be difficult to detect because WordPress contains over thousands of files of programs.

It would be easier to detect malware by using a plugin that detects malware and comprehensively inspects all files.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

What if I still can’t get rid of it?

Malware detection plug-ins use pattern matching to detect malware, so they can find more malicious code much more easily than human work, but new malware is not yet included in the pattern detection database, or obfuscation process may change from site to site There is also advanced malware that is not yet included in the pattern detection database, or that has a different obfuscation process for each site.

Such malware may be difficult to detect and remove using plug-ins alone. If you have malware that cannot be fully removed, we recommend that you consult a specialist.

Related Posts:

  1. What is a web shell, a type of WordPress malware?
    There have been an increasing number of cases of web shells, a type of WordPress malware, becoming more sophisticated in recent years. We will explain about web shells....
  2. WordPress: How the Malware Scan & Security plugin can detect malware with high accuracy.
    The following is a partial introduction to the highly accurate malware detection mechanism in the [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal] released by WordPress Doctor....
  3. Characteristics of malware code when WordPress is tampered with
    We will explain what kind of malware (programs that perform malicious behavior) can be embedded in a site when WordPress is defaced by hackers....
  4. Characteristics and decoding methods of malware code infecting WordPress
    We will explain the characteristics of malware code embedded by WordPress tampering and how to make the code readable and analyze its contents....
  5. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  6. eval function used in over 50% of WordPress malware (tampering and viruses)
    We will explain the process called eval, which is used in more than half of the malware files detected by WordPress Doctor, and how to stop eval....