By the author's count, more than 90% of WordPress malware consists of obfuscated PHP. This article describes how that obfuscation is done, how it can be undone, and where the code hides.


Obfuscated WordPress malware code

When a WordPress site is compromised through a vulnerability, the attacker installs malicious PHP programs on the server.
Most of this code is obfuscated: it is rewritten to be as unreadable as possible, so that a reader cannot immediately tell what the program does.

Examples of obfuscated code

Attackers obfuscate malicious PHP for one reason: to hinder analysis by people and detection by scanners.

How do they obfuscate PHP code?

There are various techniques for obfuscating PHP code: encoding it with base64, compressing it with gzdeflate, rotating letters with str_rot13, reversing strings, renaming variables to meaningless names, and wrapping the result in eval() so it is only decoded at run time. Free software and libraries exist for this, and there are online services that obfuscate code for you.

Examples of sites and scripts that can obfuscate PHP code
https://www.gaijin.at/en/tools/php-obfuscator
https://php-minify.com/php-obfuscator/
https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php
https://github.com/mnestorov/php-obfuscator

Attackers use tools like these to obfuscate their malware before planting it on the compromised server.

There are also online services that de-obfuscate such code:
http://php-decoder.site/
https://www.unphp.net/

Where is the obfuscated malware code?

Obfuscated malicious code is typically an unformatted, very long, single-line program containing long runs of random-looking characters, which makes it easy to recognise by eye once you are looking at it.

However, because PHP code can be placed anywhere on the server, it may sit deep in the directory tree, and since a WordPress installation consists of thousands of files it can be hard to find.
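The two visual cues above, an unusually long line and a long random-looking string, can be turned into a triage scan. The following is an added example in Python (my own code, not the page's, and not the code of any scanning plugin) that walks a WordPress tree, matches a couple of well-known wrapper signatures, and additionally flags long lines and high-entropy string literals so that a wrapper the signature list has never seen still stands out. The thresholds, the signature list and the three sample files it creates are assumptions constructed for the demonstration; no real malware is involved.

```python
import base64
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for this example; tune them against your own tree.
MAX_LINE_LENGTH = 1000      # legitimate PHP is rarely a single 1000+ character line
MIN_LITERAL_LENGTH = 64     # only score string literals at least this long
ENTROPY_THRESHOLD = 5.0     # bits per character; base64 of compressed data sits near 6

# A tiny illustrative signature set, not a real scanner's database.
SIGNATURES = {
    "eval-of-decoder": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(", re.I),
    "exec-of-request": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
}
STRING_LITERAL = re.compile(
    r"'([^'\\]{%d,})'|\"([^\"\\]{%d,})\"" % (MIN_LITERAL_LENGTH, MIN_LITERAL_LENGTH))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def inspect_file(path: Path) -> list:
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    try:
        text = path.read_bytes().decode("utf-8", errors="replace")
    except OSError:
        return []
    # PHP can hide under any file name, so judge content rather than extension,
    # but only code behind an open tag is ever executed (this also keeps minified
    # JS and CSS, which are legitimately one long line, out of the results).
    if "<?php" not in text and "<?=" not in text:
        return []
    findings = []
    for name, rx in SIGNATURES.items():
        if rx.search(text):
            findings.append("signature:" + name)
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > MAX_LINE_LENGTH:
        findings.append("long-line:%d" % longest)
    worst = max((shannon_entropy(m.group(1) or m.group(2))
                 for m in STRING_LITERAL.finditer(text)), default=0.0)
    if worst > ENTROPY_THRESHOLD:
        findings.append("high-entropy-literal:%.2f" % worst)
    return findings


def scan_tree(root: str) -> dict:
    """Walk every regular file under root, including dot-directories."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            findings = inspect_file(p)
            if findings:
                hits[p.relative_to(root).as_posix()] = findings
    return hits


def constructed_blob(n_blocks: int = 64) -> str:
    """Deterministic stand-in for a compressed, base64-encoded payload:
    base64 of a SHA-256 hash chain (constructed data, not real malware)."""
    chunk, parts = b"seed", []
    for _ in range(n_blocks):
        chunk = hashlib.sha256(chunk).digest()
        parts.append(chunk)
    return base64.b64encode(b"".join(parts)).decode("ascii")


def build_sample_tree() -> str:
    """Create a throwaway directory holding three constructed sample files."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    blob = constructed_blob()
    samples = {
        # ordinary multi-line code: must not be flagged
        "wp-includes/functions.php":
            "<?php\n/** Constructed stand-in for a normal core file. */\n"
            "function demo_slug( $title ) {\n"
            "    return preg_replace( '/[^a-z0-9]+/', '-', strtolower( $title ) );\n}\n",
        # classic dropper buried in uploads: signature, long line and high entropy
        "wp-content/uploads/2019/03/.cache/x.php":
            "<?php eval(gzinflate(base64_decode('" + blob + "'))); ?>\n",
        # variant that reaches its decoder through variable function names, so the
        # text "eval(" never appears and no signature matches; the heuristics still do
        "wp-content/themes/demo/inc/colors.php":
            "<?php $d=strrev('edoced_46esab'); $k='" + blob + "'; $p=$d($k); "
            "$f=strrev('tressa'); $f($p);\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, findings)
```

Treat the output as a worklist, not a verdict: a long high-entropy literal in a file that also matches a signature is almost certainly hostile, while a heuristic-only hit deserves a look by hand. For core, theme and plugin files the quickest confirmation is a diff against a clean copy of the same version; anything under wp-content/uploads that contains a PHP open tag is suspicious on its own.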

Malware is easier to find with a plugin that inspects every file in the installation for known malicious patterns:
[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

What if I still can’t get rid of it?

Malware detection plugins rely on pattern matching, so they find known malicious code far faster than a person can. Their weakness is the pattern database: newly created malware is not in it yet, and some advanced malware changes its obfuscation for every site it infects, so no two copies share a pattern.

Such malware can be difficult to detect and remove with plugins alone. If you have an infection that cannot be fully removed, we recommend consulting a specialist.