
I adore WordPress themes! And I like to download and test themes (the free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for malicious code in the WordPress themes present in the /wp-content/themes folder.

When I ran TAC today, I found that a couple of the themes I downloaded yesterday (names withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since malicious code could have been injected and encoded. The code looked something like this:


echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="));

I started looking for a tool that could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output will be displayed on the same screen within a few seconds!

Just replace the encoded code with the decoded one and the theme will continue to work like a charm!

Link: Base-64-encoder-decoder

Mirror: Base-64 decoder

Also try this: OpinionatedGeek decoder tool
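
An added example (not part of the original post): a Python script that does offline what the online decoder does, and goes beyond the single-layer case to follow the nested `base64_decode` and `gzinflate(base64_decode(...))` wrappers that commenters below describe, treating the theme code as data and never executing it. The sample footer and the `example.com` URL are constructed, and the function names are this example's own.

```python
import base64, binascii, re, zlib

# The two wrapper shapes quoted on this page: echo(base64_decode("...")) and
# eval(gzinflate(base64_decode('...'))). Curly quotes are accepted because
# snippets copied from blog posts often carry them.
WRAPPER = re.compile(
    r"""(?:eval|echo)\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*
        ["'\u201c\u201d]([A-Za-z0-9+/=\s]+)["'\u201c\u201d]
        (?:\s*\)){2,3}\s*;?""", re.VERBOSE)

def decode_literal(b64: str, inflate: bool) -> str:
    b64 = "".join(b64.split())           # literal may be wrapped over lines
    b64 += "=" * (-len(b64) % 4)         # tolerate stripped padding
    raw = base64.b64decode(b64)
    if inflate:
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() is raw DEFLATE
    return raw.decode("utf-8", errors="replace")

def peel(source: str, max_layers: int = 20) -> list[str]:
    """Decode nested wrappers as data only; nothing is ever eval'd."""
    layers, text = [], source
    for _ in range(max_layers):
        m = WRAPPER.search(text)
        if not m:
            break
        try:
            text = decode_literal(m.group(2), bool(m.group(1)))
        except (binascii.Error, zlib.error):
            break                        # truncated, or a scheme not handled here
        layers.append(text)
    return layers

def links(text: str) -> list[str]:
    """URLs the decoded footer would emit, for review before it is trusted."""
    return re.findall(r"""href\s*=\s*["']([^"']+)""", text)

def build_sample() -> str:
    """Constructed footer.php: HTML -> base64 -> echo -> deflate -> base64 -> eval."""
    html = '<div class="footer"><a href="http://example.com/top-sites">Example</a></div>'
    inner = 'echo(base64_decode("%s"));' % base64.b64encode(html.encode()).decode()
    z = zlib.compressobj(wbits=-15)
    packed = z.compress(inner.encode()) + z.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(packed).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample()), 1):
        print(f"layer {depth}: {layer[:70]}")
        print("  links:", links(layer))
```

Review the last layer, and every URL `links()` reports, before pasting it into footer.php. A layer that calls the decoder through a variable alias is not followed and ends the chain early.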


Founder-Editor

Raju is the founder-editor of Technology Personalized. A proud geek and an Internet freak, who is also a social networking enthusiast. You can follow him on Facebook and on Twitter. Mail Raju PP.

 
 

49 thoughts on “[How to] Decode an Encoded PHP Script in WordPress Themes”

  1. If code is obfuscated, I won’t even care to test the theme unless it’s released by a trusted source. And yeah I do know about base64 encodings, it is there in java as well!

  2. Hello
    I tried the script on the page.
    It doesn’t work with the code of my footer.

    I get a result yet coded such : eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0; …..

    🙁

  3. Thank you for your help. But this time it says “Sorry, it just was not possible to decode that string.”

    Here is the code in a txt file
    footer

    it would be nice if you could throw a glance 🙂

    • As expected it has multi level encoding. First of all I want to clarify that I am no expert in PHP! In the txt file you have shared, the code has 2 parts. First part is a variable definition ($o) and the other part which has eval method. I was able to decode the eval method using the link I provided above. It returned me a series of code having for loops and more encoded data. So, it’s a recursively encoded code by some smart fellow. If I was you, I wouldn’t be daring to use that theme with such a footer 🙂

  4. Thank you for having looked at the code. The footer coded it becomes a very bad way. Especially we don’t know if it hides a malicious script.

  5. On gzipped content like: eval(gzinflate(base64_decode('glztGlnskJVlg0'))); – I have successfully used this on-line decrypter:
    http://www.tareeinternet.com/scripts/decrypt.php

    Thanks for this article 😉

    MY solution (no decoding):
    —————————-
    1/ Install the theme on localhosted apache + php + wp
    2/ Point browser there (http://localhost/wordpress/)
    3/ View page source
    4/ copy footer code from viewed source
    5/ erase footer.php, create new file with same name
    6/ paste footer code from clipboard into this newly created file footer.php
    7/ save footer.php code and test the theme
    8/ you may need to debug it little bit (someone is putting tricks like

    ?>

    footer html code

    <?

    to protect theme from this kind of manipulation and such techniques).

    → This solution is absolutely legal, ’cause you are not modifying footer.php, you aren’t reverse engineering, but you’re building your own footer.php file 😉

    • @mijk,
      Thanks for your comments. But how many people do you think will be capable enough to install WP locally? That is why I suggested decoding approach. You are absolutely right in terming it “legal”, Even I have mentioned the same above.

  6. @Raju:
    I think there are a lot of all-in-one apache+mysql+php solutions (EasyPHP @ http://www.easyphp.org/, WAMP @ http://www.wampserver.com/en/ etc.) which are easy to install (standard installshield installation) and setup (fully featured clickable control panel with links to phpmyadmin, for setting up modules like gd etc., selecting php (4/5) or mysql version (for debugging purpose)) – so for clarity I think that almost anyone could be capable to install WP locally 😉

    I was just sharing another approach to this issue (mainly ’cause of legality of this kind of approach).

    Thank you very much for quick response and thanks once again for cool article.

    • @mijk,
      You are absolutely right. I personally use WAMP and XAMPP, but what I meant was non-geeks will not dare to try most of the times. But yeah, it’s very easy 🙂 I must thank you for sharing so much info with your 2 comments.

  7. @ mijk

    I am sorry, where is the true to debug in php ?

    or

    ?>
    ……………..
    <?

    I will try both of them, because I found

    in my wp theme.
    I will learn php on next semester on my campus, once again thanks to Raju and mijk.

  8. I am sorry, where is the true to debug in php ?

    “”
    (without quote)
    or

    ?>
    ……………..
    <?

    I will try both of them, because I found
    “” (without quote)
    in my wp theme.
    I will learn php on next semester on my campus, once again thanks to Raju and mijk.

    ===========
    Sorry Raju, I just look like spammer.
    I repost my comment because the previous one is incomplete, you can delete it.

  9. Thank you for this tip. I agree to others above that if you have something to hide then it’s not worth it. I found a great theme that fits perfect for my company and I was able to successfully decode the footer, replace the numbers in the decoding text with letters I.E: d4v = div (they had this done to trick the code to force the template not to work)

    Thank you again (Link you provided was bookmarked) 🙂

  10. Nice share, the trick is to download the theme from the original author/designer’s website. Most of theme directories are loading the themes with malicious links using this encode, which a non-technical person won’t be able to identify.

  11. Look, I’m tried to decode my footer with your recommended site, but it did not work and get back my own code. How can I solve my problem? Plz answer.

  12. Hey… hello, unfortunately I can’t do this with my code… Can You Help me…??? please reply.. plz plz I’m waiting 4 u.

    thanks

  13. kaka,
    i am new to wordpress,
    i want to remove my footer links in my theme.
    I tried using the decode link u mention in your post.

  14. Wonderful This really is one of the most beneficial blogs I’ve ever browsed on this subject.
    I was very encouraged to find this site. I wanted to thank you for this special read. I definitely savored every little bit of it and I have you bookmarked to check out new stuff you post.

  15. I am trying to decode a footer code from WordPress and I am having a problem. I have tried the links above but the issue is that I don’t know if I am inputting the right characters from the encoded footer code. What should I do?

    • I can’t comment without knowing what exactly you were trying to decode, but I must tell you that NOT all encoded codes can be decoded, especially if the developer has encoded multiple times.

  16. I have downloaded many themes in various versions: WordPress, HTML, Drupal etc. They were all zip files. I have unzipped them but one theme has come under so many files and I can’t put them together to form the actual site. For the HTML it’s ok. I just go to page and opened it as web page. For the others I am lost. Can anybody help?
