[How to] Decode an Encoded PHP Script in WordPress Themes

Last updated on: December 17th, 2016


I adore WordPress themes! And I like to download and test the themes (free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for malicious code in the WordPress themes present in the /wp-content/themes folder.

When I ran TAC today, I found that a couple of the themes I downloaded yesterday (names withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since malicious code could have been injected and encoded. The code looked something like this:


echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="));

I started looking for a tool that could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output is displayed on the same screen within a few seconds!

Just replace the encoded code with the decoded one and the theme will continue to work like a charm!

Link: Base-64-encoder-decoder

Mirror: Base-64 decoder

Also try this: OpinionatedGeek decoder tool
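
The same decode can be done locally, without pasting theme code into a web page. The Python sketch below is an added example, not part of the original post or of TAC: it pulls every base64_decode("...") string literal out of a theme file's text, decodes it without executing any PHP, and lists the links and any code constructs in the result so the decoded markup can be read before it replaces the encoded call. The function names and the sample footer are constructed for illustration.

```python
import base64
import binascii
import re

# Matches base64_decode("...") / base64_decode('...'); also accepts the curly
# quotes that appear when code is copied from a web page. The literal may wrap.
CALL_RE = re.compile(
    r"""base64_decode\s*\(\s*["'\u201c\u201d]([A-Za-z0-9+/=\s]+)["'\u201c\u201d]\s*\)""")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
# Constructs that mean the decoded text is itself code, not plain markup.
CODE_RE = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(|<script\b|<iframe\b", re.I)


def decode_literals(php_source):
    """Decode every base64_decode string literal; nothing is executed."""
    results = []
    for match in CALL_RE.finditer(php_source):
        blob = "".join(match.group(1).split())  # drop line wraps and spaces
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            results.append(None)  # truncated or corrupted literal
            continue
        results.append(raw.decode("utf-8", errors="replace"))
    return results


def review(decoded):
    """Summarise a decoded block so it can be read before it is pasted back."""
    return {
        "links": HREF_RE.findall(decoded),
        "contains_code": bool(CODE_RE.search(decoded)),
    }


# Constructed sample footer, not taken from any real theme.
SAMPLE_HTML = ('<div class="footer">\r\n  <p>Designed by: '
               '<a href="http://example.com/">Example</a></p>\r\n</div>\r\n')
SAMPLE_PHP = '<?php echo(base64_decode("%s")); ?>' % (
    base64.b64encode(SAMPLE_HTML.encode()).decode())

if __name__ == "__main__":
    for text in decode_literals(SAMPLE_PHP):
        print(text if text is not None else "[undecodable literal]")
        if text is not None:
            print(review(text))
```

A result with `contains_code` set means the decoded text is another layer of script rather than footer markup, which deserves a closer read than a simple credit link.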

Comments


  1. I have downloaded many themes in various versions: WordPress, HTML, Drupal etc.; they were all zip files. I have unzipped them, but one theme has come as so many files and I can’t put them together to form the actual site. For the HTML it’s OK. I just go to the page and open it as a web page. For the others I am lost. Can anybody help?