How to Remove Suspicious Code From WordPress Sites
The WordPress Security Learning Center

3.9: How to Remove Suspicious Code From WordPress Sites

Advanced
Updated October 21, 2020

What is suspicious code?

Suspicious code is code that matches general malware practices but may not fit into a specific category of malicious intent. It may have nothing inherently malicious within it; however, it matches patterns of functional usage or obfuscation (code made intentionally obscure so that its purpose is ambiguous) that are often malicious. Suspicious code should be examined more carefully to determine whether there are valid reasons for using the methods within it.

Determining if your site is infected

If your site has suspicious code within it, it does not necessarily mean that your site is infected. You’ll need to analyze the code on your site to determine if it has been placed with malicious intent or if it is functional code that is integral to your site’s operation.

Finding and Removing Suspicious Code

Removing suspicious code usually requires a deep understanding of coding methodologies and functions, and the ability to determine whether the suspicious usage of functions or obfuscation is warranted or valid. Suspicious code can be found in a site’s core, theme, or plugin files, and it can also be found within database content.

Here are some samples of suspicious code that we’ve found on sites. Remember, this does not necessarily mean that the code is malicious.

Samples of non-malicious suspicious code

Most non-malicious suspicious code uses some obfuscation technique built on the base64_decode() function.

Obfuscated theme options. Many premium themes come with obfuscated options embedded within the theme. The theme options are hidden with

Obfuscated variable names. ["\x64\x63\x66j\x68t\x68"] is actually a variable in a premium plugin that decodes to ["dcfjhth"]. It is not malicious.

Samples of malicious suspicious code

This code uses an array to rewrite variable names into unintelligible strings, hiding the functionality of the script. At a glance, you wouldn’t be able to tell that this is a malicious mailer script; that only becomes clear when you review the code in more depth.

function v78ZFAX($vJOJJ7T, $vRJ8WGX){$vM74216 = ''; for($i=0; $i < strlen($vJOJJ7T); $i++){$vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];}
return base64_decode($vM74216);}

Suspicious code is often obfuscated using base64_decode functionality.

eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVh

You might even see the base64_decode function reversed.

str_rev(edoced_46esab('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVh

Often, suspicious code attempts to hide itself from detection by turning off any error reporting.

error_reporting(0); or error_reporting(E_ERROR | E_WARNING | E_PARSE); or ini_set('display_errors', "0");
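
The indicators in the samples above can be checked mechanically before a manual review. The following Python script is an added example, not code from the original article: it flags the patterns the article names, unescapes \xNN strings, and decodes base64 literals (including truncated ones) so that the hidden layer is scanned as well. The indicator names, the 16-character base64 cutoff and the function names are assumptions made for this example.

```python
import base64
import re

# Indicators the article names. A hit means "review this", not "malicious".
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"base64_decode", re.I),
    "reversed base64_decode": re.compile(r"edoced_46esab", re.I),
    "error reporting changed": re.compile(
        r"error_reporting\s*\(|ini_set\s*\(\s*['\"]display_errors", re.I),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-f]{2}){2,}", re.I),
}
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,})")  # 16+ chars: assumed cutoff


def unescape_hex(text):
    """Turn PHP \\xNN escapes into the characters they stand for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_base64_literals(source):
    """Decode quoted base64-looking strings, tolerating truncated samples."""
    decoded = []
    for body in B64_LITERAL.findall(source):
        if len(body) % 4 == 1:
            body = body[:-1]  # a truncated sample can end mid-group
        body += "=" * (-len(body) % 4)  # restore padding if it was cut off
        try:
            decoded.append(base64.b64decode(body).decode("latin-1"))
        except ValueError:
            continue
    return decoded


def triage(source):
    """Return indicator names found in any layer, plus the decoded strings."""
    clear = unescape_hex(source)
    decoded = decode_base64_literals(clear)
    layers = [source, clear, *decoded]  # scan the hidden layer as well
    hits = sorted(name for name, rx in INDICATORS.items()
                  if any(rx.search(layer) for layer in layers))
    return {"indicators": hits, "decoded": decoded}


if __name__ == "__main__":
    # Constructed input built from the truncated sample shown in the article.
    sample = 'eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJHRydW09aGVh'
    print(triage(sample))
```

A hit only marks a file for closer inspection; the decoded strings are what the reviewer reads to decide whether the usage is valid.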

Comparing files with core

A good method of analyzing suspicious code is comparing plugin or theme files on your site with the originals from the developer.

If the code is within your database, you can look at the code around the suspicious code to determine if it is valid or not.

If, after reading this guide, you are still unsure whether the suspicious code is valid or malicious, get help.
