How to Get Rid of the Base_64 PHP Virus Hack on your WordPress Site/Blog

Yesterday our WordPress site along with 3 of our clients WordPress sites were all attacked and hacked by the annoying base_64 php virus. This is not the first time we have crossed paths with this annoying virus and most likely it won’t be the last, which is why we decided to help the fellow WordPress community by providing this tutorial on how to get rid of the virus.

The base_64 php virus inserts an insanely long php script to the top of all php files on your server. This php script will then forward visitors to another website where the virus is actually stored which then infects their computer in the form of Trojan Horse viruses. We aren’t sure if there are different websites that the virus can forward you to but in our case it sent users to:

Unfortunately there is really only one solution to get rid of the base_64 php virus, reinstall WordPress with clean files. In this tutorial we will show you the 6 major steps for getting rid of this nasty virus.

Please Note:
This tutorial should not be performed by somebody who is not comfortable with creating database backups, uninstalling and installing WordPress, using an FTP program, or general usage of WordPress. If you feel that you can not complete this tutorial please do not try, contact us at 1-888-987-1961 or fill out our contact form to receive a quote on getting rid of the base_64 php virus. Please serious inquiries only.

STEP 1: Run Virus Scan on Your Computer

Before moving on to the next steps you first must make sure that your computer is clean and free from the virus, run virus and malware scans on your computer to get rid of the actual downloaded virus.

STEP 2: Change Passwords

The next step after cleaning your computer of any trace of the virus is to change all passwords for both your server’s FTP and WordPress. You should also add a temporary index.htm file to the root of your website informing visitors that your site is currently undergoing maintenance and to check back later.

STEP 3: Back Up Clean Files and Database

Theme Folder – Make sure that you have a clean version of your theme’s template files. If you do not have a clean version then you will need to copy all of your theme’s template files from your server using a “File Manager” or FTP program. Once you have all of your theme’s files you will then need to delete the php script located at the top of every php file.

Plugins – Unfortunately all of your plugins are also infected, write down the name of every plugin you have installed, you will need to reinstall them all in step 5.

Uploads Folder & Gallery Folder – These folders are used to store all of the images you have uploaded to your WordPress site/blog and are located at wp-content/uploads. Luckily images don’t seem to get infected by the virus so we will just make a backup of all of these files/folders. Using a “File Manager” or FTP program copy all of these files/folders onto your CPU from your server.

Database – Another lucky break, the database also doesn’t seem to get hurt during the attack. We are currently using GoDaddy, check below to see how to back up a GoDaddy database:

Log into your GoDaddy account > Go to Hosting > Manage Your Website > Databases Tab > MYSQL > Click the edit pencil for your database > Click Backup.

The backup can take anywhere from 20 minutes to 2 hours. Once the backup is complete, it will then install a copy of the database onto your server, you should also ‘right click’ and save a direct copy to your computer just to be safe.

STEP 4: Start Deleting

Uninstall WordPress – Once again please note that these instructions are for GoDaddy:

Log into your GoDaddy Account > Go to Hosting > Manage Your Website > Your Applications > On the right hand side find your WordPress install, Click It > Uninstall.

This will also delete your database so make sure that you have backed it up in the previous step.

Left Over Files – Once the uninstall is complete, go onto your server and make sure that all of the WordPress files/folders have been deleted. Also make sure to double check the entire server and make sure that there are no other php files anywhere on it. If you find any other php files download them and delete the php script at the top, then put them back onto your server.

STEP 5: Reinstall Everything

WordPress Install – Install WordPress. If your last install was located in a certain folder, be sure to use the same folder name on this install.

Upload All Files and Folders – First upload your clean “theme” folder > then upload or install all of the plugins you wrote down earlier > finally upload all of the Uploads & Gallery files/folders. Make sure that you put everything in the same place as the previous install before the attack.

Import Old Database – The same place that you went to back up your database is the same place you will go to import it. The database import should take around 30 minutes to an hour to complete.

STEP 6: Check Your Entire Site

After completing Steps 1 through 5, your WordPress site/blog should be back up and running virus free. Recheck your entire site to make sure everything is functioning properly and to make sure there are no traces of the virus hiding somewhere.

Please Note:
This tutorial was created out of our experience with the base_64 php virus and we take no responsibility for any problems you may encounter while following this tutorial. These steps have been proven to work for us but you must make sure they are followed exactly, results may vary. If you know of any better or easier ways to get rid of this base_64 php virus, please let us know by leaving a comment.