Is Base64 Code Bad For You?

Writing by Nick Stamoulis Tweet

Base64 code derives its name from the fact that it uses only 64 characters. MIME-based (Multipurpose Internet Mail Extensions), Base64 uses only A-Z, a-z, 0-9 and the “+” and “/” symbols. That’s 64 characters, hence the name.

In and of itself, Base64 is not bad. It has its practical uses. One of its widest applications is in embedding binary files such as images within scripts. This allows a coder to include the photo on the page rather than in an external file. It is also used to store passwords for encryption.

The problem with Base64 encoding is its strengths are also its weaknesses. Because it is useful in obfuscating passwords and embedding binary files within scripts, it is easy for spammers and malware distributors to use as well. In fact, this is often precisely what they do. And they do from within your WordPress themes. Some WordPress developers have figured out that they can use Base64 to embed a delayed script within the footer of your WordPress theme that is activated once so many downloads of that theme have been distributed. Then, you have a malware problem.

Other theme developers sell links that are placed within WordPress theme footers. You can’t see them because they stored inside a Base64 encoding string. It looks like one link to the naked eye, but in reality it could be linking to half a dozen or more websites. Even if those sites are all good and pose no threats, it’s still not something you want to do, right?

Well, there is a solution to this problem. You can download the Theme Authenticity Checker for WordPress and detect these Base64 strings that link to sites you do not want to endorse. You can then either delete those links from your blog’s footer or find a new theme. Either way, you rid yourself of unwanted Base64 code.