Are my websites hacked?

Published 2019-08-15 07:39

Question:

Suddenly all kinds of WordPress sites show very strange code in the header.php and index.php files. It is across several servers, so it looks like someone really got hold of all my server details.

The code inserted in the header looks like this:

What can this be? And any tips on how to get rid of this problem (I am talking about something like 50 sites here)?

I tried decoding the code in all kinds of decoders, but nothing decoded it.

Answer 1:

It does sound like a hack. I don't think you are the first, as there is a thread on wordpress.org about this: https://wordpress.org/support/topic/headerphp-hacked-need-advice-have-tried-everything



Answer 2:

There is a very strong probability that you have been hacked. But the interesting part should be to check how they got into the system. The first thing that comes to my mind on seeing all the code is the use of nulled themes and plugins. Often one might install plugins from unknown sources; there is a reasonable probability that these plugins have been altered by some user. So you might not have been hacked by a live hacker, which would have been annoying.

Try copying the red part (the string) and decoding it with PHP's base64_decode function; 90% of hackers use the base64_decode and eval functions to obfuscate their code. Mostly this obfuscated code is used to add a form field through which they can then upload a file that is directly executed.

The only solution is to change the passwords, find the code that's responsible and remove it from all over your site (try a multi-file search and replace). Install a good firewall; I like Wordfence. If possible, use a second factor of verification, something like an SMS or Google account. Don't install nulled themes and plugins.
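The eval/base64_decode wrapper this answer describes can be hunted and unwrapped from the shell rather than by pasting strings into web decoders. The script below is an added example, not code from the original thread or from WordPress: it lists PHP files that call eval() on base64_decode() output and peels the base64 layers off one at a time, stopping when the decoded text no longer contains a base64_decode call. It assumes a POSIX shell with GNU-style grep -r/--include and base64 -d; the "infected" header.php it scans is constructed for the demo, and its innermost payload is a harmless echo.

```shell
#!/bin/sh
# Added example (not from the original thread): find eval(base64_decode(...))
# wrappers in PHP files and decode the payload layer by layer.
# Assumes: POSIX sh, GNU-style grep (-r, --include), base64 -d, sed -E.

# List PHP files under DIR that call eval() on base64_decode() output,
# optionally through a gzinflate/gzuncompress/str_rot13 wrapper.
find_eval_b64() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*((gzinflate|gzuncompress|str_rot13)[[:space:]]*\([[:space:]]*)?base64_decode[[:space:]]*\(' \
        "$1" 2>/dev/null | sort
}

# Print the quoted base64 argument of the base64_decode( call on the first
# matching line of stdin; print nothing when there is no such call.
extract_b64_arg() {
    q="'"
    sed -nE "s|.*base64_decode[[:space:]]*\([[:space:]]*[\"$q]([A-Za-z0-9+/=]+)[\"$q].*|\1|p" | head -n 1
}

# Decode FILE's payload layer by layer and print the innermost code.
# Fails (exit 1) when an argument is not plain base64: a compressed or
# rot13-wrapped payload needs the matching extra decoding step.
peel_layers() {
    current=$(cat "$1")
    layer=0
    while arg=$(printf '%s\n' "$current" | extract_b64_arg) && [ -n "$arg" ]; do
        layer=$((layer + 1))
        if ! current=$(printf '%s' "$arg" | base64 -d 2>/dev/null); then
            echo "layer $layer: argument is not plain base64" >&2
            return 1
        fi
    done
    printf '%s\n' "$current"
}

# Constructed demo: one clean template plus a header.php wrapped in two
# layers of eval(base64_decode()). The innermost "payload" is a harmless echo.
demo() {
    site=$(mktemp -d)
    inner='echo "stage 2";'
    l1=$(printf '%s' "$inner" | base64 | tr -d '\n')
    l2=$(printf '%s' "<?php eval(base64_decode('$l1')); ?>" | base64 | tr -d '\n')
    printf '<?php eval(base64_decode("%s")); ?>\n' "$l2" > "$site/header.php"
    printf '<?php get_header(); ?>\n' > "$site/index.php"
    echo "files with eval(base64_decode()):"; find_eval_b64 "$site"
    echo "innermost code in header.php:"; peel_layers "$site/header.php"
    rm -rf "$site"
}
demo
```

Run it against a site root instead of the demo directory (`find_eval_b64 /var/www/site`, then `peel_layers` on each hit). The grep pattern is a signature and will miss code that builds the function name dynamically or splits the string; treat the list as a starting point, not a clean bill of health.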



Answer 3:

This is definitely hacked. I work with this type of problem every day.

Omer Farooq is correct in that using nulled themes/plugins WILL lead to backdoors on your site, especially the CryptoPHP backdoor.

Anything that is encrypted should be mistrusted and investigated further. You may not always be able to decrypt it, as hackers sometimes use more than one layer of encryption to obfuscate their code. This is in an effort to fool 'security plugins' (note the quotes, as I have yet to find one that actually works), as they tend to scan for code signatures. They are thus easily fooled.

Solution:

Download a clean copy of WordPress and extract it to a folder. Now view that folder side-by-side with the contents of your website's home directory. You may find one or two files starting with wp_ that should not be there. View the code; if it is encrypted, remove it. Also check the timestamps on all files and folders, as they will give you an idea of what was changed.

When everything else fails, contact me for assistance.
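The side-by-side comparison in this answer is easier to trust when it is mechanical. The script below is an added example (not the answer's own tooling and not part of WordPress) that compares a site tree with an extracted clean release and reports three things: files the release does not ship, core files whose bytes differ, and files modified after a reference point such as a last-known-good backup. It assumes a POSIX shell with find, cmp and sort, and that wp-config.php and everything under wp-content are site-specific and therefore skipped in the first check; both directory trees are constructed in the demo rather than downloaded.

```shell
#!/bin/sh
# Added example (not from the original answer): compare a WordPress site tree
# against a clean release tree and flag extra, modified and recently changed files.
# Assumes POSIX sh with find, cmp, sort; fixtures below are constructed.
LC_ALL=C; export LC_ALL   # deterministic sort order

# Paths that legitimately differ from a release and are skipped in extra_files:
# the site's configuration and everything under wp-content.
is_site_specific() {
    case "$1" in
        wp-config.php|wp-content/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sorted relative paths of all regular files under DIR.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort )
}

# Files under SITE that CLEAN does not contain (dropped shells, stray wp_*.php).
extra_files() {
    clean="$1"; site="$2"
    list_files "$site" | while IFS= read -r f; do
        if ! is_site_specific "$f" && [ ! -e "$clean/$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Files present in both trees whose contents differ (tampered core files).
modified_core_files() {
    clean="$1"; site="$2"
    list_files "$clean" | while IFS= read -r f; do
        if [ -f "$site/$f" ] && ! cmp -s "$clean/$f" "$site/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Files under DIR with an mtime newer than the file REF (e.g. a backup marker).
# Timestamps can be forged by the intruder, so treat this as a hint only.
changed_since() {
    ref="$1"; dir="$2"
    find "$dir" -type f -newer "$ref" | while IFS= read -r f; do
        printf '%s\n' "${f#"$dir/"}"
    done | sort
}

# Constructed fixture under WORK: a tiny stand-in for a release tree in
# clean/, the same tree in site/ with the marks an intrusion leaves behind,
# and a reference file last-known-good dated between the two.
build_fixture() {
    work="$1"
    for d in "$work/clean" "$work/site"; do
        mkdir -p "$d/wp-includes" "$d/wp-content/themes/demo"
        printf '<?php // core bootstrap\n' > "$d/wp-settings.php"
        printf '<?php // core loader\n'    > "$d/wp-includes/load.php"
        printf '<?php // theme header\n'   > "$d/wp-content/themes/demo/header.php"
    done
    printf "<?php define('DB_NAME', 'demo');\n" > "$work/site/wp-config.php"
    find "$work" -type f -exec touch -t 202001010000 {} +   # age the whole fixture
    touch -t 202101010000 "$work/last-known-good"            # reference point
    # Planted changes (placeholder strings, not a real payload): a file the
    # release does not ship, and a core file with a line appended.
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n' >  "$work/site/wp_tmp.php"
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n' >> "$work/site/wp-includes/load.php"
}

demo() {
    work=$(mktemp -d)
    build_fixture "$work"
    echo "not in the release:";  extra_files "$work/clean" "$work/site"
    echo "modified core files:"; modified_core_files "$work/clean" "$work/site"
    echo "changed since last-known-good:"; changed_since "$work/last-known-good" "$work/site"
    rm -rf "$work"
}
demo
```

Against a real site, point `clean` at the extracted release matching the site's version and `site` at the document root; then review wp-content separately, because plugins, themes and uploads are exactly where this check is blind and where nulled packages and uploaded shells live.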



Answer 4:

Most WordPress hacks exploit outdated plugins. You should always update them. Unfortunately, WordPress is well known for these types of hacking.

Only once, I had an issue where the hosting provider's servers were compromised. This is really weird.

If I were in your shoes, I would:

  1. Make a database backup
  2. Make a file backup (just in case)
  3. Delete all files
  4. Reinstall the latest version of WordPress
  5. Import the database (make sure posts were not compromised, and if there are users that you don't recognize, remove them)
  6. Install the latest plugins
  7. Install the theme (if needed)

Also, I would set up the compromised website in a virtual machine (locally) and learn how you got compromised (optional).
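Step 5 of the procedure above, reviewing the users before the database goes back into a rebuilt site, can be done on the mysqldump file from step 1 without restoring it anywhere. The script below is an added example, not part of the answer or of WordPress: it reads the wp_users and wp_usermeta INSERT statements from a dump, joins them on the user ID, and lists every account with its registration date and whether its wp_capabilities meta grants administrator, then prints the administrators whose login is not on an allow-list. It assumes the default wp_ table prefix, mysqldump's single-line extended INSERT format, and that logins and e-mail addresses contain no single quotes; the dump it parses is constructed for the demo with placeholder password hashes.

```shell
#!/bin/sh
# Added example (not from the original answer): list WordPress accounts and
# administrators straight from a mysqldump file, then report admins that are
# not on an allow-list. Assumes: wp_ table prefix, mysqldump extended-insert
# lines, POSIX sh and awk; the dump below is constructed.

# Print one line per user: id|login|email|registered|role
# where role is "administrator" when wp_capabilities grants it, else "-".
list_users() {
    awk '
    /^INSERT INTO `wp_users` VALUES/ {
        sub(/^[^(]*\(/, ""); sub(/\);[ \t]*$/, "")      # keep only the row tuples
        n = split($0, rows, "\\),\\(")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, "\047")                    # fields between single quotes
            id = f[1]; sub(/,$/, "", id)                 # leading "ID,"
            login[id] = f[2]; email[id] = f[8]; registered[id] = f[12]
        }
    }
    /^INSERT INTO `wp_usermeta` VALUES/ {
        sub(/^[^(]*\(/, ""); sub(/\);[ \t]*$/, "")
        n = split($0, rows, "\\),\\(")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, "\047")
            split(f[1], ids, ",")                        # "umeta_id,user_id," -> ids[2]
            if (f[2] == "wp_capabilities" && f[4] ~ /administrator/) admin[ids[2]] = 1
        }
    }
    END {
        for (id in login)
            printf "%s|%s|%s|%s|%s\n", id, login[id], email[id], registered[id],
                   (id in admin) ? "administrator" : "-"
    }' "$1" | sort -n
}

# Administrators whose login is not in the space-separated allow-list KNOWN.
unexpected_admins() {
    dump="$1"; known=" $2 "
    list_users "$dump" | while IFS='|' read -r id login email registered role; do
        if [ "$role" = "administrator" ]; then
            case "$known" in
                *" $login "*) ;;
                *) printf '%s|%s|%s|%s\n' "$id" "$login" "$email" "$registered" ;;
            esac
        fi
    done
}

# Constructed dump: the legitimate admin, an editor, and a second administrator
# registered the night before the problem was noticed. Hashes are placeholders.
write_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$BplaceholderHash','admin','admin@example.com','','2018-05-01 10:00:00','',0,'Site Admin'),(3,'editor1','$P$BplaceholderHash','editor1','editor1@example.com','','2018-06-10 09:30:00','',0,'Editor One'),(7,'support2','$P$BplaceholderHash','support2','support2@example.net','','2019-08-14 03:12:45','',0,'support2');
INSERT INTO `wp_usermeta` VALUES (1,1,'nickname','admin'),(2,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),(4,3,'wp_capabilities','a:1:{s:6:"editor";b:1;}'),(5,7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_dump "$d/backup.sql"
    echo "all accounts:"; list_users "$d/backup.sql"
    echo "administrators not on the allow-list (admin):"; unexpected_admins "$d/backup.sql" "admin"
    rm -rf "$d"
}
demo
```

Removing an unknown administrator from the dump is not the end of it: the same dump should be checked for the mechanism that created the account (a plugin option or a scheduled cron entry in wp_options, injected script tags in wp_posts), and every remaining account's password should be reset after the reinstall.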



Tags: php wordpress