PHP regex to fix hacked WordPress site

Solution 1:

  1. Backup database and themes.
  2. Remove WordPress.
  3. Remove any suspicious files.
  4. Install newest WordPress.
  5. Keep new WordPress files write protected.
  6. Slap so-called “administrator” for not updating on time.
  7. Profit.

No need for some crazy scripts and whatnot. Hacks on PHP cannot work unless the file is infected. Removing it solved the problem.

And yes, it’s possible to do even if you have multiple WordPress installations on the same server (WHY?!).

Solution 2:

Apart from the comments advising a reinstall, the regex question at hand might be greediness. The .*? placeholder ought to match the smallest number of characters, but sed might have some limitations regarding line length etc. (Not sure.)

But for constraining it further you could use [^>]* in its place:

 's#<?php /\*\*/ eval(base64_decode("aWY[^>]*?>##g'

This will ensure it can’t run over a closing ?>. The base64 couldn’t possibly contain this anyway.
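
The constrained expression from Solution 2 applied to a directory tree, as an added example that is not part of either answer. Function names, the quarantine directory and the sample files are constructed, and the payload is an inert placeholder. sed's POSIX regex has no lazy quantifier, so the block also runs a plain `.*` on the same one-line file to show what the `[^>]*` restriction prevents.

```shell
#!/bin/sh
# Added example, not from the original answers. Paths and sample files are constructed.

# The answer's sed pattern (BRE: '?' and '(' are literal, '\*' is a literal '*').
# [^>]* cannot cross a '>', so the match stops at the first closing '?>'.
INJECT_RE='<?php /\*\*/ eval(base64_decode("aWY[^>]*?>'
# Unconstrained variant for comparison: '.*' runs to the LAST '?>' on the line.
GREEDY_RE='<?php /\*\*/ eval(base64_decode("aWY.*?>'

# strip_injection RE < input > output
strip_injection() { sed "s#$1##g"; }

# list_infected DIR: print PHP files that contain the injected block.
list_infected() {
    find "$1" -type f -name '*.php' -exec grep -l -e "$INJECT_RE" {} +
}

# clean_tree DIR QUARANTINE: copy each infected file to QUARANTINE (assumed to
# be outside the web root), then rewrite it in place without the injection.
clean_tree() {
    mkdir -p "$2" || return 1
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$2/$(printf '%s' "$f" | tr '/' '_')" || exit 1
        strip_injection "$INJECT_RE" < "$f" > "$f.tmp" || exit 1
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"    # keeps owner and mode
        printf 'cleaned %s\n' "$f"
    done
}

# make_demo_tree: build a constructed web root with one infected and one clean
# file. The payload is inert (base64 of "if(0){}"). Prints the directory.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php /**/ eval(base64_decode("aWYoMCl7fQ=="));?><?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php echo "untouched"; ?>' > "$d/clean.php"
    printf '%s\n' "$d"
}
```

Run `list_infected` first and review its output before calling `clean_tree`; files that were dropped whole rather than modified are not matched by this pattern and still need the manual review from Solution 1.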