We will explain the process called eval, which is used in more than half of the malware files detected by WordPress Doctor, and how to stop eval.
What is the eval function commonly used in malware?
The eval function is an instruction that, given a string of PHP programs, executes them as-is as PHP programs.
For example, it is used in the following format.
eval("echo 'Hello world';");
If you pass the PHP programming string “echo ‘Hello world’;” to the eval function, it will be interpreted and executed as a program, and the output will be Hello world.
Why is the eval function used by malware?
Because the eval function is a common function used by obfuscation tools in PHP programs, most malware is obfuscated to make it difficult to understand what the program is doing and to make it harder to detect malware. In the process of obfuscation, the eval function is frequently embedded in the code.
Example of malware code using eval
eval(base64_decode('JGJsY. Obfuscated string followed by . .BLCiI7'));
This would account for the high percentage of eval functions being included in malware.
Whether and how to stop the eval function
It is very effective to stop the eval function itself to stop malware activity or to improve security, as the function is very frequently used in malware.
However, is there any problem with the site operation if the eval function is stopped?
The eval function is not currently used in WordPress itself, nor in many plugins. I believe that the current trend in the WordPress world is to disable the eval function as much as possible for security reasons.
However, some popular plugins, such as Tablepress and Mail poet, continue to use it, so if it were to be stopped all together, it could have a negative impact on the operation of the site.
If you want to stop the eval function, it would be better to do an internal search of all PHP files included in WordPress to make sure that the eval( string is not used in the program.
How to stop the eval function
In some cases, the eval function can be stopped using the settings in the server’s administration screen.
On some servers, it may also be possible to stop the eval function by adding the following settings to the php.ini file.
disable_functions = "eval"
If you can change the configuration of the server program (you have root privileges), such as VPS or AWS, you can disable eval by adding the following module to the server.
https://github.com/sjinks/php-disable-eval
*It can inspect and detect malware using the eval function. Please use this service.
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].