A new type of malware has been reported that illegally installs a plugin that can execute PHP code in WordPress and embeds malware in the database.


Unauthorized installation of a plugin that allows you to run PHP code from the WordPress admin screen on any fixed page or post.

According to Sucuri, there has been an increase in the number of cases in which hackers have taken over WordPress administrator privileges through brute force attacks or by exploiting vulnerabilities to install plug-ins that can execute PHP code from the WordPress administration screen and embed the malicious code in the database. This is a new issue.

How the Eval PHP plugin works

There are several plugins that allow you to execute PHP code from the WordPress admin panel.
These plug-ins are designed to embed and execute PHP code in any WordPress page, and do not themselves contain any malicious programs, nor are they distributed from the official site without any problems.

Eval PHP

PHP Everywhere

PHPEval

However, since these plugins store and execute PHP code in the WordPress database, it would be possible for hackers to embed and execute malicious programs in the database if they have already successfully infiltrated the site.

Since the WordPress database is a part of the site where few malware infections have been reported so far, many plugins are not checked for malware.

How to deal with malware via Eval PHP plug-ins

Here are some tips on how to deal with this type of malware.

1 Check to see if any unrecognized EVAL PHP plug-ins are installed, and if so, deactivate and remove them.

2 Use a plugin that can also scan databases for malware and remove it.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

3 If it is clear that you have been infected with this type of malware, it means that a vulnerability has been exploited or administrative privileges have been seized and you have already allowed hackers to enter your system.

Therefore, in addition to malware detection and removal using the plug-ins mentioned above, the following measures are necessary.

1 Identify and remove unauthorized users.
2 Change passwords of users with administrative privileges
3 Update plug-ins and WordPress

Reference Articles
5 Free WordPress Security Measures

Related Posts:

  1. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  2. How to find JAVASCRIPT Injection in WordPress
    If your WordPress site has been hacked and you think you have removed the tampering, but the site still redirects (forcibly) to another site, the malformed JAVASCRIPT code may still be there somewhere....
  3. Vulnerability in tagDiv Composer plugin bundled with WordPress Newspaper theme allows database rewriting
    A vulnerability in tagDiv Composer, a plugin included with the WordPress Newspaper theme, has been discovered that allows the database to be rewritten....
  4. 10 unauthorized WordPress access files
    Here are the most common unauthorized accesses that hackers target WordPress as of September 2023....
  5. Change WordPress database prefix to prevent SQL injection
    You can reduce the chances of a successful SQL injection by changing the prefix of your WordPress database. We will explain how to do this....
  6. What is Japanese SEO Spam, a type of WordPress malware?
    We will explain about Japanese SEO Spam, which is a malware that embeds fake Japanese product sites in WordPress....