We will explain the eval function, which appears in more than half of the malware files detected by WordPress Doctor, and how to disable it.


What is the eval function commonly used in malware?

The eval function takes a string containing PHP code and executes that string as PHP code, exactly as if it had been written into the file.
For example, it is used in the following form.

eval("echo 'Hello world';");

If you pass the string “echo ‘Hello world’;” to eval, it is interpreted and executed as a program, and the output is Hello world.

Why is the eval function used by malware?

Most malware is obfuscated to hide what the program does and to make it harder to detect. PHP obfuscation tools work by storing the real code as an encoded string and decoding and running it at runtime, and eval is the function that performs that final step, so it is embedded in almost every piece of obfuscated code.

Example of malware code using eval

eval(base64_decode('JGJsY...[obfuscated string continues]...BLCiI7'));

This accounts for the high percentage of malware samples that contain the eval function.

Whether and how to stop the eval function

Because eval is used so often in malware, disabling eval itself is a very effective way to stop malware activity and to improve security.
However, will disabling eval break the operation of the site?

The eval function is not currently used in WordPress core itself, nor in most plugins, and the current trend in the WordPress world is to avoid eval as much as possible for security reasons.

However, some popular plugins, such as TablePress and MailPoet, still use it, so disabling it outright could break the operation of the site.

Before disabling eval, search every PHP file in the WordPress installation for the string eval( and confirm that nothing legitimate depends on it; any occurrence you cannot account for (especially under wp-content/uploads, where no PHP should exist at all) should be investigated as possible malware.
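The search described above, as an added example (not code from the original page or from WordPress Doctor): it walks a WordPress tree, reports every call to the eval construct in *.php files, and marks the ones whose argument comes straight from a decoder such as base64_decode as suspicious, while ignoring look-alikes such as evaluate( or $obj->eval(). The sample tree it builds under a temporary directory is constructed for the demonstration; the plugin and theme names in it are placeholders, not real projects.

```python
import re
import tempfile
from pathlib import Path

# eval( as the language construct: not a method (->eval, ::eval), not part of a
# longer identifier (evaluate), not a variable function ($eval).
EVAL_CALL = re.compile(r"(?<![\w$])(?<!->)(?<!::)eval\s*\(", re.I)
# eval whose argument is produced by a decoder: the obfuscation pattern from the article.
DECODER_ARG = re.compile(
    r"eval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.I,
)


def find_eval_calls(root):
    """Return (relative path, line number, verdict, line) for every eval( in *.php under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if not EVAL_CALL.search(line):
                continue
            verdict = "suspicious" if DECODER_ARG.search(line) else "review"
            hits.append((path.relative_to(root).as_posix(), lineno, verdict, line.strip()))
    return hits


# Constructed sample tree (not real plugin or theme code) covering the cases
# the scan must tell apart.
SAMPLE_FILES = {
    "wp-includes/functions.php":
        "<?php\nfunction wp_evaluate($x) { return evaluate($x); }\n",
    "wp-content/plugins/some-plugin/formula.php":
        "<?php\n$result = eval('return ' . $formula . ';');\n",
    "wp-content/themes/some-theme/functions.php":
        "<?php\n$engine->eval($template);\n",
    "wp-content/uploads/2024/cache.php":
        "<?php @eval(base64_decode('ZWNobyAnSGVsbG8gd29ybGQnOw=='));\n",
    "wp-content/uploads/readme.txt":
        "eval( in a text file is not PHP and is not scanned\n",
}


def make_sample_tree(root):
    """Write the constructed sample files below root."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def scan_sample_tree():
    """Build the sample tree in a temporary directory and scan it; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return find_eval_calls(tmp)


if __name__ == "__main__":
    # On a real site, call find_eval_calls("/path/to/wordpress") instead.
    for rel, lineno, verdict, line in scan_sample_tree():
        print(f"{verdict:10} {rel}:{lineno}: {line}")
```

Every "review" hit should be matched to a known plugin or theme that legitimately needs eval; a "suspicious" hit, or any hit under wp-content/uploads, is the pattern this article describes and should be treated as malware until proven otherwise.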

How to stop the eval function

In some cases eval can be disabled from the settings in the server's administration panel.
It is also often suggested that eval can be stopped by adding the following line to php.ini:

disable_functions = "eval"

This setting has no effect on eval. disable_functions only applies to internal functions, and eval is a language construct handled directly by the PHP engine, not a function, so PHP accepts the setting silently and eval keeps working. Do not rely on it; after any change, verify with a one-line test script that calls eval and confirm that the call actually fails.

If you can change the configuration of the server software (that is, you have root privileges, for example on a VPS or AWS), you can disable eval by building and loading the following PHP extension, which blocks eval inside the engine itself:

https://github.com/sjinks/php-disable-eval

* Our scanner can inspect for and detect malware that uses the eval function. Please use this service:
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].