This old WordPress plugin is being used to hack compromised websites

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Update: The WordPress Plugin Team has confirmed to TechRadar Pro that the Eval PHP plugin has been closed, citing concerns over its usage on compromised sites, its age, and the number of active installations before the attacks. 

Cybersecurity researchers at GoDaddy-owned web security firm Sucuri has found that a legitimate WordPress plugin that’s no longer active has been taken over by hackers and is now compromising websites.

Eval PHP - a plugin designed to allow users to add PHP code into articles and blog data - looks to have been last updated a decade ago and has had minimal to no downloads recorded over the past 10 years.

The past month has seen interest in Eval PHP surge to the sum of over 100,000 downloads, with a peak of up to 7,000 downloads per day. 

Eval PHP hack

The Sucuri notice details that the code “uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor.”

Because the backdoor uses $_REQUEST[id] to obtain the executable PHP code, which contains the contents of $_GET, $_POST, and $_COOKIE, it can conceal its parameters by masking as cookies. GET is less detectable than POST, but no less dangerous, says Sucuri.

The findings also uncover that the backdoors are created across multiple posts saved as drafts, thus they are not publicly visible, nor are they as obvious to find as live pages.

Sucuri urges WordPress users to secure their wp-admin panel and to monitor activity. The security firm advises four specific actions:

  • Keep your website patched and up to date with the latest security releases
  • Place your admin panel behind 2FA or some other access restriction
  • Have a regular website backup service running for a rainy day
  • Use a web application firewall to block bad bots and virtually patch known vulnerabilities

The WordPress Plugin Team told TechRadar Pro:

"WordPress plugins are third-party software created by independent developers and organizations to extend the functionality of the WordPress CMS. Security is ultimately the responsibility of the plugin developer(s), and the Plugin team encourages this to the best of its ability.

The WordPress project urges all code in the directory to be as secure as possible, maintained, and updated. To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines and security best practices.

Should a plugin be found or reported to have security issues, it will be preemptively closed until the situation is resolved. In extreme cases, the plugin may be updated by the WordPress Security team and propagated for the general public's safety.

While the project doesn’t officially comment on third-party plugins, it is worth clarifying that there is no reported vulnerability issue in the Eval PHP WordPress plugin. The fact that it has not been updated does not necessarily indicate that it is not active and, in this case, does not seem to be the source of the attack itself, as hackers still need administrator access to websites to install any plugins. Once a site is compromised, they can use this or other re-infection methods to inject backdoors into the database. Hence the importance of complying with all recommended security practices to prevent sites from being compromised."

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!