This old WordPress plugin is being used to hack compromised websites

Keep an eye on your wp-admin

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Update: The WordPress Plugin Team has confirmed to TechRadar Pro that the Eval PHP plugin has been closed, citing concerns over its usage on compromised sites, its age, and the number of active installations before the attacks.

Cybersecurity researchers at GoDaddy-owned web security firm Sucuri has found that a legitimateWordPress pluginthat’s no longer active has been taken over by hackers and is now compromising websites.

Eval PHP - a plugin designed to allow users to add PHP code into articles and blog data - looks to have been last updated a decade ago and has had minimal to no downloads recorded over the past 10 years.

The past month has seen interest in Eval PHP surge to the sum of over 100,000 downloads, with a peak of up to 7,000 downloads per day.

Eval PHP hack

The Sucurinoticedetails that the code “uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor.”

Because the backdoor uses $_REQUEST[id] to obtain the executable PHP code, which contains the contents of $_GET, $_POST, and $_COOKIE, it can conceal its parameters by masking as cookies. GET is less detectable than POST, but no less dangerous, says Sucuri.

These are the best malware removal tools>WordPress sites are being attacked with another major plugin hack>WordPress force updates thousands of websites following WooCommerce security breach

The findings also uncover that the backdoors are created across multiple posts saved as drafts, thus they are not publicly visible, nor are they as obvious to find as live pages.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sucuri urgesWordPressusers to secure their wp-admin panel and to monitor activity. The security firm advises four specific actions:

The WordPress Plugin Team toldTechRadar Pro:

“WordPress plugins are third-party software created by independent developers and organizations to extend the functionality of the WordPress CMS. Security is ultimately the responsibility of the plugin developer(s), and thePlugin teamencourages this to the best of its ability.

The WordPress project urges all code in the directory to be as secure as possible, maintained, and updated. To this end,guidelinesexist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines andsecurity best practices.

Should a plugin be found orreportedto have security issues, it will be preemptively closed until the situation is resolved. In extreme cases, the plugin may be updated by the WordPress Security team and propagated for the general public’s safety.

While the project doesn’t officially comment on third-party plugins, it is worth clarifying that there is no reported vulnerability issue in the Eval PHP WordPress plugin. The fact that it has not been updated does not necessarily indicate that it is not active and, in this case, does not seem to be the source of the attack itself, as hackers still need administrator access to websites to install any plugins. Once a site is compromised, they can use this or other re-infection methods to inject backdoors into the database. Hence the importance of complying with all recommended security practices to prevent sites from being compromised.”

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call