Cybersecurity researchers at GoDaddy-owned web security firm Sucuri has found that a legitimate WordPress plugin that’s no longer active has been taken over by hackers and is now compromising websites.
Eval PHP - a plugin designed to allow users to add PHP code into articles and blog data - looks to have been last updated a decade ago and has had minimal to no downloads recorded over the past 10 years.
The past month has seen interest in Eval PHP surge to the sum of over 100,000 downloads, with a peak of up to 7,000 downloads per day.
Eval PHP hack
The Sucuri notice details that the code “uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor.”
Because the backdoor uses $_REQUEST[id] to obtain the executable PHP code, which contains the contents of $_GET, $_POST, and $_COOKIE, it can conceal its parameters by masking as cookies. GET is less detectable than POST, but no less dangerous, says Sucuri.
The findings also uncover that the backdoors are created across multiple posts saved as drafts, thus they are not publicly visible, nor are they as obvious to find as live pages.
WordPress did not immediately respond to TechRadar Pro’s request for comment on its policy regarding abandoned plugins. For now, Sucuri urges WordPress users to secure their wp-admin panel and to monitor activity. The security firm advises four specific actions:
- Keep your website patched and up to date with the latest security releases
- Place your admin panel behind 2FA or some other access restriction
- Have a regular website backup service running for a rainy day
- Use a web application firewall to block bad bots and virtually patch known vulnerabilities
- Don’t fancy setting yourself up on WordPress? Here are the best free website builders