The Right Way to Disable Eval() in PHP

eval() is one of the most dangerous utilities in PHP, as it can be used to execute arbitrary code, which can lead to unpredictable consequences. Attackers can use this language construct to inject malicious code into your web server and potentially gain access through it. There are many bad bots that try to use eval() to include or access your web server files. These are known as file inclusion attacks, which can lead to sensitive data exposure, remote code execution, or complete control over the server. Even if these attacks do not manage to compromise the security of your web server, they can still do harm to it, as attackers may send too many requests at once, leading to server downtime. If you are running a WordPress website, chances are you don't need eval() and you should disable it. Most of the tutorials on the internet do not get it right; in this guide, I will show you a reliable method that completely disables eval() in PHP and stops attackers from harming your server.

How to disable eval() in php

Most of the tutorials on the internet suggest adding it to the disable_functions directive in the php.ini file:

disable_functions = "exec, system, eval"

However, this does not work for eval() because, technically, it is not a PHP function but a language construct. Simply adding it to disable_functions has no effect, and attackers will continue to try to exploit your web server. The good news is that there is an alternative: a PHP extension called PHP Evil. Don't be confused by the name of the extension: it is a good extension, not an evil one. In fact, it is a life-saver. It works for servers that run PHP >= 8.0. (For older versions of PHP, you can try the Suhosin extension.)

1. Download PHP Evil source code

Go to the extensions folder of your php installation (you can check extension_dir in phpinfo if you don’t know where that is) and clone the source repo:

git clone https://github.com/frontdevops/php-evil

After that, prepare the code for compiling:

cd php-evil
phpize

Then, compile the php extension:

./configure --enable-hide-presence
make && make install

Next, add the extension to php.ini:

extension=evil.so

Finally, restart PHP and check whether the phpinfo output has been updated. It should show the following:

Eval is not a function

Note: If you are using the OPcache PHP extension, you might run into a warning: "PHP Warning: JIT is incompatible with third party extensions that override zend_execute_ex(). JIT disabled. in Unknown on line 0". Unfortunately, I did not find an easy way to use both extensions together, so the quick solution for that is to just disable OPcache by removing it from the php.ini file.

Disclaimer: After disabling eval(), check that your site continues to work as expected. In general, if a plugin or a theme relies on eval(), it creates a security risk for you and you should get rid of it immediately. However, if for some reason you are stuck with code that depends on eval(), disabling it might break the existing functionality of your site.
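Two checks that go with the steps above, as an added example rather than code from the post or from the PHP Evil project: one scans a WordPress tree for plugin or theme code that calls eval() (so you know what might break before you enable the extension, as the disclaimer advises), the other confirms that saved phpinfo output contains the "Eval is not a function" marker the post says appears once evil.so is loaded. The wp-content layout, the file names and the phpinfo text used in the test are constructed; the marker and warning strings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of the php-evil project.
#
# find_eval_usage DIR        list every eval() call in *.php files under DIR
# count_eval_usage DIR       number of such calls (quick go/no-go figure)
# eval_disabled FILE         exit 0 if FILE (saved output of `php -i`)
#                            contains the marker quoted in the post
# jit_conflict_logged FILE   exit 0 if FILE (a PHP error log) contains the
#                            OPcache JIT warning quoted in the post

# Print "file:line:code" for each eval() call. The pattern requires eval to
# stand on its own (so a helper named my_eval( is not reported) and allows
# whitespace between eval and the opening parenthesis, which PHP permits.
find_eval_usage() {
    dir="$1"
    find "$dir" -type f -name '*.php' -exec \
        grep -HnE '(^|[^[:alnum:]_])eval[[:space:]]*\(' {} + 2>/dev/null
}

# Count matching lines; prints 0 when nothing was found.
count_eval_usage() {
    find_eval_usage "$1" | wc -l | tr -d ' '
}

# The marker text is the line the post says phpinfo shows after the
# extension is loaded. Save it first with:  php -i > phpinfo.txt
eval_disabled() {
    grep -q 'Eval is not a function' "$1"
}

# If this matches, OPcache's JIT was switched off by the conflict the post
# describes; decide whether to keep OPcache or remove it from php.ini.
jit_conflict_logged() {
    grep -q 'JIT is incompatible with third party extensions' "$1"
}
```

Run find_eval_usage against wp-content before enabling the extension and review each hit; a non-zero count means something on the site may stop working once eval() is gone.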