I received a report from someone that on of my plugins contained malicious code, detected by Wordfence.
This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘urldecode’ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
Now I looked into the code (it's part of a library, not my code), and there's no eval function in it. There is an
$eval string in there, but that's completely harmless of course. Is there a possibility to detect whether it's actually a function and not a variable?