URGENT: Wordfence identified one of the theme files as potential malware!!!

  • Today, I updated the evolve theme on my site to the latest version and also installed the redux framework plugin it recommended.

    A few minutes ago, Wordfence completed its daily scan of my website and I got the following notice:

    This file may contain malicious executable code:
    …/wp-content/themes/evolve/library/admin/redux-extensions/extensions/vendor_support/vendor/ace_editor/mode-php.js

    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code.

    Can you please explain? Is your code secure or did you have a breach?

Viewing 6 replies - 1 through 6 (of 6 total)

  • I just updated as well, and would also like to know the answer to this.

    as we use embedded redux framework in our theme, and it passes the wp check procedure and it’s downloaded hundred of thousand times there is no need to worry. it’s safe.

    Ok so you say it is safe and it most likely is but we still get the Warning from Wordfence. There must be a reason?

    Hi Manfredk,

    Wordfence is a plugin that scans for coding pattern and functions that could be used by hackers.

    The PHP function eval https://php.net/manual/en/function.eval.php as well as base64_decode https://php.net/manual/en/function.base64-decode.php are all built in PHP core functions.

    The Wordfence plugin does not have artificial intelligence, it is not able to differentiate if those functions are put to good use or bad use. It can only show you warning when it detects them, so that you can get a programmer to look at it, to determine if it is malicious code.

    In this case, the Author of Evolve Theme, has step out and say that it is safe, and it has also passed WordPress checks, and the Theme is still available for downloading. So we can say that it is safe to use.

    Thanks!

    Lead dev of Redux here. I just wanted to help you all understand what is going on here.

    First, Ace Editor is an open source project used by endless companies on the net. You can see details about it here: https://ace.c9.io/

    The Wordfence is giving a PHP flag error for a JavaScript file, which means it’s just mass searching for strings using regex. If you search the source of the file in question (https://github.com/ajaxorg/ace/blob/master/lib/ace/mode/php/php.js). you’ll see that there is NO eval() anywhere, but there is reference to the EVAL name. Which means they’re just searching for eval, not eval( or eval (.

    My suggestion is you contact Wordfence and suggest to them to improve their regex, so that something as simple as this does not cause an error. For truly, this is a false alarm.

    Best of luck!

    Hi Dovy & Denzel
    Thank you for the Explanation. It makes sense. I continue to use both Redux and Wordfence.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘URGENT: Wordfence identified one of the theme files as potential malware!!!’ is closed to new replies.

Tags