This on its own might be only security done half, but I thought the idea is not that bad to spread the word. It can be normally setup in seconds on the various linux based hostings out there: disable eval.
Most WordPress exploits are used to place Worms or Backdoor scripts onto the server. They turn it into a Web-Drone to hack other Blogs, send Spam, deeper attack your server, store payloads for other attacks and all that stuff. You just do not want that.
Most of the backdoor-scripts I’ve seen on hacked wordpress installations make heavy use of the eval language construct in PHP. So the simple idea is to disable eval. This works well with WordPress, because since some month the code is eval-free™. Related ticket is #9602.
For example this can be done with a PHP Extension called Suhosin:
suhosin.executor.disable_eval = On
The Suhosin configuration can be edited within your php.ini file. If you’re unsure wether or not your changes did work, use phpinfo() to display all the configuration settings (if it’s not disabled 😉 ).
“If eval() is the answer, then you asked the wrong question”.
If you think things can not be done w/o eval, take a look on this sample code I provided to patch wordpress core to remove eval out of permalinks parsing. That eval in there has been used for many wordpress exploits and it was long overdue to be removed.
So again: It’s possible to remove eval very often, just throw it out of your plugins and themes if you have it in there. And do yourself a favor and do not use Themes or Plugins that contain eval.
But I’ve already been hacked!
Especially when your Blog got hacked, this suhosin setting comes in handy. As reported in a previous post, hacked blogs can contain tons of eval-code after being attacked. With that suhosin setting, those attacks are removed w/o actually removing the code. That’s somehow dirty but in case you’ve been attacked, this can save you at least some more headaches in a snap of a second.
Read on: Comprehensive WordPress Guide with many Ideas how to secure a Blog (19 APR 2010).