
WordPress Security: How to Secure WordPress Using Snuffleupagus

Improving WordPress Security Using Snuffleupagus

Background

Today we will look at one way to improve WordPress security. A few days ago, one of our clients' websites was hacked. The attackers replaced the main page with a gambling site. When we looked closely at the website's files, we found several backdoors the attackers had planted. These backdoors let them get back into the website whenever they wanted.

When we looked at the code of these backdoors, we saw calls to eval(). eval() is dangerous because it executes whatever PHP code it is given, so a backdoor only needs to feed it attacker-controlled input.
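Finding eval() inside a backdoor, as described above, is usually done by searching the site's PHP files for it. The following Python script is an added example (not part of the original post) that does this search over a few constructed sample files and ranks each hit by how backdoor-like it looks: an eval() call combined with a decoder such as base64_decode() and with request input (e.g. $_POST) is far more suspicious than eval() alone. The function names and sample file contents are hypothetical.

```python
import re
from pathlib import Path

# Constructed sample files for the demonstration; not taken from the hacked site.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": "<?php\n$x = base64_decode($_POST['c']);\neval($x);\n",
    "wp-content/plugins/foo/foo.php": "<?php\n// eval() is intentionally not used here\necho 'hi';\n",
    "wp-content/themes/t/functions.php": "<?php\neval(gzinflate(base64_decode('SGVsbG8=')));\n",
}

EVAL_RE = re.compile(r"\beval\s*\(")
# Decoders commonly wrapped around eval() to hide the real payload.
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")
# Superglobals that carry attacker-controlled input.
INPUT_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")


def strip_comments(src: str) -> str:
    """Drop /* */ and // or # line comments so a mention of eval in a comment is not flagged."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#).*", "", src)


def scan_source(path: str, src: str):
    """Return a finding dict for one PHP file, or None if it contains no eval() call."""
    code = strip_comments(src)
    if not EVAL_RE.search(code):
        return None
    reasons = ["eval()"]
    if DECODER_RE.search(code):
        reasons.append("decoder")
    if INPUT_RE.search(code):
        reasons.append("request input")
    # Score is simply the number of indicators present (1 to 3); higher means review first.
    return {"path": path, "reasons": reasons, "score": len(reasons)}


def scan_files(files: dict):
    """Scan a {path: source} mapping and return findings, most suspicious first."""
    findings = [f for f in (scan_source(p, s) for p, s in files.items()) if f]
    return sorted(findings, key=lambda f: -f["score"])


def scan_tree(root: str):
    """Scan every .php file under a real directory, e.g. a WordPress docroot."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['score']}  {f['path']}  ({', '.join(f['reasons'])})")
```

Run scan_tree("/var/www/html") against a real install to get the same ranked list; eval() also appears in some legitimate plugins, so the score is a triage order, not a verdict.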

[Image: the eval() call found in the backdoor code]

Disabled Functions

I remembered clearly that I had already added eval to the disable_functions list in the PHP configuration.

[Image: eval listed in disable_functions]

But the eval call could still be executed.

Eval isn’t a function

After that, I found an answer explaining that eval is actually a language construct, not a function. This means it is a built-in part of PHP itself, like include and require. Because of this, the disable_functions setting, which only covers real functions, has no effect on eval. This makes sense.

How do we disable eval?

Then I thought about how we could disable eval. After searching for alternatives to disable_functions, I found a security extension for PHP called Snuffleupagus. Here is the rule that disables eval using Snuffleupagus:

sp.disable_function.function("eval").drop();

Saved in /etc/php/7.4/fpm/default.rules

Then we pointed the PHP-FPM pool configuration at that rules file, so it looks like this:

php_admin_value[sp.configuration_file] = /etc/php/7.4/fpm/rules/default.rules

Results

Here is the comparison:

Without Snuffleupagus

[Image: eval executes without Snuffleupagus]

With Snuffleupagus

[Image: eval blocked by Snuffleupagus]

As you can see, Snuffleupagus blocks the eval call, which disable_functions in php.ini cannot do. It has many more features that can strengthen the security of your PHP code.

Conclusion

So that's how to improve WordPress security with Snuffleupagus. We've seen how it can make PHP code safer by blocking dangerous constructs like eval that the normal PHP settings can't. If you're running PHP websites or apps, it's worth looking into Snuffleupagus. Check out its documentation to learn more about what it can do.

Remember, good security means always looking for better ways to protect your application.

By using tools like Snuffleupagus, you can make your PHP project much harder for attackers to break into. It's an extra step that can make a big difference in keeping your sites and data safe.

Author

  • Dede Nugroho WPSora

    Hi, I'm Dede Nugroho. I enjoy sharing what I know with others. I'm passionate about security and have experience developing WordPress plugins.
