What are these eval warnings?

Why is defender pro starting to give me suspicious file warnings for “eval”

(The function eval called at line 66 column 14, which should be avoided whenever possible.)

Is it not safe or what? A lot of my 3rd party plugins show up as having that so what should I do, do I have to contact each plugin dev & tell them to stop using that?

  • Ash
    • WordPress Hacker

    Hello Jonathan

    When you use eval function, you don’t know what’s going on there. Some nulled plugins and bad developers (I would not call them developers) use that function to put malicious code in your plugin. But still, eval is needed for some purpose. So you should use plugins from trusted authors. You can read more here: https://stackoverflow.com/questions/951373/when-is-eval-evil-in-php

    Anyway, defender scans your files and check if there is any functions like this. If you get any eval notification, then you may ask the plugin author to check if that is okay. If the plugin author is not trusted, I recommend not to use that plugin, but still it’s your call.

    Hope it helps! Please feel free to ask more questions if you have any.

    Have a nice day!



    • Jonathan
      • A Tiger In Human Form

      I am contacting the plugin devs one of them said it’s a google calander function put in by Google not them, does this look like I can safely ignore?

      eval('$func = function ($_action, &$self, $_text) { ' . $init_crypt . 'if ($_action == "encrypt") { ' . $encrypt . ' } else { ' . $decrypt . ' } };');

  • Nithin
    • Support Wizard

    Hi Jonathan,

    It looks more like a false positive. If the plugin developer has confirmed it’s safe then it should be fine, and you can mark the Scan results for the reported function as “Ignore”.

    What Defender Pro Scan does is highlight wherever eval() function is used, so that the admin is aware of such functions, as there are chances eval functions could be exploited, but when used correctly it should be fine.

    To double check, you can compare with the latest version of your plugin, with the reported file, and if they are same once comapred, then it should be more of a false positive, and you can Ignore the scan result.

    I hope it’s clear. Please let us know if you have any further query. Have a nice day ahead.

    Best Regards,


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.