How to Fix the WordPress White Screen of Death Caused by “Zeura” Malware
Is your WordPress site suddenly showing a blank white page? This phenomenon, known as the WordPress White Screen of Death (WSOD), is terrifying for site owners. While plugins or themes are usually the culprits, a specific type of WordPress malware is increasingly responsible for this crash.
In this post, we analyze a specific malware sample (often tagged as “PHP Encode by zeura.com”), decode how it works, and provide a step-by-step guide on how to fix WordPress White Screen of Death malware and secure your site.
The Symptom: Why Malware Causes the White Screen of Death
The White Screen of Death usually indicates a PHP error that stops the script from executing, but “Display Errors” is turned off in your WordPress configuration.
Malware causes this for three primary reasons:
- PHP Version Incompatibility: The malware is old and uses functions (like
create_function) that have been removed in newer versions of PHP (8.0+). When the malware tries to run, it triggers a fatal error. - Syntax Errors: The hackers often copy-paste obfuscated code incorrectly. A single missing semicolon in the injected code crashes the entire site.
- Resource Exhaustion: The malware may try to send thousands of spam emails or mine crypto, exhausting your server’s memory limit.
Anatomy of the “Zeura” Malware Sample
We recently analyzed a malware sample often found in the header.php or index.php of infected themes. Here is the raw code structure:
<?php /*** PHP Encode v1.0 by zeura.com ***/
$XnNhAWEnhoiqwciqpoHH=file(__FILE__);
eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4..."));
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
__halt_compiler();
// ... [Encrypted Binary Data follows here] ...
Decoding the Malware: How It Works
This is a Self-Extracting Dropper. It doesn’t look like normal code because it hides its malicious logic inside the file itself, usually after the __halt_compiler(); command.
Here is the step-by-step technical breakdown of the obfuscation:
- File Read (
file(__FILE__)):
The variable$XnNhAWEnhoiqwciqpoHHreads the content of the current file into an array. It effectively reads its own source code. - The First Layer (
YiunIUY76bBhuhNYIO8):
The firstevaldecodes a Base64 string which creates a helper function. This function is a slicer. It looks at the file array and grabs specific lines of code defined by offsets (e.g., lines 655 to 800). - The Second Layer (
ZsldkfhGYU87iyihdfsow):
The script runs a secondevalto create another function. This function is the inflator. It usually performsgzinflate(base64_decode($data)). - The Payload Execution:
The final line executes the logic:- It grabs the gibberish data stored after
__halt_compiler();. - It passes it through the inflator function.
- It
evals(executes) the result.
- It grabs the gibberish data stored after
What is inside the payload?
Once decoded, this specific malware usually reveals a PHP Web Shell (Backdoor) or a Link Injector. It allows the attacker to modify files remotely, inject spam links (pharmaceuticals, casinos) into your footer, or redirect your visitors to scam sites.
Step-by-Step: WordPress Malware Removal Guide
If your site has the White Screen of Death, follow these steps to clean WordPress site infected with malware.
Step 1: Access Your Server via FTP
Since the dashboard is inaccessible (WSOD), you must use an FTP client (like FileZilla) or your hosting control panel’s File Manager.
Step 2: Check index.php and wp-config.php
This specific “zeura” malware often infects the root index.php or wp-config.php.
- Open
index.phpin the root folder. - Look for the
<?php /*** PHP Encode v1.0 by zeura.com ***/line at the very top. - The Fix: Compare the file with a clean version from the official WordPress.org repository. Usually, the default
index.phpis very short. If you see a massive block of base64 text, replace the file entirely with the clean version.
Step 3: Check Your Theme’s functions.php
The malware often hides in your active theme.
- Navigate to
/wp-content/themes/your-active-theme/. - Open
functions.phpandheader.php. - Remove any code resembling the sample above. Note: Back up the file before editing!
Step 4: Reinstall WordPress Core
To ensure all core files are clean:
- Download the latest WordPress ZIP.
- Extract it on your computer.
- Upload the
wp-adminandwp-includesfolders to your server, overwriting the old ones. - Do NOT overwrite
wp-contentorwp-config.php(clean those manually).
Prevention: Securing Your Site Against Future Attacks
Once you fix WSOD WordPress issues, you must lock the door.
- Disable File Editing: Add this line to your
wp-config.phpto stop hackers from using the dashboard to edit files:
define( 'DISALLOW_FILE_EDIT', true ); - Install a Security Plugin: Use Wordfence or Sucuri for WordPress malware detection. They can scan for obfuscated code patterns like
eval(base64_decode(. - Change All Passwords: Database, FTP, and WordPress Admin passwords must be changed immediately after cleanup.
FAQ: WordPress Malware & WSOD
Q: Can I use an automatic plugin to fix the White Screen of Death?
A: No. If you have the WSOD, you cannot access the plugin dashboard. You must perform a manual cleanup via FTP first to restore access, then run a scan.
Q: Why does the malware mention “zeura.com”?
A: Zeura was a legitimate PHP encoding tool years ago. Hackers use cracked or modified versions of this tool to obfuscate (hide) their virus code so that simple scanners cannot read it.
Q: Is “eval(base64_decode)” always malware?
A: In the context of WordPress core files or themes, yes, it is almost 99.9% malicious. Legitimate developers rarely use eval for encryption in this manner.
