DEV Community

MD Pabel

Posted on • Originally published at mdpabel.com on

How to Fix the WordPress White Screen of Death Caused by “Zeura” Malware

Is your WordPress site suddenly showing a blank white page? This phenomenon, known as the WordPress White Screen of Death (WSOD), is terrifying for site owners. While plugins or themes are usually the culprits, a specific type of WordPress malware is increasingly responsible for this crash.

In this post, we analyze a specific malware sample (often tagged as “PHP Encode by zeura.com”), decode how it works, and provide a step-by-step guide to fixing a malware-induced WordPress White Screen of Death and securing your site.


The Symptom: Why Malware Causes the White Screen of Death

The White Screen of Death usually indicates a PHP error that stops the script from executing while “Display Errors” is turned off in your WordPress configuration, so the visitor gets a blank page instead of an error message.

Malware causes this for three primary reasons:

  • PHP Version Incompatibility: The malware is old and uses functions (like create_function) that have been removed in newer versions of PHP (8.0+). When the malware tries to run, it triggers a fatal error.
  • Syntax Errors: The hackers often copy-paste obfuscated code incorrectly. A single missing semicolon in the injected code crashes the entire site.
  • Resource Exhaustion: The malware may try to send thousands of spam emails or mine crypto, exhausting your server’s memory limit.

Anatomy of the “Zeura” Malware Sample

We recently analyzed a malware sample often found in the header.php or index.php of infected themes. Here is the raw code structure:

<?php / ***PHP Encode v1.0 by zeura.com*** / 
$XnNhAWEnhoiqwciqpoHH=file( __FILE__ );
eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4..."));
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
__halt_compiler();
// ... [Encrypted Binary Data follows here] ...


Decoding the Malware: How It Works

This is a Self-Extracting Dropper. It doesn’t look like normal code because it hides its malicious logic inside the file itself, usually after the __halt_compiler(); command.

Here is the step-by-step technical breakdown of the obfuscation:

  1. File Read (file( __FILE__ )): The call reads the content of the current file into an array, which is stored in the variable $XnNhAWEnhoiqwciqpoHH. The script effectively reads its own source code.
  2. The First Layer (YiunIUY76bBhuhNYIO8): The first eval decodes a Base64 string which creates a helper function. This function is a slicer. It looks at the file array and grabs specific lines of code defined by offsets (e.g., lines 655 to 800).
  3. The Second Layer (ZsldkfhGYU87iyihdfsow): The script runs a second eval to create another function. This function is the inflator. It usually performs gzinflate(base64_decode($data)).
  4. The Payload Execution: The final line executes the logic:
    • It grabs the gibberish data stored after __halt_compiler();.
    • It passes it through the inflator function.
    • It evals (executes) the result.
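
The same chain can be followed statically, without ever calling eval. The script below is an added example, not code from the original post: it assumes the data after __halt_compiler(); is Base64 over raw DEFLATE (the format PHP's gzinflate reads), and the sample file it builds, including the name hypothetical_slicer, is constructed with a harmless payload.

```python
from __future__ import annotations

import base64
import re
import zlib

HALT = b"__halt_compiler();"
# eval(base64_decode("...")) with a quoted literal: the first-layer helper
LITERAL_EVAL = re.compile(
    rb"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']""")


def decode_literal_layers(source: bytes) -> list[bytes]:
    """Decode every eval(base64_decode("literal")) without executing it."""
    return [base64.b64decode(m.group(1)) for m in LITERAL_EVAL.finditer(source)]


def decode_trailer(source: bytes) -> bytes | None:
    """Inflate the data stored after __halt_compiler(); (assumed encoding)."""
    _, found, trailer = source.partition(HALT)
    if not found or not trailer.strip():
        return None
    blob = base64.b64decode(b"".join(trailer.split()))
    # wbits=-15 selects raw DEFLATE, which is what PHP's gzinflate() expects
    return zlib.decompress(blob, -15)


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an infected file; the payload is harmless."""
    helper = b"function hypothetical_slicer($lines, $part = 0) { /* ... */ }"
    payload = b"<?php /* constructed placeholder payload */ echo 'decoded';"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(payload) + comp.flush()
    return (
        b"<?php\n$src=file(__FILE__);\n"
        b'eval(base64_decode("' + base64.b64encode(helper) + b'"));\n'
        b"__halt_compiler();\n" + base64.b64encode(deflated) + b"\n"
    )


if __name__ == "__main__":
    sample = build_constructed_sample()
    for layer in decode_literal_layers(sample):
        print("helper layer:", layer.decode(errors="replace"))
    print("payload:", decode_trailer(sample).decode(errors="replace"))
```

Run it against a copy of the suspicious file on an analysis machine, not on the web server; the output is only printed, never executed.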

What is inside the payload?

Once decoded, this specific malware usually reveals a PHP Web Shell (Backdoor) or a Link Injector. It allows the attacker to modify files remotely, inject spam links (pharmaceuticals, casinos) into your footer, or redirect your visitors to scam sites.


Step-by-Step: WordPress Malware Removal Guide

If your site has the White Screen of Death, follow these steps to clean a WordPress site infected with malware.

Step 1: Access Your Server via FTP

Since the dashboard is inaccessible (WSOD), you must use an FTP client (like FileZilla) or your hosting control panel’s File Manager.

Step 2: Check index.php and wp-config.php

This specific “zeura” malware often infects the root index.php or wp-config.php.

  1. Open index.php in the root folder.
  2. Look for the <?php / ***PHP Encode v1.0 by zeura.com*** / line at the very top.
  3. The Fix: Compare the file with a clean version from the official WordPress.org repository. Usually, the default index.php is very short. If you see a massive block of base64 text, replace the file entirely with the clean version.

Step 3: Check Your Theme’s functions.php

The malware often hides in your active theme.

  1. Navigate to /wp-content/themes/your-active-theme/.
  2. Open functions.php and header.php.
  3. Remove any code resembling the sample above. Note: Back up the file before editing!

Step 4: Reinstall WordPress Core

To ensure all core files are clean:

  1. Download the latest WordPress ZIP.
  2. Extract it on your computer.
  3. Upload the wp-admin and wp-includes folders to your server, overwriting the old ones.
  4. Do NOT overwrite wp-content or wp-config.php (clean those manually).
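
Reinstalling core leaves wp-content to manual review, so a quick triage pass helps decide which files to open first. The scanner below is an added example, not part of the original post: its indicators come from the sample shown earlier, while the directory layout and file contents in demo() are constructed.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators taken from the malware sample shown in this post
INDICATORS = {
    "zeura_header": re.compile(rb"PHP Encode v1\.0 by zeura\.com"),
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "self_read": re.compile(rb"file\s*\(\s*__FILE__\s*\)", re.I),
    # __halt_compiler(); followed by more data in the same file
    "halt_with_trailer": re.compile(rb"__halt_compiler\s*\(\s*\)\s*;\s*\S", re.I),
}
PHP_SUFFIXES = {".php", ".phtml", ".inc"}


def scan_file(path: Path) -> list[str]:
    """Return the names of all indicators found in one file."""
    data = path.read_bytes()
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged PHP file (path relative to root) to its indicators."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed theme folder: one clean file, one infected one."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "themes" / "example-theme"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_bytes(
            b"<?php add_action('init', 'example_setup');\n")
        (theme / "header.php").write_bytes(
            b"<?php /* PHP Encode v1.0 by zeura.com */\n$x=file( __FILE__ );\n"
            b'eval(base64_decode("AAAA"));\n__halt_compiler();\nQUJDRA==\n')
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", ", ".join(hits))
```

A hit is a lead for manual review, not a verdict: PHP archive (phar) stubs, for example, use __halt_compiler() legitimately.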

Prevention: Securing Your Site Against Future Attacks

Once you have fixed the WSOD, you must lock the door.

  • Disable File Editing: Add this line to your wp-config.php to stop hackers from using the dashboard to edit files: define( 'DISALLOW_FILE_EDIT', true );
  • Install a Security Plugin: Use Wordfence or Sucuri for WordPress malware detection. They can scan for obfuscated code patterns like eval(base64_decode(.
  • Change All Passwords: Database, FTP, and WordPress Admin passwords must be changed immediately after cleanup.

FAQ: WordPress Malware & WSOD

Q: Can I use an automatic plugin to fix the White Screen of Death?

A: No. If you have the WSOD, you cannot access the plugin dashboard. You must perform a manual cleanup via FTP first to restore access, then run a scan.

Q: Why does the malware mention “zeura.com”?

A: Zeura was a legitimate PHP encoding tool years ago. Hackers use cracked or modified versions of this tool to obfuscate (hide) their virus code so that simple scanners cannot read it.

Q: Is “eval(base64_decode)” always malware?

A: In the context of WordPress core files or themes, yes: it is malicious almost 99.9% of the time. Legitimate developers rarely use eval for encryption in this manner.
