First of all, thank you for sharing your rules. I am pretty new to YARA, so apologies if I just ask stupid questions.
I just tested your rules on a clean WordPress installation, but I notice that it reports a lot of false positives. I created a new, clean WordPress installation via the WP-CLI. A scan on this with Pressidium-commons-init.yar gives a lot of false positives. An installation with many plugins gives even more.
How do you eliminate these false positives? How do you do this with your customer base, for example?
$ wp core download
Downloading WordPress 6.4.3 (en_US)...
md5 hash verified: 8e664626c12cb6daea37c8a90d8080d8
Success: WordPress downloaded.
$ yara --version
4.3.2
$ yara -r pressidium-yara-rules/Pressidium-commons-init.yar . > scan.log
warning: rule "common_encoding_php" in ../pressidium-yara-rules/Commons/Pressidium-common-encodings.yar(23): using literal string ".js" in a boolean operation.
warning: rule "Detect_Eval_Usage" in ../pressidium-yara-rules/Commons/Pressidium-common-eval-usage.yar(21): string "$eval4" may slow down scanning
warning: rule "Detect_Eval_Usage" in ../pressidium-yara-rules/Commons/Pressidium-common-eval-usage.yar(29): $eval_function2 contains .*, .+ or .{x,} consider using .{,N}, .{1,N} or {x,N} with a reasonable value for N