This blog post will walk you through the WP-VCD malware attack and how to clean up after it.
The malware known as “wp-VCD” infects WordPress core through the known “themes” available on the platform. WP-VCD malware hides in legitimate WordPress files and is used to add an admin user. This attack gets access to website server resources. As a result, other websites on the same server are infected. Also, this attack slows down the WordPress website and other websites on the same server. Until you can’t identify and delete the malware root, you will see it appear multiple times.

What is WP-VCD malware?

WP-VCD malware comes with pirated versions of paid themes or plugins that this malware has pre-installed. This attack creates a backdoor as an admin user who allows hackers to access the entire website. The attacker adds a new admin user like “username: 100010010”. And they also infused malicious code to rewrite into WordPress core files like function.php and class.wp.php et cetera. WP-VCD malware attack is difficult to detect as a web owner because the output of this infection is often not visible.

Causes of WP-VCD hack

Pirated version of WordPress themes and plugins is the primary source of this malware. The provider of those free null or pirated plugin themes spreads VCD malware by pre-installing plugins and themes. One example of those free null providers with malware is “downloadfreeethemes.” Once you install a plugin or theme downloaded from an untrusted source, your website may get infected immediately. The other websites are on the same control panel within a few minutes. However, you may not be able to know that immediately.
Another way to spread wp-vcd malware is outdated software with unrestricted file upload vulnerability.

Identify a WP-VCD malware

  1. First of all, check the admin user of your WordPress website. See if there are any unknown administrator accounts, for example, username: “,” “” etc.
  2. Compare core files between the WordPress website and the original WordPress version. There might have been malicious files like wp-vcd.php and wp-tmp.tmp.
  3. Check your website if some pages redirect users to a suspicious website.
  4. Sometimes, websites are infected with SEO spam. Which shows up in the Google search results in Japanese keywords or Pharma attack.
  5. Check if the website suddenly used high system resources.
  6. Check for malicious JavaScript code in your website source code
  7. Use WAF (Web Application Firewall) plugin to check any changes in your website’s core file, specifically wp-includes and wp-admin folders.
  8. Scan your website using a Security & malware scanner to detect your website is hacked or not.

WP-VCD malware injected files sample

In most cases, we get the below files infected with this VCD script.

  • wp-content/themes/themename/functions.php
  • WP-VCD.php
  • wp-includes/post.php
  • wp-includes/wp-vcd.php
  • wp wp-includes/wp-cd.php
  • includes/class.wp.php
  • wp-includes/wp-feed.php
  • wp-includes/wp-tmp.php

Also, the source of this infection, the pirated or null plugin or theme version, contains a file as class.plugin-modules.php


Sample wp-includes/post.php

Sample ../wp-includes/wp-vcd.php

Clean a WP-VCD malware

As the WordPress core is infected, WordPress manual reinstallation is required. Before that, ensure the source plugin or the theme is detected and removed. Otherwise, this infection will be back at any moment.
Here are the steps that should be taken to get rid of WordPress VCD malware.

  1. Identify the source plugin or theme and the source website if multiple websites are infected in the same server.
  2. Remove the null plugin or theme that contain a file class.plugin-modules.php
  3. Except wp-content, wp-config.php, .htacess, remove everything else from the domain root directory
  4. Check every theme functions.php file, and check and remove the first block of PHP if you see malicious VCD script
  5. Download a fresh and latest version of WordPress
  6. Extract the downloaded zip, remove the "wp-content" directory, zip it again. upload and extract under the domain directory

Those are the basic steps mentioned above, but the site may still contain malicious files under themes or plugins. Please take professional help to make sure the website is clean and secure.

Does your website secure enough? - Free Security Audit