Quickly Resolve WP-VCD Malware Attack on WordPress
31 July 2019 | 0 comments | Posted by Shamima Ahmed in Geek Chic
If you've been a victim of a malware attack, you know what a pain it can be to get rid of those pesky leeches. Recently one of the websites I manage fell victim to a WP-VCD malware virus. What I thought would be an annoyingly long process to fix actually didn't take long at all.
How Does WP-VCD Latch Onto A Site?
There are numerous ways malware could attach itself to your site. The most common ways for the WP-VCD malware strain to attack are:
- Downloading and installing free pirated premium WordPress themes.
- Downloading and installing free dodgy plugins.
Developers build back doors into the above software, which leaves your site vulnerable to attacks in future.
In my case, I downloaded a premium theme for free a while back to test it before I bought it. Seems a back door was built into the code and it spread through all the local installs, even newer ones.
"Life Lesson: Don't download premium themes and plugins for free!"
Here's how to fix it quickly and easily.
1. Identify the Malware Type
If you have identified the malware virus and are sure it's WP-VCD, then proceed to step 2. If you're not sure, the following symptoms might help you troubleshoot this step.
- Your site is giving a 500 header status error for an unusual reason.
- Examine the directory of your domain. If you find a wp-vcd.php file in the /wp-includes/ directory, it is most probably WP-VCD.
If you're still not sure, try using the Free website security check & malware scanner by Sucuri to identify the issue.
2. Create A Backup
Log into your FTP client and create a backup of your site files on your local machine. Keep these unmodified, in case you delete a file and need to replace it.
3. Delete The Following Malicious Files
For WP-VCD malware, experts recommend starting by deleting the following files. I have left comments from my actual fix to use as a guideline as to what worked for me.
- Delete class.theme-modules.php and class.plugin-modules.php
  - I could not find these files. I searched all the folders; the location of these files was not specified.
- Browse to wp-includes and delete the following files:
  - wp-includes/wp-vcd.php - This is the main file that injects the virus into the other files.
  - wp-includes/class.wp.php - Did not delete this one, as it broke the styles on the website. I did inspect it to find any vcd injections and nothing was found.
  - wp-includes/wp-cd.php - This file was not found either.
  - wp-includes/wp-feed.php - Deleted with no issues.
  - wp-includes/wp-tmp.php - Deleted with no issues.
4. Delete Malicious Code From The Theme Functions.php File
- Browse to your theme file location to find the theme functions.php file. The path usually looks something like: \wp-content\themes\{choose your active theme}
- Open the functions.php file and remove the malware code. This is usually about 150 or more lines inserted in the first function.
- Save and you should be good to go!
5. Delete Suspicious Users
Check both database users and WP website users to see if any suspicious accounts were created. Delete these.
6. Install Protection on your site
Install a WordPress plugin to help identify and protect your site against malware. I recommend Wordfence Security – Firewall & Malware Scan, which helps identify and block malware.
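A read-only check for the artefacts named in steps 1, 3 and 4, as an added example that is not part of the original post: it reports which of the listed files exist and which lines of a theme's functions.php mention them, and it deletes nothing. It goes slightly beyond step 4 by checking every installed theme rather than only the active one. The marker heuristic and the function names scan and build_constructed_site are assumptions made here, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# File names taken from the article's step 3; nothing here comes from outside the page.
WP_INCLUDES_DELETE = ["wp-vcd.php", "wp-cd.php", "wp-feed.php", "wp-tmp.php"]
WP_INCLUDES_REVIEW = ["class.wp.php"]  # the author kept it: removing it broke the styles
NO_KNOWN_LOCATION = {"class.theme-modules.php", "class.plugin-modules.php"}
# Assumption: code injected into functions.php mentions one of these artefacts by name.
MARKERS = WP_INCLUDES_DELETE + sorted(NO_KNOWN_LOCATION)

def scan(root):
    """Read-only scan of a WordPress tree; returned paths are relative to root."""
    root = Path(root)
    report = {"delete": [], "review": [], "functions": []}
    for name in WP_INCLUDES_DELETE + WP_INCLUDES_REVIEW:
        if (root / "wp-includes" / name).is_file():
            key = "review" if name in WP_INCLUDES_REVIEW else "delete"
            report[key].append(f"wp-includes/{name}")
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        # The article gives no location for these two files, so look everywhere.
        if path.name in NO_KNOWN_LOCATION:
            report["delete"].append(rel.as_posix())
        # Step 4, widened to every theme's functions.php instead of only the active one.
        if path.name == "functions.php" and rel.parts[:2] == ("wp-content", "themes"):
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
            hits = [n for n, line in enumerate(lines, 1) if any(m in line for m in MARKERS)]
            if hits:
                report["functions"].append((rel.as_posix(), hits))
    return report

def build_constructed_site(root):
    """Constructed sample tree with harmless placeholder files, for an offline trial."""
    files = {
        "wp-includes/wp-vcd.php": "<?php // placeholder\n",
        "wp-includes/class.wp.php": "<?php // placeholder\n",
        "wp-content/themes/nulled/class.theme-modules.php": "<?php // placeholder\n",
        "wp-content/themes/nulled/functions.php": "<?php\n// include 'wp-vcd.php';\nfunction setup() {}\n",
        "wp-content/themes/clean/functions.php": "<?php\nfunction setup() {}\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_site(tmp)
        print(scan(tmp))
```

Run it first against the unmodified backup from step 2 by passing that folder's path to scan(), then review each reported line by hand before removing anything.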
How Have You Managed To Eradicate Malware?
Have you had a site attacked by a hostile malware virus? How did you manage to evade the attack? Share your story with us in the comments below.
Tags: wordpress, malware, wp-vcd