How to Remove the WP-VCD.php Malware From Your WordPress Site

Aug 26, 2020


Your WordPress security plugin flagged something that looks like this:

Backdoor: PHP/wp-vcd.5473 – malicious code;

And now, you have a bunch of questions:

  • What is the wp-vcd.php malware?
  • What does it mean for your site?
  • How did you even get infected?
  • Can you remove it safely?
  • Should you even pay attention to the warning or is it a false positive?

The only problem is…

… you don’t know exactly who to ask.

Scenario #1:

It’s quite possible that you’ve tried to remove this already and realized that removing this malware can be really difficult. It can infect your site literally anywhere and there are too many variants of this malware to even keep track.

Scenario #2:

Perhaps you’ve even managed to remove the wp-vcd.php malware from your WordPress site. But then you find out that wp-vcd.php is more tenacious than measles and it keeps coming back!

Or, Scenario #3:

Maybe this is the first time you’ve been hit by this malware.

In such a situation, it’s normal to feel lost, confused, and vulnerable.

One of the biggest problems with this malware is that it’s not very visual.

You can’t see it destroying your business.

The worst bit is that the symptoms are very easy to miss, and recognizing them takes some technical knowledge on your end.

Here are a few:

  • Visibly reduced website speed
  • New WordPress admin accounts
  • Increased resource consumption
  • Unknown javascript added to WordPress core files
  • Malicious PHP code within trusted folders

To be very upfront with you, to the untrained eye, this malware simply slips under the radar.

No worries, though.

In this article, we’ll show you how to clean your site and take precautions to stop it from infecting your site ever again.

Let’s dive right in.

What is the WP-VCD Malware and What Does It Do?

The ‘wp-vcd.php’ malware is a piece of malicious PHP code that looks something like this:

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
{
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action'])
    {
        case 'change_domain';
            if (isset($_REQUEST['newdomain']))
}

The way the wp-vcd.php malware works is this:

  • It tries to fetch files on your site that don’t exist
  • When WordPress can’t find the file, it is pushed to look for the same non-existent file again
  • This turns into an infinite loop that hogs all your server resources

In short: the malware causes your site to run super-slow. In some cases, it can even cause your web host to suspend your account for using too many server resources!

But that’s not the only thing that the wp-vcd.php malware does.

It also adds WordPress site users with admin access that the hacker can use to access your site any time they please:

<?php

//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...

The malware usually replicates itself in all WordPress core files and folders.

Why does that matter?

Simple – On the surface, it looks like it’s part of the real WordPress code. So, it’s really difficult to even identify it as malicious code.

At the same time, this code can also sit quietly, waiting for instructions from a hacker, and then inject malicious links into your code – like a WordPress sleeper cell.

Not cool.

So, how can we get rid of it?

That’s up next.

How to Remove the WP-VCD Malware From Your WordPress Site

There are two ways to clean your site:

  • Use a WordPress malware scanner and cleaner plugin
  • Remove the malware manually (NOT RECOMMENDED)

We’ll walk you through both ways. 

But in our professional opinion, never use the manual method.

It’s downright dangerous and can completely wreck your site even if you delete one extra semicolon from the code (that’s right!).

Let’s do this.

Cleaning Your Site Using a WordPress Security Plugin

First things first – are you a MalCare customer already?

If so, then just rest easy.

Seriously, you have it way better than most other people infected by this malware.

But just in case you’re not using MalCare yet, sign up for a FREE scan of your site right now.

Unlike other WordPress malware scanners and cleaners out there, MalCare can instantly pinpoint which parts of your site have been affected by the malware. This makes it really simple for our automated 1-click cleaner to fix your site without damaging it in the process.

MalCare works on a learning algorithm.

This means that the tougher the infection, the harder it fights. And the more malware it sees, the smarter it gets. 

Just FYI: we protect over 250,000 sites and every day MalCare gets that much smarter.

The second your site gets infected, MalCare will send you a notification via email and Slack like this one:

From this email, click on the link that says, “MalCare Dashboard”. That will take you to the list of sites protected by MalCare.

Click on the site that you want to clean up. You’ll see the site dashboard screen:

See the bright, red, giant button that says, ‘Hacked’? That means that MalCare has detected malware on your site. Just underneath that warning, you should see a button that says, ‘Auto-Clean’.

Click that button.

And you’re done!

In case you’re using other popular anti-malware plugins, and you’ve already tried using your security plugin’s recommendations…

You’ve realized that they didn’t really solve the problem.

That’s OK. You can use MalCare to clean your site now.

Setting up MalCare takes literally less than a minute. Or, you can try cleaning your site manually. Your call!

Pro Tip: Alternatively, you can also hire a WordPress management agency that offers WordPress security services as well.

Cleaning the WP-VCD.PHP Malware From Your Site Manually

This one’s tricky.

We won’t lie to you – this is something that even we dread.

Malware like wp-vcd.php can keep mutating and there are so many different variations of the same code that it’s not even funny.

That said, there are some basic things that you can try.

Looking for Malicious Code in Common Files and Folders

Hackers keep finding new ways to hide malicious code. This makes it really difficult to find infected files even for trained professionals.

Well, no one ever accused hackers of being an unimaginative bunch.

But there are some basic places where you can start your search:

  • wp-includes/wp-vcd.php
  • wp-includes/wp-tmp.php
  • wp-content/themes/*/functions.php (all installed themes, active and inactive)
  • class.wp.php
  • code1.php
  • class.theme-modules.php (inside the theme folder)

If this doesn’t work out, keep reading.

Looking for Malicious String Patterns

Most malware uses some common bits of code called string patterns.

You can search for these patterns to narrow down your search.

CAUTION: Do NOT attempt this unless you understand PHP deeply. Many of these strings could be part of regular code. Deleting something based just on this list could break your site.

But here goes nothing:

  • tmpcontentx
  • function wp_temp_setupx
  • wp-tmp.php
  • derna.top/code.php
  • stripos($tmpcontent, $wp_auth_key)

If these two ideas didn’t work, we have some even more advanced ideas that you can try.

Checking the functions.php File

One of the most popular targets for the WP-VCD.PHP malware is the functions.php file.

So, take a quick look at that file too.

Look for something similar to this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php'))
include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This code tries to find and execute malicious scripts hidden in the hacked theme or plugin. In this instance, it calls a script inside the hacked theme.
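The three manual checks above (the common drop-point file names, the string patterns, and the functions.php include) can be run in one pass instead of by hand. The script below is an added example, not code from the article or from MalCare: it walks a WordPress root, flags any .php file whose name is on the article’s list, and reports every file containing one of the article’s indicator strings. The mini site it scans is constructed inside a temporary directory purely to demonstrate the output; the stub contents of the "infected" files are placeholders, not real malware.

```python
import os
import tempfile

# File names the article lists as typical wp-vcd drop points. Their presence
# anywhere under the WordPress root is reported regardless of content.
SUSPECT_FILENAMES = {
    "wp-vcd.php",
    "wp-tmp.php",
    "class.wp.php",
    "code1.php",
    "class.theme-modules.php",
}

# String patterns the article lists, plus the functions.php include it shows.
# They are matched as plain substrings, not regular expressions, so the '$'
# and parentheses in the stripos() entry are taken literally.
INDICATOR_STRINGS = [
    "tmpcontentx",
    "function wp_temp_setupx",
    "wp-tmp.php",
    "derna.top/code.php",
    "stripos($tmpcontent, $wp_auth_key)",
    "class.theme-modules.php",
]


def find_indicators(text):
    """Return the indicator strings present in a file's contents, in list order."""
    return [needle for needle in INDICATOR_STRINGS if needle in text]


def scan_wordpress_root(root):
    """Walk a WordPress install and return sorted (relative_path, reason) findings.

    Two checks are made per .php file: is its name one of the known drop-point
    names, and does its content contain any indicator string. Only .php files
    are read, which keeps the walk cheap on a large uploads folder. A hit is a
    lead for manual review, not proof of infection (see the article's caution).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in SUSPECT_FILENAMES:
                findings.append((rel, "suspect file name"))
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                for hit in find_indicators(fh.read()):
                    findings.append((rel, "contains " + hit))
    return sorted(findings)


def build_sample_site(base):
    """Create a constructed mini WordPress tree for the demo; returns its root."""
    root = os.path.join(base, "public_html")
    files = {
        # clean core file: nothing to report
        "wp-includes/version.php": "<?php\n$wp_version = '5.5';\n",
        # placeholder standing in for a dropped wp-includes/wp-tmp.php
        "wp-includes/wp-tmp.php": "<?php\nfunction wp_temp_setupx($x) { /* constructed stub */ }\n",
        # clean theme
        "wp-content/themes/clean-theme/functions.php": "<?php\nadd_theme_support('title-tag');\n",
        # theme whose functions.php carries the include line the article shows
        "wp-content/themes/nulled-theme/functions.php": (
            "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php'))\n"
            "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"
        ),
        "wp-content/themes/nulled-theme/class.theme-modules.php": "<?php\n// constructed placeholder\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo_scan():
    """Build the constructed sample site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress_root(build_sample_site(tmp))


if __name__ == "__main__":
    for rel, reason in demo_scan():
        print(f"{rel}: {reason}")
```

Point scan_wordpress_root() at a copy of your site downloaded over SFTP rather than at the live document root, and treat each line of output as something to open and read, not something to delete: as the article warns, strings like wp-tmp.php can appear in legitimate code, and the only file this script removes is nothing.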

Again, this is agonizingly difficult to find at the best of times.

So, we have one last tip for you.

Run a Diffchecker Against WordPress Core Files

A diffchecker is a program that checks two pieces of code and spots the differences between the two.

Here’s what you can do:

  1. Download the original WordPress core files from the GitHub repository.
  2. Download the files from your server using cPanel.
  3. Run a diffchecker between the two files.

This is a really time-consuming process. You’ll have to go through each file – one at a time.
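Comparing files one at a time in a diffchecker does not scale to the thousands of files in WordPress core. The script below is an added example, not code from the article or from MalCare: it hashes a pristine reference copy (the download from step 1) and the server copy (step 2), then reports core files that were modified, core files that are missing, and files under wp-admin/ or wp-includes/ that exist on the server but not in the reference, which is exactly where wp-vcd drops wp-vcd.php and wp-tmp.php. Both trees here are constructed in a temporary directory for the demo; the file contents are stand-ins, not real WordPress code.

```python
import hashlib
import os
import tempfile

# Directories a core manifest describes completely. wp-content holds your own
# themes and plugins, which no core reference can vouch for, so it is left to
# the indicator scan rather than the integrity comparison.
CORE_PREFIXES = ("wp-admin/", "wp-includes/")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every file under root."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_of(full)
    return hashes


def compare_to_manifest(server_hashes, manifest):
    """Classify server files against a reference manifest of path -> hash.

    modified: in the manifest, present on the server, hash differs
    missing:  in the manifest, absent from the server
    added:    under wp-admin/ or wp-includes/ but not in the manifest
    Root-level files absent from the manifest (wp-config.php, .htaccess) are
    site-specific and deliberately ignored.
    """
    modified = [p for p, h in manifest.items() if p in server_hashes and server_hashes[p] != h]
    missing = [p for p in manifest if p not in server_hashes]
    added = [p for p in server_hashes if p not in manifest and p.startswith(CORE_PREFIXES)]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def build_sample(base):
    """Construct a pristine reference tree and a tampered server tree; return both roots."""
    pristine = {
        "wp-settings.php": "<?php\n// constructed stand-in for the real file\n",
        "wp-includes/version.php": "<?php\n$wp_version = '5.5';\n",
        "wp-includes/functions.php": "<?php\n// constructed stand-in\n",
        "wp-admin/admin.php": "<?php\n// constructed stand-in\n",
    }
    tampered = dict(pristine)
    tampered["wp-includes/functions.php"] += "// constructed modification\n"   # core file edited
    tampered["wp-includes/wp-vcd.php"] = "<?php\n// constructed placeholder\n"  # dropped file
    del tampered["wp-admin/admin.php"]                                          # core file deleted
    tampered["wp-config.php"] = "<?php\n// site-specific, never in a manifest\n"

    roots = []
    for label, tree in (("reference", pristine), ("server", tampered)):
        root = os.path.join(base, label)
        for rel, content in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        roots.append(root)
    return roots[0], roots[1]


def demo_compare():
    """Hash the constructed reference copy as the manifest and compare the server copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref_root, server_root = build_sample(tmp)
        return compare_to_manifest(hash_tree(server_root), hash_tree(ref_root))


if __name__ == "__main__":
    for kind, paths in demo_compare().items():
        for p in paths:
            print(f"{kind}: {p}")
```

For real installs you do not have to build the reference tree yourself: WordPress.org publishes per-version MD5 checksums for core at api.wordpress.org/core/checksums/1.0/?version=…&locale=…, and WP-CLI’s wp core verify-checksums performs this same comparison against them. Whichever manifest you use, the files it reports as modified or added are the ones worth opening in a diffchecker; everything that matches can be skipped.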

If this seems too technical or sounds like it’s too much work, we recommend using MalCare. It’s a quick, easy, and affordable fix.

How Hackers Make Money Using WP-VCD.PHP

If you’re still wondering if it’s even worth removing the malware…

You’ll want to read this.

Short answer: You want to clean your site right now.

The way malware like this works is that the fork bomb that keeps overloading your server is a misdirect. The real threat is entirely different.

WP-VCD.PHP is dangerous because it creates an admin account on your site for the hacker.

Once that user is set up, your site is now part of the hacker’s network.

In other words: the hacker now has full control of your site.

They are now making money by:

  • Stealing your traffic and redirecting it to porn sites that pay them for each visit
  • Selling financial data from your site to anyone who will buy it
  • Using your site to spread the malware to more targets

If your website forms a significant part of your brand’s identity or revenue, you need to clean up your site right now.

How Your Site Got Infected in the First Place

There are 3 ways in which your site can get infected with wp-vcd.php malware:

Nulled Themes and Plugins

People! Stop using nulled themes and plugins.

No, really. 

Nulled WordPress software is the number one way to get hacked. Most of the instances we see of the wp-vcd.php malware are from nulled themes and plugins.

Nulled WordPress themes and plugins have snippets of WP-VCD.PHP because it’s the perfect trojan.

What can you do?

WordPress has millions of free alternatives for each plugin and there are millions of free themes as well. Just use one of those instead of a nulled plugin.

Outdated Themes and Plugins

Outdated themes and plugins have known vulnerabilities that hackers can exploit.

So, just take a minute and update your themes and plugins.

And if you’re not using some plugin or theme, then just delete them.

It’s a lot safer that way.

NOTE: Updating the plugin or theme does not remove the infection. It’s just a preventive measure.

Lack of Security Measures

Using even the most basic security measures, like having a malware scanner and cleaner installed, can protect you from a lot of problems.

But the truth is that a vast majority of WordPress users don’t even use any security plugin.

For a pro hacker, it’s like shooting fish in a barrel.

In all likelihood, that’s why your site got infected.

How Can You Protect Your Site from Getting Reinfected?

This is the grand finale, people.

Once you’ve cleaned up your site, you need to take measures to stop hackers from infecting your site with WP-VCD.PHP again.

Take a look at some basic protective measures:

  • Remove any unknown admin users from your site
  • Stop using nulled themes and plugins and swap out for free alternatives
  • Always keep your themes and plugins updated

If you’re not sure how to get that done, you can always install MalCare. It’ll make your life just that much easier.

Well, that’s it for this one. Hopefully, this helped.

If you have any questions, feel free to hit us up on Twitter.

Until next time!

The WP-VCD malware creates backdoors in WordPress sites by modifying the core WordPress files.