How to Detect and Remove WP-VCD Malware: A Step-by-Step Guide (and a Bonus Plugin!)

Sep 16, 2019

At any given time, more than 18 million websites are being infected with malware. From SEO spam to spam link injection to pharma hacks – securing your site against such hack attempts is absolutely necessary.

A WordPress Security plugin can not only scan and clean your site but also protect it from potential hacks and notify you of vulnerabilities. But first, you need to understand the kinds of malware out there, how it can affect your site and how to keep it at bay. Let’s look at a malware that has been raking up the news, the WP-VCD malware.

The WP-VCD malware creates backdoors in your WordPress site by modifying the core WordPress files and adding new files in the /wp-includes directory. As soon as the malware is injected, it secretly creates an admin with the username “100010010” on your WordPress dashboard. This gives it access to your website and it can then inject more malicious code to be misused later.

What are the causes of this WP-VCD hack?

Hackers are regularly on the lookout for potential exploits & vulnerabilities in the WordPress ecosystem. Once they identify a loophole, they immediately spring into action to inject malware on vulnerable sites. The common loopholes are:

    • Pirated WordPress themes: Pirated versions of premium WordPress themes (also called Nulled Themes) have been a favorite with hackers for spreading malware. They have now found a way to pre-install the wp-vcd malware onto them.
    • Lack of a Firewall on your WordPress site to block hack attempts.
    • Outdated WordPress plugins & themes are a common cause of hacks, as they are likely to contain vulnerabilities.

How does this affect your site?

When your site is infected, hackers usually use your server resources to carry out their malicious activities. This can slow down your website and all the other websites sharing the same server. Hosts therefore act quickly: if your host detects malware on your site, they will suspend it immediately. The other sites on the same server are at risk of getting infected too.

Furthermore, Google will blacklist your site to protect visitors from entering your malware-infected website.

Once the wp-vcd malware is inside your site, it enables the hacker to have complete control. They can silently create spam URLs on your website which are hard to detect. They can redirect your traffic, send spam emails, create a pop-up advertisement and a lot more.

Finally, this notorious malware creates an admin user and a backdoor, allowing hackers to keep access to your entire website indefinitely. Even if you find and delete the malicious code, you might see it reappear multiple times!

But wait, you don’t have to lose your sleep just yet. There are ways to find and remove this malware from your site. Let’s see how!

How to identify a WP-VCD malware infection?

Identifying this malware can be tedious as it gets quite technical. You can access your WordPress Core files by logging in to your hosting account and opening the file manager.

Identify this malware using these methods:

1. Check if a new WordPress Admin user with the username “100010010” has been added on your site without your knowledge.

2. Compare the Core Files of your website with the original WordPress version:

  • Step 1: Open the Core files (wp-admin and wp-includes) of your infected site.
  • Step 2: Download a fresh copy of the WordPress version used by your site and open its Core files.
  • Step 3: Compare the Core files of your site with those of the original WordPress version. Check if files like wp-vcd.php and wp-tmp.php have been injected into your site's core files.

3. Check if some pages on your website are being automatically redirected to unsolicited websites.

4. Do a Google search for your website brand name and observe if any SEO spam, such as Japanese search results or a Pharma attack, shows up in the search results.

5. Check if your hosting provider has suspended your WordPress account. In such a case, contact them to check if they've done so because of a wp-vcd malware attack, to protect other websites.

6. Check for unknown JavaScript code in your website source code:
Unknown JavaScript code points to a backdoor in your site. Identifying the unknown code in your source code requires technical expertise. It is better to get the help of an engineer.

Assuming your site is backed up and you have access to previous versions, here’s what you can do:

  • Step 1: Backup your hacked site and download it.
  • Step 2: Find a previous backup version of your site that is completely clean. Download it.
  • Step 3: Compare the wp-admin and wp-includes files of the two backup versions. Check for wp-vcd.php and wp-tmp.php files.

7. Use a WordPress firewall plugin to check for any changes made to your core files, specifically the wp-includes folder.

8. Your site's wp-includes folder (or subfolders) should ideally not have any PHP files. If you find any unusual PHP files, scan your website for malware using a malware scanner.

9. To cover all bases, check all your theme and plugin files stored in the wp-content folder. Compare the files to their original theme/plugin files (which can be downloaded from the WordPress Repository).
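One way to carry out the core-file comparison from methods 2 and 6 above (against a fresh WordPress download or a known-clean backup) together with the known-file check from method 8, as an added shell example that is not part of the original post and not MalCare's tooling. It assumes both trees are on the local filesystem and that the reference tree is an unpacked copy of the same WordPress version the site runs; the function names are the example's own. Because WordPress itself ships PHP files in wp-includes, the comparison reports only files that are absent from, or differ from, the reference tree, rather than every PHP file it finds.

```shell
#!/bin/sh
# wp_core_diff SITE_DIR REFERENCE_DIR
# Walks wp-admin/ and wp-includes/ of the site and reports
#   EXTRA    <path>  - file present in the site but not in the reference tree
#   MODIFIED <path>  - file present in both but with different contents
# REFERENCE_DIR is either a freshly downloaded copy of the same WordPress
# version or a known-clean backup of the site (assumption of this example).
wp_core_diff() {
    site="$1"
    reference="$2"
    for core_dir in wp-admin wp-includes; do
        # every regular file under the site's core directory, one per line
        find "$site/$core_dir" -type f | while IFS= read -r path; do
            rel="${path#"$site/"}"              # path relative to the site root
            if [ ! -e "$reference/$rel" ]; then
                printf '%-8s %s\n' EXTRA "$rel"
            elif ! cmp -s "$path" "$reference/$rel"; then
                printf '%-8s %s\n' MODIFIED "$rel"
            fi
        done
    done
}

# wp_find_known_files SITE_DIR
# Lists files anywhere under the site whose names match the file names this
# post associates with WP-VCD. Matching is case-insensitive, and the dotted
# "class.wp.php" does not match WordPress's own hyphenated class-wp.php.
wp_find_known_files() {
    find "$1" -type f \( -iname wp-vcd.php -o -iname wp-tmp.php \
        -o -iname class.theme-modules.php -o -iname class.wp.php \
        -o -iname admin.txt -o -iname codexc.txt -o -iname code1.php \)
}

# Stand-alone usage: sh wp_core_diff.sh /var/www/example /tmp/wordpress-clean
if [ "$#" -eq 2 ]; then
    wp_core_diff "$1" "$2"
    wp_find_known_files "$1"
fi
```

Every EXTRA or MODIFIED line deserves a look, but a MODIFIED version.php after a WordPress update is expected, so make sure the reference tree really is the same release before reading the output as a compromise. For the admin-user check in method 1, WP-CLI's `wp user list --role=administrator --fields=ID,user_login` lists the administrator accounts so that an unexpected “100010010” stands out.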

Recommended: All these methods can be time-consuming and risky for a non-expert. To make things simpler, use a WordPress Security Plugin like MalCare which scans your entire site in seconds and offers instant malware removal.

How to clean a WP-VCD malware infection?

Once you have identified the hack, you can work towards cleaning it. As this is now a known malware, researchers have identified multiple ways to clean the wp-vcd malware.

  1. Manual Clean-up: there are multiple ways in which you can clean the malware manually. We will guide you through a step-by-step process below. But be warned, it can get a little technical and you may break your site as it plays with core WordPress files.
  2. Automatic Cleanup using a WordPress malware removal plugin. If you want to get rid of the malware as soon as possible, then this is as simple as it gets.

Manual Removal of WP-VCD malware:

Pros & Cons of Manual Cleanups

Note: This method would need you to modify or delete some WordPress core files. This may affect the functionality of your website if not done correctly.

Follow these steps for cleaning the infection:

Step 1: Locate the infected files

We have already discussed the different ways to identify the infected files in the previous section. To quickly summarise:

    • Compare the Core files of your site with the files of the original WordPress version.
    • Compare the Core files of your site with those of a Previous Clean Version
    • Identify any unusual PHP files in the Core Files
    • Compare your themes and plugins files with their corresponding version in the theme/plugin directory
    • Identify any new files or any changes made in file contents

What files should you check for?

    • wp-vcd.php and wp-tmp.php in the wp-includes folder
    • functions.php across all themes in the wp-content/themes/* folder (including the ones that are not active)
    • class.theme-modules.php
    • class.wp.php (usually inside the main theme folder)
    • admin.txt
    • codexc.txt
    • code1.php

Step 2: Manually search for these string patterns, which are commonly found in infected files, and remove the injected code that contains them.

    • tmpcontentx
    • function wp_temp_setupx
    • wp-tmp.php
    • Code.php in the folder
    • stripos($tmpcontent, $wp_auth_key)
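The literal string indicators listed above can be located with grep before anything is removed. The following is an added shell example, not code from the post or from MalCare; it assumes the site's document root is a local directory and that the injected code sits in .php files. The strings are matched literally so that the parentheses and dollar signs in the last pattern are not interpreted as a regular expression, and each hit is reported as pattern and file so the match can be reviewed in context.

```shell
#!/bin/sh
# wp_grep_indicators SITE_DIR
# Prints "<pattern><TAB><file>" for every .php file under SITE_DIR that contains
# one of the string indicators from the list above. grep -F matches the strings
# literally; find restricts the search to PHP files so that documentation or
# logs that merely mention "wp-tmp.php" are not reported.
wp_grep_indicators() {
    site="$1"
    # one indicator per line, single-quoted so $tmpcontent is not expanded
    indicators='tmpcontentx
function wp_temp_setupx
wp-tmp.php
stripos($tmpcontent, $wp_auth_key)'
    printf '%s\n' "$indicators" | while IFS= read -r pat; do
        # -l prints only file names; "--" guards against patterns starting with "-"
        find "$site" -type f -name '*.php' -exec grep -lF -- "$pat" {} + 2>/dev/null \
            | while IFS= read -r hit; do
                printf '%s\t%s\n' "$pat" "$hit"
            done
    done
}

# Stand-alone usage: sh wp_grep_indicators.sh /var/www/example
if [ "$#" -eq 1 ]; then
    wp_grep_indicators "$1"
fi
```

Review each reported file with the surrounding lines (for example with `grep -nF`) rather than deleting on the file name alone, since a theme's functions.php normally also contains legitimate code that must be kept.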

Step 4: Delete the secret user “100010010” created by the malware.

Step 5: Delete all inactive themes and plugins

Even after you have carried out these steps, there might still be a backdoor to your site, and the hack could be back in no time. The manual method of cleaning doesn’t guarantee that your site is 100% hack-free.

Automatic Removal of WP-VCD malware using a WordPress Security Plugin:

Why Choose Automated Cleanups

Step 1: Use MalCare to find the malware

  1. Install and activate “MalCare” from the WordPress repository.
  2. Initiate a full website scan through the plugin to detect the wp-vcd and any other complex malware.
  3. MalCare will alert you on the dashboard and via email once the scan is complete. By then it will have detected all the places where this malware is injected.

Step 2: Clean the malware:

1. Click on the “Auto-Clean” option on the dashboard

2. Enter some basic site details

3. MalCare will clean your entire website and get rid of the WP-VCD malware attack present

4. Enable the MalCare firewall to ensure such hacks do not happen in the future. This will protect you against Brute Force Hack Attempts and give you a log of Traffic and Login Requests.

What to do after WP-VCD Malware Removal

Getting rid of the wp-vcd malware does not guarantee 100% protection. There are a few essential things you must do to prevent such backdoors on your website in the future.

Employ Basic Measures:

  1. Make sure you update your WordPress Core, Plugins and Themes. Outdated plugins are likely to have vulnerabilities that can be exploited to hack your site.
  2. Delete all unused WordPress themes or plugins (even if they have been disabled). You might have forgotten about them, meaning that they are not updated.
  3. Vow to never use Nulled themes on your website.

Clean your entire website:

  • Run a complete site scan to ensure your website is 100% free of all malware, not just the wp-vcd malware. A complete site scan would include your pages and database as well.

Keep your Website Protection ON:

  • Using a security plugin like MalCare, you can stay protected against not just the WP-VCD attack, but all sorts of hacks such as Brute Force, Pharma Hack, Hack Redirects, etc.

Regularly Monitor for hacks:

  • Install any one of the popular security plugins that not only run regular automatic malware scans but also keep track of file changes.

If you are looking for more ways to bulletproof your website, here’s a comprehensive WordPress security guide.

Final Thoughts

An infected website doesn’t stop at just affecting your wallet. It takes a toll on your emotional well-being as well. The entire process of getting the site cleaned is tedious and stressful. Whether you are a developer or a marketer or a blogger, it forces you to put aside your core work activities and spend time fixing the site.

And even though you may have cleaned the wp-vcd malware, you will need to ensure that your website remains protected in the future. Here’s what we suggest:

  1. Use an effective WordPress Security Plugin that monitors, alerts and protects your website round the clock.
  2. You should also have an efficient WordPress Backup Plugin in place to cover all bases.
  3. We also suggest taking appropriate site hardening measures to ensure that your website remains protected from common hack attacks.

Most important of all is that you get sleep! If malware has taken over your life, you need help.

We clean your site and protect it from future attacks.
Be Malware-Free with MalCare!
