How to fix wp-feed.php and wp-tmp.php malware in WordPress?

Listen to this article

Your malware scanner warns you that "your site has been hacked', but you think he's okay? Are visitors complaining about spam ads on your WordPress site, but you don't see them? There is a good chance that your site has been hacked. Hackers find clever ways to hide their hacks from site owners so they go undetected and can continue to use the site for a long time. Wp-feed.php is one of the most cleverly camouflaged hacks out there..

Hidden from the site owners, it shows your visitors ads for illegal goods, drugs, and adult content. Even if you managed to find it, finding all the places where the infection has spread is not only difficult, but sometimes impossible. Removing the infection is difficult and difficult. If you still manage to remove it, in 8 out of 10 cases the infection reappears.

Bottom line: It is extremely difficult to remove the wp-feed.php infection from a WordPress website.

In this article you will learn:

• How wp-feed.php malware works and how it affects the site;
• How to remove it from your site;
• How to prevent re-infection in the future.

The content of the article:

• What is wp-feed.php and wp-tmp.php? (Causes, symptoms and reinfection)
• How to clean wp-feed.php from malware?
• Consequences of infecting wp-temp.php with malware
• How to protect your site from wp-feed.php malware in the future?
• What to do next?

What is wp-feed.php and wp-tmp.php? (Causes, symptoms and reinfection)

In a nutshell: WP-Feed is a type of malware that displays malicious ads on websites. The goal is for your visitors to click on ads and redirect them to a malicious website.

How did my site get infected?

The infection is usually caused by the use of nulled plugins or themes. The Nulled software is tempting to use because it offers you premium features for free. Many believe that zeroed software is distributed as an act of charity.

Usually this is far from the case. Software Nulled distributed in such a way that hackers can easily access your site.

• Zeroed plugins or themes are infested with malware. When you install a zero-value theme or plugin on your website, you are effectively opening the door for hackers to access your site.
• In addition to zeroed software, outdated plugins and themes can also be vulnerable. Hackers use these vulnerabilities to get into your site.
• They also use weak usernames and passwords such as "admin" And "p@ssword". Weak credentials are easy to guess. A hacker can guess your username and login and inject the wp-feed.php malware directly into your website.

Why do hackers infect websites with wp-feed.php?

The goal is to steal your visitors and make them buy fake services or products so that the hackers can generate income. What is really amazing is how they can often achieve this without a single hint to the site owner.

This brings us to the next question ⟹

Why is it difficult to notice the symptoms of this infection?

As soon as hackers gain access to your website, they inject two files (wp-feed.php and wp-tmp.php) to your folder wp-includes.
The wp-includes folder is part of your WordPress core. This is where the theme of your site resides. WP feed file starts infecting other WordPress files, especially functions.php, which is part of your active theme.

Thanks to function.php, hackers can display malicious pop-ups on your WordPress website.

However, the really devilish part is that the ads are only shown to new visitors and not regular visitors. The malware records visitors to your site so that ads are only shown to new visitors. This is the original way to prevent detection.

Therefore, you, as a regular visitor to your own site, will never notice any signs of hacking.

How to clean wp-feed.php from malware?

There are two ways to remove the infection. This is ⟹

1. Plugin usage (simple)
2. Do it manually (difficult)

Let's dive into each method.

1. Removing WP-Feed.php malware using a plugin (the easy way)

Some of you may already have a security plugin installed on your website. It is probably this plugin that warned you about malicious files − wp-includes/wp-feed.php And wp-includes/wp-tmp.php.

Most security plug-ins offer malware removal services, but very few can do it quickly and as effectively as for example. MalCare Security.

• MalCare will clean up your site in less than 60 seconds. You don't have to wait in line. You don't need to pass your website credentials to a third party plugin.
• Not only that, the plugin penetrates all nooks and crannies in search of hidden malware. It finds every malicious script present on your site.
• It uses unconventional methods to detect new and well-hidden malware. It carefully analyzes code behavior to detect malicious intent. It also helps ensure that good code doesn't get flagged as bad.
• He does it all within minutes.

Let's clean up the wp-feed.php infection with MalCare.

1.1 Install and activate MalCare Security on your WordPress website.

1.2 Select MalCare from the toolbar menu. Enter your email address and click "Protect site now".

1.3 On the next page you will be asked to enter your password and then enter your URL.

MalCare will immediately start crawling your site. The goal is to find every instance of malicious code present on your website. This means that it will not only detect the wp-feed.php and wp-tmp.php files, but also all malicious code that infects your WordPress files, including the instances hidden in the function.php file. You can be sure that the plugin will also find every backdoor present on your site to prevent re-infection.

⟹ If malicious scripts are detected, the plugin will notify you about it.
⟹ Next, you need to clean up your site.

1.4 To remove all traces of wp-feed.php from your website, all you have to do is click on the "Automatic Cleanup" button. MalCare will immediately begin cleaning up your site.

That's it guys. This is how you clean up your site with a plugin.

2. Remove WP-Feed.php malware manually (hard way)

Removing an infection manually is quite difficult because there are many moving parts in this type of infection.

• The hacker downloads two malicious files, wp-feed.php and wp-tmp.php. You need to remove them to get started. This is probably the only easy bit.
• The infection spreads to other WordPress files, including the function.php file. It is difficult, because no one will say where the infection has spread from.
  • It will take you several hours to find all the malicious code.
  • Malicious code is difficult to recognize because it is well disguised and looks like a normal piece of code.
  • Some known malicious code, such as "eval(base64_decode)", may be part of legitimate plugins. They are not used maliciously. Therefore, removing the code will affect your plugin and may even break your site.
  • There is a pretty good chance that you will miss code snippets that could lead to re-infection.

Therefore, manual removal is not entirely effective.

However, if you still want to do this, please make a full backup of your website. If you end up accidentally deleting something and breaking your site, you can quickly restore it back to normal.

Your website is free from infection, but it is far from safe. Hackers can still attack your site and try to infect it. You need to make sure that your site is protected from infection in the future. But before I get into that, let's take a look at the consequences of infecting wp-feed.php and wp-tmp.php.

Consequences of infecting wp-temp.php with malware

Needless to say, the presence of wp-feed.php and wp-tmp.php malware can be devastating to your site.
Websites infected with wp-temp.php often have the following consequences:

• You will notice a jump in your bounce rate and a reduction in the amount of time visitors spend on your site.
• Popups will make your site heavy and very slow.
• Nobody likes a slow website, so visitors are more likely to hit the back button before your pages have loaded in the browser. This will have a domino effect.
• Search engines will notice how quickly people leave your site. They will come to the conclusion that what you offer is not what users are looking for. Your search engine rankings will drop.
• This means that all the effort, time and money that you could have spent to rank higher in the SERPs is wasted.

• Hacked websites are blacklisted by Google and blocked by hosting providers. Also, if the hacked sites host Google ads, the adwords account will be banned. All this will lead to a further drop in traffic.
• Also, hacked websites need to be cleaned up, which can be costly if you don't use the right tools.

The good news is that you know your site has been hacked. Therefore, you can clean it up and stop further malicious impact on the site and users.

How to protect your site from wp-feed.php malware in the future?

Many of my readers may have tried to remove the wp-feed.php malware from their sites only to find that the malware keeps coming back.

This is because your site has a backdoor installed. Most backdoors are very well disguised, so much so that amateur developers can pass them off as legitimate code. In the previous section, I explained that hackers insert two files, wp-feed.php and wp-tmp.php, into your website code. The wp-tmp.php file acts as a backdoor. If you open the file, you will find a script that looks something like this:

$p = $QUERY$#91;”m”]; estimate(base64_decode($p));

The good news is that you can protect your site from future hacking attempts by taking the following steps:

1. Remove the zeroed software and stop using it

If you are using a null plugin or theme on your website, remove it immediately.

Hackers gained access to your site in the first place with the help of nulled software. No matter how well you clean up your site, if you don't remove the zeroed software, hackers will infiltrate your site and inject malware.

If you have given your users permission to install plugins and themes, make sure they never use zeroed software.

In fact, it's better to disable the installation of plugins and themes altogether using MalCare. All you have to do is log into the MalCare dashboard, select your website, click on "Apply Boost" and turn on Plugin/Theme Installation Blocker.

2. Strengthen the security of your site

You can prevent hackers from injecting malicious files like wp-feed.php into your WordPress folders by changing the file permissions.

File permissions are a set of rules that determine who has access to which files. You can prevent users from making changes to the wp-includes folder.

You can also prevent hackers from modifying your theme by disabling the file editor. This will prevent them from placing pop-up ads on your site. You can do it manually, but this is risky and not recommended.

If you already have MalCare installed on your site, all you have to do is click the button to disable the file editor.

3. Update your website

Like any other software, WordPress plugins and themes contain vulnerabilities. When developers become aware of this vulnerability, they quickly create a patch and release it as an update.

If there are any delays in implementing updates, it puts your site at risk. Hackers know how to exploit vulnerabilities. In fact, they are always looking for websites with vulnerabilities to use to gain access to the site and infect the site with malware. So never delay updates.

4. Ensure you use strong credentials

The easiest way to access your site is through the login page. The hacker just needs to successfully guess your user credentials. In fact, they are developing bots that can try hundreds of username/password combinations within minutes. If you or any of your teammates use easy-to-guess credentials like "admin" and "password123", it will take 2 seconds for bots to hack your site. This is called a brute force attack.

It is important to ensure that each user of your website uses unique usernames and strong passwords.

5. Use a firewall

Wouldn't it be great if you could prevent hackers from reaching your site altogether?

Firewall is exactly the tool you need. It examines the traffic that wants to access your site. If it detects that the traffic is coming from a malicious IP address, the firewall blocks the traffic immediately.

Thus, it filters out hackers and bots. Here are some of them:

• Wordfence;
• WP Security;
• Malcare.

What to do next?

I showed you how to clean up your site and make sure you never get hacked again.

A piece of advice that I think will save your site from a number of disasters is to back up your site regularly. Whether your website suddenly crashes or is out of order, a backup will help you quickly fix your site temporarily.

Reading this article:

• XSS attacks on WordPress: how to prevent them
• How to block an IP address in WordPress? (Prohibit spam and hacker attacks)

Thanks for reading: SEO HELPER | NICOLA.TOP