How to remove WP-VCD.php malware from your WordPress site



How to remove WP-VCD.php malware from your WordPress site? If spam ads on your WordPress site redirect to a spam site, your first instinct may be to blame your advertising partner. However, there is a chance that wp-vcd malware is installed on your website instead. wp-vcd.php malware comes in many forms, and every one of them is equally difficult to remove. Many WordPress admins have tried to remove the bad code directly from the theme files and core folders, only to see it all reappear when reloading the website. Understandably, this is a frustrating experience, especially if you're concerned that your visitors will see spam ads that don't represent your site at all.

The wp-vcd malware has had the dubious distinction of being the most prevalent malware in WordPress in recent years, so much has been written about it. In this article, I will show you the ultimate way to diagnose an infection, get rid of it, and most importantly, make sure it is gone for good.

In short: this malware spreads very quickly throughout your website, and if you tried to remove it manually, chances are you noticed that it reappeared almost immediately. To permanently remove malware, you need to remove each instance of it and remove the backdoor. Since this is an urgent task, a security plugin is the most reliable and effective way to restore your website without malware.


What is wp-vcd.php malware?

The wp-vcd malware is a self-replicating malware that infects WordPress websites to direct traffic to spam or scam websites. Symptoms can vary greatly, but most hacked WordPress websites show spam ad pop-ups to visitors. We will look at the symptoms together in more detail in the next section. First, let's take a closer look at what this malware is.

How the wp-vcd malware got into your site

You might be wondering how the malware got onto your site in the first place. The most common way for a WordPress site to be infected with wp-vcd malware is through a nulled theme or plugin. In fact, Wordfence likes to refer to this malware as "malware that you installed on your own site."

Of course, this is a simplification, as most sweeping statements are. However, there is some truth in it. Nulled themes and plugins are responsible for many of the hacks seen in recent years, because they come loaded with malware or backdoors, and sometimes both. Wp-vcd.php is a prime example. That said, mistakes happen, sometimes on the part of the people who built the site and handed it over to you. Now is not the time to assign blame. The priority is to get rid of the malware as quickly as possible.

A word of caution here: if you have a lot of websites on shared hosting, you can reasonably expect those sites to get hacked as well. Wp-vcd is a common malware that replicates at an alarming rate.

How wp-vcd malware works

As I said earlier, wp-vcd.php malware usually enters your site through an infected theme or plugin. From there it infects all other installed plugins and themes, and then proceeds to infect the core WordPress files and create a folder of its own.

The result of this rapid spread across your website is that malware is almost everywhere on your website, and cleanup has already become exponentially difficult. The situation is further complicated and exacerbated if more than one website is installed on the same hosting control panel. In this case, you will see that other sites will also be hacked.

If you tried to clean up the theme files or even deleted the wp-vcd file before proceeding to this article, you may have noticed that the site gets infected again after a while. Many people find that malware returns as soon as the site is reloaded. This is because it hasn't been fully cleaned up and the existing code just regenerates any malware you removed.

The malware has a built-in backdoor that reloads the malware every time, so re-infection happens almost instantly.

What the wp-vcd malware does

The purpose of this malware is to redirect traffic to spam websites through black hat SEO tactics or spam ads, a phenomenon known as malvertising (malicious advertising). In addition, by directing traffic to a spam site using ads, the malware also earns ad revenue for its operators. This is actually a vicious circle, as the targeted websites usually distribute malware in their products too.
In addition to malicious ads, the wp-vcd.php virus does other unpleasant things to your site:

  • Creates fake administrator profiles;
  • Inserts spam links to your site;
  • Sometimes it can also cause redirects, although not for all traffic.

More than anything, website owners and administrators are worried about the impact these terrible ads have on their brands. You can imagine that viewing pornographic or illegal advertising content creates an unpleasant experience for visitors. No administrator wants their brand and website to be subjected to such attacks.

What are the symptoms of my site being infected with wp-vcd malware?

The wp-vcd.php malware is designed to boost the SEO or ad revenue of a spam site. The malware does this by inserting spam links or pop-up ads, respectively.

If you suspect that your website is infected with wp-vcd, here are some of the symptoms you may see:

  • Spam pop-ups. Websites may display spam pop-ups that appear all the time or from time to time. In some cases, ads will only be displayed to unregistered users. Ads can be hidden from administrators using cookies. In some cases, only visitors from certain search engines will see ads, or only a certain percentage of them will see them. As a result, the ad will force visitors to visit the spam site. In a way, it's like a WordPress redirect hack.
  • Website is slowing down: You will see a noticeable decrease in site speed and performance.
  • Analytics take a hit: If spam ads are redirecting visitors away from your site, you will see an increase in your bounce rate.
  • Google blacklist: Eventually, Google will detect the malware while indexing your website and blacklist it. Either your visitors will see a warning about a deceptive site, or the site will be flagged as hacked in search results.
  • Google Ads account suspended: Similar to the Google blacklist, if you have a Google Ads account, it may be suspended because of misleading content. In addition, your ads may be disapproved because malware was detected. Google works very hard to keep its users safe, so it takes malware very seriously.

WordPress hacks can manifest themselves in many different ways, which is one of the reasons why it's so hard to tell if a website has been hacked or not. If you do not see any of the above symptoms, this does not guarantee that your site does not contain malware. It just means you haven't seen it yet.

How to diagnose wp-vcd.php virus infection on your website

The problem with wp-vcd malware — and indeed with any other malware — is that diagnosing an infection can be almost as frustrating as eliminating it. Many people describe a set of symptoms that are sporadic and intermittent, causing many of them to doubt themselves. The only sure way to know if your site has been hacked is to scan it.
There are several ways to check your site for malware. I'll list them below in order from most to least effective.

1. Deep-scan your WordPress site

Scan your website with the free MalCare malware scanner. All you have to do is install MalCare on your site and sync it with their servers. Scanning is fast and takes less than 5 minutes. You will have a definitive answer as to whether your site is hacked.


I recommend MalCare because it deep-scans your site: all core WordPress files, plugin and theme folders, and your database. Because wp-vcd malware is so prolific, it can be found anywhere on a website. Many other scanners cannot find every instance of the malware, and in the case of wp-vcd.php this is a big drawback. Also, wp-vcd has several variants that have evolved over the past few years so that they no longer resemble the original code. Therefore, it is important to use a thorough scanner to be sure.

2. Scan your site with an online security scanner

In most cases, I would say that using an online security scanner is a good first step towards diagnosing a breach. However, in the case of wp-vcd malicious code, the online security scanner is practically useless.

The malware resides in the files and folders of themes and plugins and over time replicates into the core WordPress folders. These files are not visible to an online security scanner and therefore cannot be scanned for malware. This may seem like a downside of online security scanners, but it's actually a good thing: because they are not installed on your website, they can only scan publicly visible code. You don't want your site's core code to be public.

3. Scan for malware manually

It is theoretically possible to manually scan your site and look for instances of wp-vcd malicious code in the files. With wp-vcd malware, you are likely to find it in many places on your website, so manually scanning your website will confirm its presence.

Keep in mind that you are only checking to see whether your site has been hacked. So if you find malicious .php code, it does not mean that this is the only place it exists on your site. It is much more likely that the malware is actually in multiple locations.

Where is wp-vcd.php malware located on your site

Of course, the malware runs from an installed theme or plugin. In a theme, you will see the malicious code in the functions.php file.

To demonstrate, I downloaded a theme from a nulled theme website and opened its functions.php file to highlight the malware.

(Screenshot: the nulled themes website)

(Screenshot: theme files)

If you look closely at the code, it refers to another file, class.theme-modules.php.

(Screenshot: wp-vcd.php malware in the functions.php file)

This file is also found among the theme files and contains the complete malware code.

(Screenshot: malicious file in the nulled theme)

It then copies itself to other themes and plugins, as I said before. Once malware has infected most of your website, removing it manually becomes fiendishly difficult. And this distribution happens almost instantly.

After the plugins and themes, the malware will add code to the post.php file and automatically create a wp-vcd.php file and a class.wp.php file in the wp-includes folder. As you can see, these are the core WordPress files and this is where things get really serious.

What malware looks like

To simplify the information in this article, I only refer to the malware as wp-vcd malware. It's time to note that malware comes in many forms, such as wp-feed.php and wp-tmp.php. Bad code will reflect those filenames appropriately, but malware is essentially the same.

This is the code that might appear at the top of a theme or plugin's functions.php file:

(Screenshot: code at the top of an infected functions.php file)

Wp-vcd.php malware can appear as separate files or as code inserted into important files, quite often as a mixture of both. Here is the code from the file that runs the cron job to automate part of the malware:

(Screenshot: wp-vcd.php malware)

Another piece of malware that creates files in the wp-includes folder:

(Screenshot: malicious program that creates files in the wp-includes folder)

Earlier in 2021, security researchers discussed the existence of newer malware variants such as ccode.php or cplugin.php. These variants introduced an invisible, fake plugin into the website.

All this suggests that the malicious code can look very different on different websites. Any advice claiming you can get rid of 100% of the malware by "just doing this and that" is completely unreliable. Rest assured, your site will be re-infected almost immediately, if not instantly. Manual removal is a tedious process that can easily fail.

4. Other diagnostics

Scanning your website with a security plug-in is the ultimate way to determine if your website has malware. However, there are a few other options you can try:

  • Check the Google Search Console for notifications under the "Security Issues" tab.
  • Check Yandex webmaster for warnings, tab "Security and violations".
  • Use the browser in incognito mode to visit your website and see if you are shown any annoying ads.
  • Google your website to check the search results and try to navigate to your website from the SERPs.

If any diagnostic shows that your site has been hacked, you need to act quickly. Malware spreads quickly and will cause you significant damage if left unchecked.

How to remove wp-vcd malware infection

Now that we have established that your website has wp-vcd malware, we need to focus on getting rid of it. There are 2 ways to remove wp-vcd malware from your website:

  1. Use a security plugin [RECOMMENDED].
  2. Remove malware manually.

Before continuing, I should note that these options are NOT equally effective. As I mentioned earlier, wp-vcd malware is often self-replicating and can appear in a wide variety of places on your website. The manual method is sure to leave some malware behind, and you'll be back to square one once your site is re-infected.

I highly recommend using a security plugin because in just a few minutes the malware will be gone.

1. Remove wp-vcd hack with WordPress security plugin [RECOMMENDED]

The best and easiest way to get rid of wp-vcd malware from your WordPress site is to use MalCare. It is the best in class WordPress security plugin for WordPress websites and is trusted by the biggest names in the industry.

MalCare protects over 10,000 websites from hackers and malware daily and has a sophisticated automatic cleaning system that surgically removes malware from your website. Your website will be free of malware in minutes, and all your data will be completely safe.

To remove the wp-vcd WordPress malware from your website, all you have to do is:

  1. Install MalCare on your WordPress site;
  2. Synchronize your site with MalCare servers and run a scan;
  3. Once the results are in, click on automatic cleanup to remove the malware.

That's all! The cleanup completes after a few minutes and all instances of malware are gone.

Why MalCare?

This is one of the best WordPress security plugins currently available for WordPress websites. There are several reasons for this:

  • Removes only malware from your website, keeping your code, settings and data completely intact and free of malware.
  • The scanner also detects vulnerabilities and backdoors, in addition to malware, so you can eliminate these security loopholes.
  • The built-in firewall protects your site from malicious bots.

On top of everything I just mentioned, MalCare actively secures your site. This security plugin is installed on more than 100,000 websites and learns about threats from each of them. So when you add your website, you benefit from all that combined security knowledge—before it becomes a problem.

2. Remove wp-vcd malware manually

I would like to emphasize that this is an inefficient way to clean up malware. I strongly advise against digging into the code of your site. Changing the code without understanding what you are doing can significantly affect your site and break it. Recovery is then a big and often costly problem.

I give a lot of warning before sharing cleanup steps because I've seen manual cleanup lead to horrendous bugs.

Steps to remove wp-vcd malware from your website

1. Back up your site

I always recommend backing up your site, even if it's hacked. Your website is currently running, albeit with malware. If something goes wrong during the cleanup process, you can restore your backup.

2. Download the WordPress core, plugins and themes from the repository

Make a list of the versions of WordPress currently on your website, as well as legitimate plugins and themes. Download their fresh installations from the WordPress repository. They come in handy when trying to find malware in files. You can use the online diff checker to highlight the differences in the code and then identify the malware accordingly.

3. Remove all nulled software

If you have nulled plugins and themes installed, you need to get rid of them. Nulled software is riddled with malicious scripts and is known to be the main source of wp-vcd malware. On top of that, the premium software is created and maintained by developers who dedicate their time and resources to building secure WordPress software. It is unfair to them to use their work without compensation.

4. Clean up core WordPress files and folders

By now, you already know how to access your site's files. Whether you are working on a downloaded copy of the website or using a file manager on the host, you'll first need to completely replace the /wp-admin and /wp-includes folders.

The next thing to do is check the following files for wp-vcd malware instances: index.php, wp-config.php, wp-settings.php, wp-load.php and .htaccess. The malware is known to infect the wp-config.php file, so be especially vigilant with it. Search for the following signatures: wp-tmp, wp-feed and wp_vcd.
Finally, the /wp-uploads folder should contain no PHP files at all. Delete any PHP files you find there. This is not typical for wp-vcd malware, but by the time you read this article, things may have changed. This is how fast malware can evolve in the wild.

5. Clean out the /wp-content folder

The /wp-content folder contains all your plugins and themes. Compare your installed versions with fresh installations obtained from the WordPress repository. This will help you narrow down your malware search because then all you have to do is analyze the differences. For example, there may be additional files or distortions in the actual code.

It is important to note here that not all differences are necessarily bad. Your own customizations show up as differences, just as malware snippets do. Be careful when deleting code and check your website periodically to make sure it's still working. The wp-vcd malware in nulled themes usually appears in the functions.php file and then spreads from there.

Note: Don't forget to clean up both parent and child themes where applicable. Cleaning just one or the other will lead to re-infection.

6. Clean up your website database

While wp-vcd is usually found in your website files, there may be other pieces of malware in the database as well. Check the wp_options table for options you don't recognize, and check the posts table for spam links that may have been added to your site.

7. Remove backdoors

Even if you get rid of the plugin or theme that caused the infection, this does not guarantee that the malware will be removed, as it may have already spread to the rest of the website. A nulled plugin or theme is just a starting point.

Wp-vcd is notorious for leaving behind backdoors and frustrating all manual cleanup attempts. For example, malware appears instantly when a site reloads. It's because of the backdoors.

Backdoors, like the malware itself, can be anywhere. Look for calls to these functions:

eval, base64_decode, gzinflate, preg_replace and str_rot13.

These functions can be used to execute code supplied from outside the website, which is how backdoors work. Having said that, they are not all bad; many legitimate plugins use them. So check the usage of each instance carefully before deleting it.

8. Remove all additional admin users

One of the features of this malware is to add a ghost administrator to your website. Review the list of administrator users and remove any suspicious ones.

9. Repeat this process with subdomains and shared hosting sites

If you have multiple WordPress installations on your domain, or if you have multiple websites on a shared hosting account, be sure to clear all websites. Wp-vcd is notorious for infecting other installations very quickly.

10. Clear WordPress and Browser Cache

Caches store a copy of your website to improve loading and performance. Once you've cleared your website of malware, be sure to clear your caches to remove older versions.

11. Use a security scanner to confirm

This is the finishing line of the cleaning process. All that remains is final confirmation that the malware has indeed been removed.

One of the most annoying features of wp-vcd malware is its almost instantaneous appearance after being cleaned. It can recover from a single instance of forgotten or missed malicious code in any file or folder. In order not to be disappointed when you see that all your efforts are wasted, be sure to re-scan your website.
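The manual checks in steps 4, 5 and 7 above (PHP files where none belong, the wp-vcd signatures, calls to the functions backdoors abuse, and diffing against a clean copy from the repository) can be automated for triage. The script below is an added example, not code from this article or from MalCare; it scans a WordPress-like tree that it constructs in a temporary directory, and the "injected" lines are harmless comment markers standing in for real malware.

```python
"""Triage helper for a suspected wp-vcd infection.

Added example, not code from the original article or from any security
vendor. It automates the manual checks from steps 4, 5 and 7 above: flag
PHP files in the uploads folder, search for the wp-vcd signatures, search
for functions commonly abused by PHP backdoors, and diff an installed file
against a clean copy from the WordPress repository.
"""
import difflib
import re
import tempfile
from pathlib import Path

# Signatures named in step 4, plus the helper file name shown in the theme.
SIGNATURES = ("wp-tmp", "wp-feed", "wp_vcd", "wp-vcd", "class.theme-modules")
# Functions named in step 7. Legitimate code uses them too (preg_replace in
# particular), so every hit is a review item, not something to delete blindly.
BACKDOOR_FUNCS = ("eval", "base64_decode", "gzinflate", "preg_replace", "str_rot13")
FUNC_RE = re.compile(r"\b(" + "|".join(BACKDOOR_FUNCS) + r")\s*\(")


def scan_tree(root):
    """Return {relative_path: [findings]} for every PHP file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        findings = []
        if rel.startswith("wp-content/uploads/"):
            findings.append("php file inside uploads")  # step 4: none belong there
        text = path.read_text(errors="replace")
        for sig in SIGNATURES:
            if sig in text:
                findings.append("signature:" + sig)
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in FUNC_RE.finditer(line):
                findings.append(f"{match.group(1)}() at line {lineno}")
        if findings:
            report[rel] = findings
    return report


def added_lines(clean_file, suspect_file):
    """Step 5: lines in the installed file that the clean copy lacks."""
    clean = Path(clean_file).read_text(errors="replace").splitlines()
    suspect = Path(suspect_file).read_text(errors="replace").splitlines()
    return [d[2:] for d in difflib.ndiff(clean, suspect) if d.startswith("+ ")]


CLEAN_FUNCTIONS = "<?php\nadd_action('init', 'demo_theme_setup');\n"
# Constructed stand-in for an injected block: two comment lines that trigger
# the checks above and execute nothing.
INJECTED = "// constructed sample: wp-tmp marker\n// sample: eval(str_rot13($x));\n"


def build_sample_site():
    """Construct a clean reference tree and an 'installed' tree in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wpvcd_demo_"))
    clean, site = base / "clean", base / "site"
    for tree in (clean, site):
        (tree / "wp-content/themes/demo").mkdir(parents=True)
        (tree / "wp-content/plugins/hello").mkdir(parents=True)
        (tree / "wp-content/plugins/hello/hello.php").write_text("<?php\n// fine\n")
    (clean / "wp-content/themes/demo/functions.php").write_text(CLEAN_FUNCTIONS)
    (site / "wp-content/themes/demo/functions.php").write_text(
        CLEAN_FUNCTIONS.replace("<?php\n", "<?php\n" + INJECTED))
    (site / "wp-content/uploads/2021").mkdir(parents=True)
    (site / "wp-content/uploads/2021/image.php").write_text("<?php\n")
    return clean, site


if __name__ == "__main__":
    clean_dir, site_dir = build_sample_site()
    for rel, found in scan_tree(site_dir).items():
        print(rel, "->", ", ".join(found))
    theme = "wp-content/themes/demo/functions.php"
    print(added_lines(clean_dir / theme, site_dir / theme))
```

On a real site, point scan_tree at the document root and added_lines at an installed file and its freshly downloaded counterpart; every hit is a candidate for review, not an automatic deletion.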


Why manual cleaning often fails

Even though I have outlined the cleanup steps above, I strongly recommend that you do not perform a manual cleanup. Only WordPress experts should attempt manual cleanup, and let's face it, you wouldn't need this guide if you were a WordPress expert.

Here are just a few of the things that can go wrong with manual cleaning:

  • The wp-vcd malware is rapidly spreading throughout the site. It can end up in unexpected places and therefore becomes difficult to find.
  • Removing the nulled theme or plugin that caused the hack is not enough, because the malware has already spread. The same goes for deactivating themes and plugins.
  • In addition to removing all instances of malware, you must also remove all backdoors to prevent re-infection.

The biggest reason manual cleanup fails is due to inept deletion. To be able to distinguish between malware and good code, you need to understand the coding logic. This includes understanding the code itself, what it does, and how it interacts with other code.

How to prevent wp-vcd malware from re-infecting your site

The malware is gone and it's time to take some precautions. Wp-vcd is a particularly stubborn malware that can re-infect a website in the blink of an eye. So, here are a few things to do to keep your site safe and free from malware:

  • Never use nulled software, no matter how attractive the immediate cost savings may seem. In the long run, you end up paying much more in damage and lost income.
  • Install a security plugin that will scan, clean and protect your site. However, keep in mind that even the best security plugin cannot protect against malware that you yourself install on your site.
  • Check administrator users regularly; in fact, check all users regularly and apply a least-privilege account policy.
  • Check the access permissions on important files.
  • Set up a password policy and require all users to set strong passwords for their accounts.

You can also harden WordPress, which includes measures such as adding two-factor authentication and preventing PHP from executing in certain folders.

What is the impact of Wp-vcd malware attack on your website

wp-vcd malware may not be immediately apparent to a logged in administrator, but your visitors may potentially see illegal drugs, gray market products, or potentially obscene content in the form of ads. You don't need me to tell you this is bad news.

Here are some of the consequences of the wp-vcd.php malware attack that I have seen on websites:

  • Loss of trust from visitors, and therefore loss of income.
  • Google blacklist.
  • Security issues in Google Search Console.
  • SEO ranking drops due to Google blacklisting.
  • The site is blocked by the web host.
  • Legal issues from disgruntled users.
  • Security violations in Yandex.Webmaster.

And much more. In short, all malware is bad and has dire consequences for anyone but the hacker. Since your site is not intended for hackers, take the hack seriously and remove it as soon as possible.

Conclusion

The best way to scan, clean and protect your site from hackers and their blatant malware is to install a security plugin. After all, the wp-vcd.php malware needs a strong security solution to get rid of it, and frankly, manual cleaning never helps.

Also, please do not install nulled software. Apart from literally stealing from the developers, it is a short-term saving that will be very costly in the long run. I hope you found this article helpful and now have a better understanding of wp-vcd malware.

FAQ

What is wp-includes/wp-vcd.php?

wp-includes/wp-vcd.php is a malicious file created by the wp-vcd malware and hidden in the main WordPress /wp-includes folder. This malicious file allows the malware to replicate itself in different parts of the WordPress website, so even after being cleaned, it often reappears.

The wp-vcd hack creates spam links on your website, creates fake admin users, and shows malicious pop-ups to redirect visitors to spam sites. If you see this file in the /wp-includes folder, your WordPress site has been hacked and you need to clean it up immediately.

What is wp-vcd.php?

wp-vcd.php is a very common malware that infects WordPress websites. Websites are usually infected by installing nulled themes or plugins. The wp-vcd.php virus starts in the nulled software and then spreads to the rest of the website as well as to other websites on the same shared hosting.

The wp-vcd malware creates spam links on an infected website, fake administrator users, or pops up spam ads to website visitors. This is done to drive traffic to spam sites or increase their ad revenue.

How to remove WordPress WP-VCD malware?

The most effective way to remove wp-vcd.php malware infection is to clean up your WordPress site with a security plugin. You can also remove the malware manually, but this is a complex and time-consuming process with a very low success rate.


Thanks for reading: SEO HELPER | NICOLA.TOP
