WP-VCD Malware Attack and WP-VCD Malware Removal

Almost one in four websites you visit is powered by WordPress, making it the most popular CMS. However, the CMS has been struggling with one of the most prevalent malicious infections: the WP-VCD malware. This malware has had a higher infection rate than any other malware affecting WordPress since August 2019. In this post, we answer the following questions: what is WP-VCD malware, how do you detect WP-VCD on your websites, and what are the steps for WP-VCD malware removal.

What is WP-VCD Malware?

WP-VCD is a classic example of a URL injection. It creates spam URLs on the infected website and plants a backdoor that gives attackers access to it. Attackers get in by exploiting vulnerabilities in WordPress plugins and themes. You may find an administrator with the username “100010010” on your WordPress dashboard; the malware creates this user as soon as it is injected. The malware can inject further malicious code to be misused later. WP-VCD spreads through websites that offer downloads of ‘nulled’ (pirated) WordPress themes and plugins.

In the wake of the coronavirus pandemic, there are a lot of websites showing statistics about it. We have noticed that the malware has injected itself into the plugins these sites use. Hence the makers of the WP-VCD malware have the upper hand as of now. This shows how important WP-VCD malware removal is.

Symptoms of a WP-VCD Malware Attack

  1. Website slowing down due to high CPU usage
  2. Appearance of spam URLs
  3. Website suspended by the host
  4. A lot of malicious pop-ups on the website
  5. Website redirecting to unsolicited websites

If you are seeing these symptoms, it is likely that you are facing a WP-VCD malware attack.

To confirm the hack:

  • Scan your website with a malware scanner
  • Review “Security Issues” in Google Search Console
  • Review warning messages by the host, if there are any
  • Check your search engine warning messages, if there are any

Step-wise WP-VCD malware removal

Detect the hack:

  1. Compare the core files of your website with those of the original WordPress version.
  2. Search your website's brand name on Google and check the results for SEO spam.
  3. Look for unknown JavaScript code in the website source code.
  4. Look for any unusual PHP files in the wp-includes folder or its subfolders.
  5. Look for changes in the core files that belong in the wp-includes folder.
  6. Check all theme and plugin files stored in the wp-content folder.

Most importantly, you should check whether a new WordPress admin user with the username ‘100010010’ has been added to your website. This would have happened without your knowledge. Identifying the attack is the first step towards WP-VCD malware removal.

Clean the malware:

WP-VCD is now a known malware. You will be able to identify the attack on your website by following the steps mentioned above. Once that is done, you can move on to WP-VCD malware removal. There are multiple ways of removing this particular malware.

  • Manual Clean-up: This deals with core WordPress files and is therefore technical in nature. Some core WordPress files must be modified or deleted, so accuracy is of paramount importance.
  • Automatic Clean-up: Use a malware scanner to detect the infection and initiate WP-VCD malware removal.

1. Manual Clean-up

The first step here involves locating the infected files. We will quickly summarise the identification methods already discussed.

  1. Compare the core files with those of the original WordPress version.
  2. Identify any changes made to file contents and any newly added files.
  3. Identify unusual PHP files.
  4. Compare the core files with those of the previous clean version.
  5. Compare theme and plugin files with their corresponding versions in the theme/plugin directory.
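
The comparison steps above (core files against a clean copy, theme and plugin files against their original versions) can be done in one pass. The script below is an added example, not code from the original post: it lists files that were added, changed or removed between a known-clean copy of the same WordPress version and the live tree, and demonstrates itself on a constructed sample pair. It assumes both trees share the same directory layout.

```shell
#!/bin/sh
# Added example (not code from the original post): compare a live WordPress
# tree against a known-clean copy of the same version (a fresh download from
# wordpress.org, or the last clean backup) and list files that were added,
# changed or removed. Assumes both trees share the same directory layout.
set -u

# Every regular file under $1, as a sorted path relative to $1.
tree_files() { (cd "$1" && find . -type f | sed 's|^\./||' | sort); }

# Prints "added <path>" (only in live), "missing <path>" (only in clean) and
# "changed <path>" (present in both, content differs). Nothing is modified.
tree_compare() {
    clean=$1; live=$2; tmp=$(mktemp -d)
    tree_files "$clean" > "$tmp/clean"
    tree_files "$live"  > "$tmp/live"
    comm -13 "$tmp/clean" "$tmp/live" | sed 's/^/added /'
    comm -23 "$tmp/clean" "$tmp/live" | sed 's/^/missing /'
    comm -12 "$tmp/clean" "$tmp/live" | while IFS= read -r f; do
        cmp -s "$clean/$f" "$live/$f" || printf 'changed %s\n' "$f"
    done
    rm -rf "$tmp"
}

# Constructed sample (not real sites): identical clean and live copies, then a
# planted file and an appended line in the live copy to simulate an infection.
make_sample_pair() {
    d=$(mktemp -d)
    for side in clean live; do
        mkdir -p "$d/$side/wp-includes" "$d/$side/wp-content/themes/twentytwenty"
        printf '<?php // core file\n' > "$d/$side/wp-includes/load.php"
        printf '<?php // theme file\n' > "$d/$side/wp-content/themes/twentytwenty/functions.php"
    done
    printf '<?php // planted file\n' > "$d/live/wp-includes/wp-vcd.php"
    printf '// line appended to the theme\n' >> "$d/live/wp-content/themes/twentytwenty/functions.php"
    printf '%s\n' "$d"
}

pair=$(make_sample_pair)
tree_compare "$pair/clean" "$pair/live"   # reports one added and one changed file
rm -rf "$pair"
```

For core files alone, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums published by wordpress.org; the script above also covers themes and plugins.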

Keep a Keen Eye Out For

  1. wp-vcd.php in the wp-includes folder
  2. class.theme-modules.php
  3. functions.php in every theme under the wp-content/themes/* folder, including inactive themes
  4. wp-tmp.php in the wp-includes folder
  5. codexc.txt
  6. code1.php
  7. admin.txt
  8. class.wp.php, generally found inside the main theme folder

Search and Remove

This second step involves manually searching for and removing the following string patterns, which are commonly found in the infected files.

  1. code.php in the derna.top folder
  2. wp-tmp.php
  3. tmpcontentx
  4. stripos($tmpcontent, $wp_auth_key)
  5. function wp_temp_setupx
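
The file names and string patterns from the two lists above can be hunted in one read-only pass over the site root. The script below is an added example, not code from the original post: it reports every file whose name is on the list and every PHP file (including functions.php of inactive themes) that contains one of the listed strings, and demonstrates itself on a constructed sample tree; it never deletes anything.

```shell
#!/bin/sh
# Added example (not code from the original post): a read-only hunt for the
# WP-VCD file names and string patterns listed above. It reports, never deletes.
set -u

# Exact file names the post says to watch for, anywhere under the site root.
WPVCD_FILES='wp-vcd.php wp-tmp.php class.theme-modules.php class.wp.php code1.php codexc.txt admin.txt'
# Fixed strings the post says appear in infected PHP, one per line.
WPVCD_STRINGS='derna.top
wp-tmp.php
tmpcontentx
stripos($tmpcontent, $wp_auth_key)
function wp_temp_setupx'

# Prints "name <path>" for each suspicious file name and
# "string <path>: <pattern>" for each PHP file containing a listed string.
wpvcd_scan() {
    root=$1
    for name in $WPVCD_FILES; do
        find "$root" -type f -name "$name" -exec printf 'name %s\n' {} \; 2>/dev/null
    done
    printf '%s\n' "$WPVCD_STRINGS" | while IFS= read -r pat; do
        # Every PHP file is checked, so functions.php of inactive themes is covered.
        find "$root" -type f -name '*.php' -exec grep -lF -- "$pat" {} + 2>/dev/null |
            while IFS= read -r f; do printf 'string %s: %s\n' "$f" "$pat"; done
    done
}

# Number of findings; 0 means nothing on the post's list was seen.
wpvcd_count() { wpvcd_scan "$1" | wc -l | tr -d ' '; }

# Constructed sample tree (not a real site): a clean theme, a marker string in a
# disabled theme's functions.php, and a planted wp-tmp.php inside wp-includes.
wpvcd_make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/clean" "$d/wp-content/themes/old"
    printf '<?php\nadd_action("init", "noop");\n' > "$d/wp-content/themes/clean/functions.php"
    printf '<?php\n$tmpcontentx = 1; // constructed marker\n' > "$d/wp-content/themes/old/functions.php"
    printf '<?php\nfunction wp_temp_setupx() {}\n' > "$d/wp-includes/wp-tmp.php"
    printf '%s\n' "$d"
}

sample=$(wpvcd_make_sample)
wpvcd_scan "$sample"   # three findings for the constructed tree
rm -rf "$sample"
```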

The Secret User ‘100010010’ should be exterminated!

The third step involves removing something we have already talked about.

As discussed earlier, the malware secretly creates an admin user with the username ‘100010010’. It needs to be deleted.

No Use for Inactivity!

The fourth and last step is probably the easiest: delete all themes and plugins that are not active.

It is understandably a tedious process. Unfortunately, even carrying out all these steps meticulously does not guarantee a 100% hack-free website. A backdoor might still be open, and this WordPress hack could be back in the blink of an eye.

2. Automatic Clean-up

In this case, WP-VCD malware removal can be carried out easily and is not as tedious as the manual process.

Locate First and then Clean

You should install and activate a malware scanner. WP-VCD and other complex malware can be detected when you initiate a full website scan through the plugin. Once the scan is complete, you will be able to locate where the malware was injected.

Once the scanner has located the malware, it will automatically clean it up. The entire website will be cleaned and the WP-VCD malware removal will be complete.

You should also enable a firewall to ensure the protection of your website from further such attacks.

Safety is Paramount!

You need to make sure that the website files and database are absolutely clean and malware-free. Reinfection attempts can be blocked by a Web Application Firewall (WAF). Regular monitoring is also required to check whether the website has been tampered with. WordPress core, themes and plugins should be kept updated. Nulled themes should be avoided, and unused WordPress themes need to be deleted, even if they are disabled.

Astra is There For You!!

An oasis is a welcoming sight to everybody in a cruelly hot desert. Astra Security is the oasis in this large desert of malware attacks. They set you up with the best products for the job. Everything you need to secure your WordPress site, Astra has in one place. Astra does not compromise your speed while securing every corner of your WordPress site. Their aim is to make your job hassle-free. Hence, they make WP-VCD malware removal as easy as eating a piece of cake!

Protection is a job for the most trustworthy, and they do it with flying colours. Astra Security is at your service 24×7.