Deceptive Site

Malware/Virus: Fix and Remove “WP-VCD” from my WordPress

My Wordfence (a security plugin for WordPress) raised the “Critical Problems” flag after a malware/virus scan of my website. I had a similar incident before, and it was a nightmare for me to fix it and bring the suspended website back to normal.

The Malware Files

  • wp-content/themes/Divi/functions.php
  • wp-core.php
  • unzipper.php
  • wp-includes/wp-vcd.php
  • wp-includes/wp-tmp.php
  • wp-includes/wp-feed.php

The hacker used the “wp-” prefix to name the files, so it’s hard to tell whether they are core WordPress files.

However, I was able to find out before Google suspended my website with the red “Deceptive Site ahead” screen.

This malware is called “WP-VCD”. It can create random administrator users to control my settings, and in a worse case, my whole hosting server can be infected.

The Solution

The solution was simple. I was able to just trash/remove the files below straight from the file manager on my hosting server (in the root directory, called “public_html”).

  • wp-core.php
  • unzipper.php
  • wp-includes/wp-vcd.php
  • wp-includes/wp-tmp.php
  • wp-includes/wp-feed.php

However, the infected “functions.php” file was a bit trickier. The malware was injected into an existing theme file, so you can’t just remove the file. You have to edit “functions.php” to fix it 100%. But don’t panic. I will carefully show you what to edit in the file.

Use an FTP program like FileZilla, or go to cPanel -> File Manager -> Root Directory – “wp-content” -> themes -> (your theme) -> functions.php. Open the file and remove the first set of PHP code, as shown below. In my case, that meant removing everything from the very first line of the file to line 184, where you see the closing PHP tag ?>.

[Screenshot: remove the blue highlighted code]

One side note: always back up each file before you permanently delete it, in case you have to go back, and do the cleanup as soon as possible, before Google red-flags your precious webpage.
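
A read-only check for the files listed above and for the functions.php layout described in the post, as an added example that is not part of the original post. The heuristic (a first PHP block closed with ?> and followed directly by a second <?php) and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# File names the post lists as dropped by WP-VCD, relative to the WordPress root.
INDICATOR_FILES = ["wp-core.php", "unzipper.php", "wp-includes/wp-vcd.php",
                   "wp-includes/wp-tmp.php", "wp-includes/wp-feed.php"]

def leading_block_end(functions_php):
    """Line number of the '?>' closing the first PHP block, if another '<?php'
    block follows it directly; otherwise None. Heuristic (assumption): matches
    the layout the post describes, but a legitimate theme can look the same."""
    text = Path(functions_php).read_text(encoding="utf-8-sig", errors="replace")
    close = text.find("?>")
    if not text.lstrip().startswith("<?php") or close == -1:
        return None
    if not text[close + 2:].lstrip().startswith("<?php"):
        return None
    return text.count("\n", 0, close) + 1

def scan(wp_root):
    """Read-only check: returns (indicator files present, {theme: line number})."""
    root = Path(wp_root)
    found = [f for f in INDICATOR_FILES if (root / f).is_file()]
    themes = {}
    for fp in sorted(root.glob("wp-content/themes/*/functions.php")):
        line = leading_block_end(fp)
        if line is not None:
            themes[fp.parent.name] = line
    return found, themes

def build_sample(root):
    """Constructed sample tree with harmless placeholder files for the demo."""
    root = Path(root)
    for rel, body in {
        "wp-core.php": "<?php // placeholder\n",
        "wp-includes/wp-vcd.php": "<?php // placeholder\n",
        "wp-content/themes/Divi/functions.php":
            "<?php\n// placeholder block\n// ...\n?><?php\n// theme code\n",
        "wp-content/themes/clean/functions.php": "<?php\n// theme code\n",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, themes = scan(build_sample(tmp))
    print("indicator files present:", found)
    print("functions.php with a leading closed block (theme: line):", themes)
```

A hit on functions.php is a prompt to open the file and inspect the first block by hand, not proof of infection; the reported line number is where that first block ends.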
