How to Prevent wp-vcd malware Attacks on Your Website?

If your WordPress security plugin is flagging your website with a message Backdoor: PHP/wp-vcd.5473 – malicious code; it is possible that your website is infected with wp-vcd malware. This error must have raised a bunch of questions in your mind related to malware infection. For instance, what is wp-vcd malware?, how can it alter the behavior of your website?, how to safely remove it from your WordPress website? etc. The only problem is that you don’t know where to start. Don’t worry, we are here to answer these questions for you. Just stick with us for a few more minutes to get the information in detail.

The WP-VCD malware has been creating havoc since its first introduction. Over the years, it has formulated new means to hide in themes and plugins by leveraging the security loopholes. More than 20,000 WordPress websites run premium themes infected with wp-vcd malware. This malware can also open up the backdoor in your website by creating hidden admin users.  Hence, it is important to understand the basics of malware infection before its removal. Therefore, before discussing the symptoms and removal of malware infection, we will discuss the basics of wp-vcd malware.

What is WP-VCD malware?

WP-VCD malware is the topmost threat to the security of a WordPress website. It is spread via null or inactive themes or plugins distributed by related sites after which it will spread itself to the websites that install them. What is more worrisome is that during the covid-19 pandemic, there have been multiple reports suggesting that this malware was injected into various links related to coronavirus statistics.

The wp-vcd malware is a piece of PHP code that adds hidden admin users and injects malicious URLs in your website’s content. The general form of malware looks like codes in a given image.

@lt wp-vcd malware

Source: Malcare

How does the malware work?

To fully understand the risks of a malware attack, it is essential to understand how a malware attack alters the behavior of your WordPress website.

When a malicious code is injected, it usually stays in the core files such as functions.php/index.php. When someone visits your website via a browser, the malware will make a call to the files of your website. If these files are not found in your website, functions.php will get executed again and again creating a loop or in security language, a ‘forkbomb’.

Source: Wikipedia

Deploying malicious scripts

The first step of a malware attack includes the deployment of malicious scripts in the website content. In case of an attack, you will find these codes in the functions.php file of your theme.

This code essentially checks whether the deployed scripts are available and executes them. In the above code, you can see that the file called is the class.theme-modules.php. But depending on the source of the infection, the malicious script will sit in file class.theme-modules.php or class.plugin-modules.php.

Creates Backdoor

This code is used to create a backdoor in the website by creating hidden admin users with a name of 100010010. The objective of this admin account is to create a way back for hackers even if you delete the malware.

How to remove wp-vcd malware from your website?

There are two ways to clean your website of a wp-vcd malware infection: (1) By using a WordPress malware cleaner and security plugin and  (2) Manually. We will discuss both ways to clean your website. But, usually, manual removal is not recommended as it is very tricky. And if you miss even a single semicolon(;), it will wreck your entire website.

1. Manual removal of malware

  • The first step before any malware removal is to take backups of all the files in your website.
  • Remove the WP-VCD.php file from the WordPress core. It contains a file named functions.php that contains malware codes.
  • Do not forget to delete class.theme-modules.php and class.plugin-modules.php, otherwise, the malware will keep generating again and again.
  • Delete the wp-includes/wp-vcd.php file from the WordPress install directory.
  • Look for the files wp-includes/wp-vcd.php; wp-includes/class.wp.php; wp-includes/wp-cd.php; wp-includes/wp-feed.php; wp-includes/wp-tmp.php; in the WordPress install directory. If present, delete them.
  • Search for malicious string patterns found in infected files.
  • Run a check (diff) to ensure that codes are authentic and clean.
  • Run a malware scan.

2. Using a security plugin

The best security step you can take for your WordPress website is to install a security plugin. Astra Security Suite is one of the most reliable and trusted plugins available in the market today. With Astra, you will never have to worry about any credit card, pharma malware hack, XSS, SEO Spam, SQLi, brute force attacks and other 100+ threats. Astra’s installation takes less than 5 minutes.

How to protect your website from wp-vcd malware?

Once you have removed the malware from your website, the final and most important step is to make sure that your website does not get infected again. Follow these steps to prevent malware from breaking into your website.

  • Enable the popup blocker.
  • Always keep the core updated. The same goes for themes, plugins and other software.
  • Uninstall the inactive themes and plugins.
  • Avoid installing free third-party pieces of software.
  • Use a rock-solid firewall.
  • Take backups regularly.

Hopefully, we have hit all the key points of the wp-vcd malware attack. If you have questions, drop by comments!

PRIYA JAMES is a Cyber Security Enthusiast, Certified Ethical Hacker, Security Blogger, Technical Editor, Author at GBHackers On Cyber Security

Leave a Reply