How to remove WP-VCD virus from WordPress

Is your website infected with the WP-VCD virus or malware? This is one of the most common malware to infect WordPress sites. Don’t panic, removal of this virus is quite simple. This article will discuss how to remove WP-VCD virus from WordPress.

What is the WP-VCD Virus?

WP-VCD virus often infect sites that use nulled WordPress templates or plugins. Nulled templates and plugins are those which are available for download for free but not from the original developers. So, a person usually ends up with modified or unsecure version of the template or plugin. This is a major concern with WordPress sites as many templates are quite expensive, so designers opt for free sources but end up infecting their sites.

What does the WP-VCD Malware Code Look Like?

The malware infects mainly the functions.php file of the WordPress templates. If you open up the functions.php file, you will notice a code similar to what is shown below:

wp-vcd virus code

In addition to infecting the functions.php file, the malware also adds three other files to your WordPress site directory. They are wp-vcd.php, wp-feed.php and wp-tmp.php. These files are not part of the main WordPress core files.

How Does an Infected Site with WP-VCD Virus Behave?

A site infected with WP-VCD will redirect users to other suspicious sites. In addition, mobile users will be prompted to receive notifications from those suspicious sites. The site will often load very slow. Users may even get 504 Gateway error. Sites will open after multiple tries and even then, very slowly. The website host will eventually find out that the site is infected and may terminate service if the malware code is not removed.

How to Remove WP-VCD from a WordPress Site

Follow these steps to remove the WP-VCD virus from your WordPress site.

  • Login to your WordPress administration panel
  • Click on Plugins > Add new and search for “wordfence” plugin. Install the plugin and activate it.
  • Click on Wordfence from the admin menu bar and select Scan
  • Wordfence will perform a thorough scan and list the infected files
  • From the list of identified files, delete wp-feed.php, wp-vcd.php and wp-tmp.php files
  • If you are using a twety-series WordPress templates, such as twenty-twenty, you could repair the functions.php file, if not, follow along
  • Your functions.php file is likely to be flagged by Wordfence. If a repair option is not given by Wordfence, be careful, do not delete the file.
  • Click on Dashboard > Updates and see if an update is pending for your template. If so, download the update. This will replace the current infected functions.php file of the template with an uninfected one. If an update is not available, you may need to change your current theme with a reputable one. If that’s not an option, you will need to delete the portion of the code which belongs to the virus. If you are not familiar with php codes, this may break your WordPress site. So, it’s advisable you seek advice from a developer to modify your functions.php file. Usually the malware code ends with this line:
    wp-vcd code ending
  • Once you have successfully updated your functions.php file to remove the malware code, proceed to delete other unused themes from your WordPress site. This can be done by logging in to your FTP account and going to /wp-content > themes. Delete all unused themes as their functions.php files are likely to be infected by WP-VCD.

At this point, perform another Wordfence scan and your site should come clean. One piece of advice, be extra careful with handling your functions.php file. It can completly break your site if not edited properly. If you do break your site, login to your webhost’s Cpanel and look for Backup Restore option. Then, backup the most recent functions.php file to the right directory and it should start to work again.

Consider changing your admin password. This will protect your site from future malicious attacks. Also, consider installing plugins which enhance the security of your WordPress site.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.