
In more than 10 years of working with WordPress, I have seen a lot of people do this: use themes that have been cracked, found on Google, or downloaded with torrents.
It doesn't matter where you get them from; they are most probably infested with malware.

Ermin Klimenta

The most common malware is WP-VCD. If you are sitting there feeling guilty about downloading that theme for free instead of paying $59 for it, and you would like to check whether you are affected in any way, there are two ways to do it: like everything in WordPress, you can do it manually or with a plugin.

Option 1: Manually

Using FTP (SFTP), connect to your server and open wp-includes/post.php. Look at the first line of code. If it matches this

<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?><?php

this is one indication that you are infected. You can also check the wp-includes folder for the files wp-vcd and wp-tmp; these are files that the malware uses to spread itself through the web server (the WordPress installation). To remove the malware, please see Option 2 below.

Option 2: With a plugin

I have been using this method to remove malware from websites for a long time. The best security plugin out there that I have used is Wordfence. You will need to download this plugin and go to the Scan option from the WordPress dashboard. If the scan stops at any time before it finishes, you may need to play around with the settings a little, optimize the Wordfence scanner, and have a look at this debugging article.

While the scan is running, you can see what is going on and see instantly when Wordfence detects any malware files on your system. After the scan is finished, depending on the files it finds to be corrupted or malware, there are two cases you will find. The first is infected files like functions.php and post.php, which have added code that looks something like this:

$install_code = 'c18615a1ef0e1cd813b388b4b6e29bcdc18615a1ef0e1cd813b388b4b6e29bcd[…Blah blah blah..]$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT); $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

In these cases you will have to manually delete the code from the file and re-upload it to the server.
The other case is a very easy one: wp-tmp, wp-vcd and similar wp- files that are not part of core WordPress can be deleted directly from the Wordfence plugin.
After you have deleted or repaired all the files, run another scan to see if it's clean, and repeat the steps until it is.
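
The manual checks from Option 1 and the injected-code markers shown under Option 2 can be run in one pass over a downloaded copy of the site. This is an added example, not code from the original post or from Wordfence; the function name scan_wordpress and the ".php" extension on wp-tmp are assumptions.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the article. The ".php" extension on wp-tmp is an
# assumption; the article names the files only as "wp-vcd" and "wp-tmp".
DROPPED_FILES = ("wp-vcd.php", "wp-tmp.php")
LOADER_RE = re.compile(
    r"include_once\(\s*dirname\(__FILE__\)\s*\.\s*['\"]/wp-vcd\.php['\"]")
INSTALLER_MARKERS = ("$install_code", "$install_hash")


def scan_wordpress(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    includes = root / "wp-includes"
    findings = []

    # 1. Dropped files that are not part of WordPress core.
    for name in DROPPED_FILES:
        if (includes / name).is_file():
            findings.append((f"wp-includes/{name}", "dropped file"))

    # 2. Loader prepended to the first line of wp-includes/post.php.
    post = includes / "post.php"
    if post.is_file():
        with post.open(encoding="utf-8", errors="replace") as fh:
            first_line = fh.readline()
        if LOADER_RE.search(first_line):
            findings.append(("wp-includes/post.php", "wp-vcd loader on line 1"))

    # 3. Installer code injected into any functions.php or post.php,
    #    including theme copies under wp-content/themes/.
    for path in root.rglob("*.php"):
        if path.name not in ("functions.php", "post.php") or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if all(marker in text for marker in INSTALLER_MARKERS):
            findings.append((path.relative_to(root).as_posix(), "installer code"))

    return sorted(set(findings))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in scan_wordpress(target):
        print(f"{rel}: {reason}")
```

An empty result only means these specific indicators are absent; the full Wordfence scan described above still applies.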

At ELAMI we can help you with this. If you have any kind of problem with your WordPress website, do not hesitate to contact us for a free informational quotation.