Wordpress Malware

WP-VCD malware / hacking attack full solution

WP-VCD malware, What is this?
What will happen if this malware attack to my website?
How does this malware attack my website?
if you already effected by wp-vcd, How i can permanently remove it?
How can I remove WP-VCD malware from my site or theme & plugins?

What is this WP-VCD malware?

WP-VCD is a WordPress malware inject wp-vcd.php and wp-tmp.php malware file into on WordPress WP-includes folder, WP-includes is WordPress core file folder.

And it rewrites all the function.php file form all the themes and put the malicious code and creates a secret admin login and hacker create a backdoor on your Cpanel to access files and email featured on your server.

And hacker also put adds code on your website pages by javascript. We will talk about the details about it and also the permanent solutions.

This wp-vcd malware was first found online by Italian security researcher Manuel D’Orso.

What will happen if this malware attack to my website?

If this malware attack to your website, the hacker gets a secret a new admin user named 100010010.
Hacker creates wp-vcd.php and wp-tmp.php, two malicious files on wp-includes.

And rewrite your all themes functions.php files add malicious code.
The problem is, If you want to delete malware code form functions.php file, the code add again and again after saving.

You can’t remove the malware script before remove to the main WP-VCD file form wp-includes folder.

By wp-tmp.php hacking file, hacker injects pop and manual advertisement on your website main page or other most viewing pages.

wp-tmp.php add injector code

Sometimes it creates the class.wp.php file.

How you can be notified if WP-VCD malware have attach on your website?

The best solutions ever I have seen to use Astra secure services, not only WP-VCD malware, it makes security a 5-minute affair: from a With a Web Application Firewall, On-demand Malware Scanner, self-managed Vulnerability Assessment & Penetration testing, Bug bounty program, all under one dashboard.

Here is the screenshot from the Astra’s Malware Scanner where it has detected a WP-VCD malware.

How to use Astra:

It takes less than 5 minutes for you to setup Astra on your website. Just sign up here, add your website & let Astra’s Awesomeness take over your website’s security!

Also, you can use the iThemes Security plugin to scan your WordPress website form the WordPress dashboard. If the malware has found it shows this type of winning for wp-tmp.php malware.
and Wordfence Security plugin it shows you if have any unfortunate activities on WordPress core file it can detect wp-vcd malware.

iThemes Security plugin scanning results

if you have attacked by this malware your function.php code will be this type :

function.php file after attack WP-VCD-malware

How does this malware attack on your website?

This malware scatters by Null premium themes/plugins, that we have downloaded premium themes/plugins in free from the third-party download website. Those null version themes/plugins injected WP-VCD malware creating encoded scripts by “class.theme-modules.php” and “class.plugin-modules.php” file on every Null or premium free themes and plugins.

if you already effected by wp-vcd or class.theme-modules.php malware, How you can remove it permanently?

“In this video, I have to show everything, This video is in two-step one is how to notify and confirm if wp-vcd malware has attacked the website and The second step is how you can remove this permanently”

At first, you have to create full backup your while website files.
Then you need to remove WP-VCD.php file for WordPress core wp-includes folder rewritten the function.php file.
Go on the wp-includes folder and then find wp-vcd.php and wp-tmp.php and delete them, for example: wp-includes/wp-vcd.php , wp-includes/wp-tmp.php and wp-includes/wp-feed.php

and then you have to delete malware creator file form your theme and plugins. otherwise, malware will generate again. WP-VCD malware creator script file have on the themes and plugins folder, for theme “class.theme-modules.php” and if it has plugin “class.plugin-modules.php”.

To remove those file you have to download the file plugin (wp-content/plugins) and thems (wp-content/themes) folder to create zip and then extract it on your computer and flow the next step to remove the malware fines.

Also, You can delete all unnecessary themes, then you have to remove the malware code from functions.php folder form all the themes (wp-content\themes\themename).

Go the the WordPress directory (wp-content\themes\themename)
Then open function.php and remove malware script

Remove the extra code form function.php files. You can use notepad++ if you don’t have you can install this editor. then search or press ctrl+f to search the ending on notepad++ by this code “end_wp_theme_tmp” this is the ending of functions.php file malware. ” //wp_tmp //$end_wp_theme_tmp ?> ” select all of those upper line code and remove it(like screenshot) then save the file.

it all will be doing easy if you download the themes and plugins folder to create the zip, after doing all the things you can delete the old folder and upload the fresh fodder to create zip and extract them on the current directly.

How can you find WP-VCD malware generator into theme and plugins?

This malware injects in premium theme free version, so becare full before using premium themes free by downloading untrusted websites.

You need to delete malware creator file form your theme and plugins.

After downloaded theme and plugins extract the file, for search malware generator file you need to download two software, Everything, and grepWin

After installing both software you get two options if you right client any folder.

Then right-click theme and plugin folder, then click “search everything” if this plugin finds with this “class.plugin-modules.php”

And if it theme finds with this “class.theme-modules.php”.
if have the malware create the file on your plugins and themes then you will see this type of file like the screenshot, must delete all of them.

After that, we have to clean the malware file include script form file. Right-click theme and plugin folder and then you will see “Search with GrepWin” option click on that and do the same thing, for theme class.theme-modules.php and for plugin class.plugin-modules.php after search you will see like this.

Open them and delete code like the screenshot for plugin

<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

And For Theme

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

And now just you have to create zip theme and plugin folder to upload into your website directly where it had.

After successfully doing all, you are welcome, you have successfully removed WP-VCD malware / hacking script form your website, themes and plugins.

Everything has done, you have successfully removed WP-VCD malware / hacking script into your website.

If you have any questions or any problem you can comment and try to contact with me via live chat


  1. we folllowed your guide to remove wp-vcd, and we deleted class-wp.php these are the two errors you will see, can you please check this

    Warning: require(/homepages/38/d788609936/htdocs/clickandbuilds/TovFoods/wp-includes/class-wp.php): failed to open stream: No such file or directory in /homepages/38/d788609936/htdocs/clickandbuilds/TovFoods/wp-settings.php on line 114

    Fatal error: require(): Failed opening required ‘/homepages/38/d788609936/htdocs/clickandbuilds/TovFoods/wp-includes/class-wp.php’ (include_path=’.:/usr/lib/php7.2′) in /homepages/38/d788609936/htdocs/clickandbuilds/TovFoods/wp-settings.php on line 114
    The site is experiencing technical difficulties.

    • Hi, I will be happy to give the solution.
      This Warning is for, wp-VCD malware linkup wp-vcd.php file form wp-includes/post.php file, include_once link mean if the fine is not found, php show you a Warning, same that you get.

    • The solution is, Downalod the WordPress core file form here: https://wordpress.org/latest.zip and then totally remove wp-includes folder form your website, and then upload wp-includes folder that you have download form WordPress website. if you will get an issues about WordPress update issues after doing this also delete the wp-admin folder form your theme and re-upload it form your downloaded WordPress fresh file form WordPress website.

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment