WP-VCD malware / hacking attack full solution

WP-VCD malware, What is this?
What will happen if this malware attack to my website?
How does this malware attack my website?
How can I remove WP-VCD malware from my site or theme & plugins?

What is this WP-VCD malware?

WP-VCD is a WordPress malware inject by wp-vcd.php into WordPress core file and Rewrite function.php and class.wp.php file to put the malicious code and creates a secret admin user and hacker can control full website by put WP-VCD malware.

This wp-vcd malware was first found online by Italian security researcher Manuel D’Orso.


What will happen if this malware attack to my website?

If this malware attack to your website, the hacker gets a secret a new admin user named 100010010.
Hacker injected malicious code to rewrite into WordPress core files such as functions.php and class.wp.php and the problem is if you want to delete malware code form functions.php file, the code add again after saving edit file.You can’t remove script before remove to the main WP-VCD file. Some attacker injects pop advertisement into your website.

if you have attacked by this malware your function.php code will be this type :

function.php file after attack WP-VCD-malware

How does this malware attack my website?

This malware scatters by Null premium themes/plugins, that we have downloaded from the third-party free download website. Those null version themes/plugins injected WP-VCD malware creating encoded scripts by “class.theme-modules.php” and “class.plugin-modules.php” file on every Null or premium free themes and plugins.

How can I remove WP-VCD malware from my site or theme and plugins?

This malware injects in premium theme free version, so becare full before using premium themes free by downloading untrusted websites.

My suggestion, Please create a backup before doing this.
So, the process is to remove WP-VCD script from the attacked website.
At first, you need to remove WP-VCD.php file for WordPress core wp-includes folder rewritten function.php file.
You can use a plugin to find malware code form your website, Wordfence Security and Anti-Malware plugin are best one of them.
Or you can find malware manually and delete them.

Before doing this step, you need to delete malware creator file form your theme and plugins. otherwise, malware will generate again. WP-VCD malware creator script file and is “class.theme-modules.php” and “class.plugin-modules.php”

Then go to WordPress install directory and then go wp-includes folder, you get the malware for example: wp-includes/wp-vcd.php

Must be delete those file if you found into your directory all or file are unnecessary for WordPress, wp-includes/wp-vcd.php, wp-includes/class.wp.php, wp-includes/wp-cd.php, wp-includes/wp-feed.php, wp-includes/wp-tmp.php

Then open function.php to remove malware script

Remove the extra code form function.php files.

How can you find WP-VCD malware generator into theme and plugins?

After downloaded theme and plugins extract the file, for search malware generator file you need to download two software, Everything, and grepWin

After installing both software you get two options if you right client any folder.

Then right click theme and plugin folder, then click “search everything” if have plugin find with this “class.plugin-modules” and have then find “class.theme-modules”, do same in grepWin.

In “search everything” if you found any file, delete them. Then in “Search with grepWin” if you found any file in search, you can see like this

Open them and delete code like the screenshot.

<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

Everything has done, you have successfully removed WP-VCD malware / hacking script into your website.
If you have any questions or updates tips information about WP-VCD malware please comment


Please enter your comment!
Please enter your name here