Removing the WP-VCD Malware From Your Site
If your WordPress security plugin has raised an alert such as “Backdoor – PHP/wp-vcd.5473”, your WordPress site has been infected with the WP-VCD malware. Even when no such alert appears, since malware of this kind often slips past well-tuned scanners, a few symptoms may hint at the infection:
- Newly created administrator accounts that you do not recognise
- Malicious pop-ups appearing on the website
- Unfamiliar PHP code hidden in many folders
- A significant drop in page load speed
- High server resource consumption with no visible cause
Let’s go through the details of this malware, including how to remove it.
The WP-VCD malware can compromise a WordPress site in several ways, and those who have encountered it report varying degrees of success at getting rid of it.
Some never succeed, because removal is difficult however hard you try. The malware spreads to different parts of the site and infects everything it can reach, creating many variants along the way, which makes tracking down and cleaning each copy by hand tedious and error-prone.
Even if you are among the few who manage to remove WP-VCD from your site, you will quickly find that it keeps coming back: as long as one copy or one entry point survives, the infection returns.
How does the WP-VCD malware function?
The most visible effect of this infection is that it overloads the site and slows it down. The malicious code runs on every page load and repeatedly looks for files that may not exist, making WordPress search for them again and again even when nothing is found. This consumes a major share of the server’s resources and degrades performance for every other visitor and the functions they are trying to use.
In the worst case, your hosting provider suspends the account because of the alarming amount of resources your WordPress installation alone is consuming.
The malware also adds unauthorised administrator accounts, which give the attackers full admin privileges to manipulate the site’s functions and content as they wish.
The code responsible replicates itself, planting copies in various files and folders, and the difficulty is that it closely resembles legitimate WordPress code. It can also lie dormant like a sleeper cell, injecting malicious links through that code only when the attacker chooses, until it is instructed to do more.
Why do you want to remove the malware?
Server overload is the less important reason for removing this malware quickly. The attacker-created admin accounts are the greater threat, since they hand over full control of your site and what it is used for: selling illegal medications, stealing customers’ financial data, pushing counterfeit branded products, redirecting traffic to sites that pay for it, or using your site to spread malware to other sites and their visitors.
As usual, you can rely on a reputed security plugin, such as the one from the security experts at Astra Security, to clean this up, or rely on your own skills at manual WordPress malware removal.
Manual removal calls for extra care because of the mutation we mentioned earlier: the variants are not identical to one another, so a search for a single signature will miss some of them.
Detect the malicious code and suspicious content in core files and folders
The search should be as comprehensive as possible, since the attackers may reuse old storage places or find new ones. There are always basic places to start: ‘wp-includes/wp-vcd.php’, ‘class.wp.php’, ‘code1.php’, ‘wp-includes/wp-tmp.php’, etc. The functions.php file of each installed theme is another place to check, since that is where the loader that re-creates the dropped files is usually injected.
Also look for suspicious string patterns such as ‘tmpcontentx’, ‘wp-tmp.php’, ‘derna.top/code.php’, etc. Keep in mind that some matches may serve a legitimate purpose on your site, so if you are in doubt, do not delete anything without consulting a professional.
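The following scanner is an added example written for this article, not a tool from Astra Security or from WordPress. It walks a site tree, flags the filenames and literal strings listed above, and keeps an allow-list of paths a human has already reviewed, because a match is evidence to examine, not a verdict. The miniature site it builds (`build_sample_site`) and the planted files inside it are constructed for the demonstration.

```python
"""Added example: scan a WordPress tree for the WP-VCD indicators the article lists.

Illustration code written for this article, not Astra Security's or WordPress's own
tooling. The filenames and strings are the ones the article names; the sample site
built by build_sample_site() is constructed here for demonstration.
"""
import tempfile
from pathlib import Path

# Filenames the article names as usual WP-VCD drop locations.
SUSPICIOUS_NAMES = frozenset({"wp-vcd.php", "class.wp.php", "code1.php", "wp-tmp.php"})

# Literal strings the article lists as suspicious inside PHP source.
SUSPICIOUS_STRINGS = ("tmpcontentx", "wp-tmp.php", "derna.top/code.php")

# Only PHP source is searched for the strings; a mention in a text note is not executable.
PHP_SUFFIXES = frozenset({".php", ".inc", ".phtml"})


def scan(root, allow=frozenset()):
    """Return sorted (relative_path, reason) tuples for every indicator hit under root.

    `allow` holds relative paths a person has already reviewed and judged legitimate.
    Hits are reported, never deleted: the article warns that some patterns can be benign.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in allow:
            continue
        if path.name in SUSPICIOUS_NAMES:
            findings.append((rel, "known WP-VCD filename"))
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for needle in SUSPICIOUS_STRINGS:
            if needle in text:
                findings.append((rel, f"contains {needle!r}"))
    return sorted(findings)


def build_sample_site(root):
    """Create a constructed miniature WordPress tree with two planted indicators."""
    root = Path(root)
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        # planted: a dropped file at one of the article's usual locations
        "wp-includes/wp-vcd.php": "<?php /* planted dropped file (constructed) */\n",
        # planted: a theme functions.php that merely references the dropped filename
        "wp-content/themes/demo/functions.php":
            "<?php if (file_exists(__DIR__ . '/../../../wp-includes/wp-tmp.php')) { }\n",
        # a non-PHP note mentioning a pattern; not searched, so not reported
        "wp-content/uploads/notes.txt": "derna.top/code.php seen in a text note\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo(allow=frozenset()):
    """Build the sample site in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan(tmp, allow=allow)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a live host the equivalent quick check is `grep -rlF -e tmpcontentx -e 'derna.top/code.php' --include='*.php' /path/to/site`, but the script above lets you record which hits have been reviewed and rerun the scan after cleanup to confirm nothing has re-appeared.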
Run a diff checker for your core files and folders
As the name suggests, a diff checker reports the differences between two pieces of code. It does not tell you whether a difference is malicious, so your judgement is essential.
For this step, download the original WordPress core files for the exact version your site runs from the official GitHub repository and diff them against a copy of your site’s files obtained from cPanel. Comparing against a different release produces hundreds of harmless differences that hide the real ones.
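The comparison below is an added example written for this article, not WordPress’s own tooling. It hashes every file in the live site and in the clean copy, skips the paths that legitimately differ (`wp-content/` and `wp-config.php`), and sorts the result into modified, added and missing files. The two trees it builds (`build_sample_pair`) are constructed for the demonstration; in practice the clean tree is the release you downloaded.

```python
"""Added example: compare a WordPress install against a clean copy of the same release.

Illustration code written for this article, not WordPress's own tooling. The trees
built by build_sample_pair() are constructed here for demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from a clean release and are therefore skipped:
# wp-content holds themes, plugins and uploads; wp-config.php holds the site's secrets.
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = frozenset({"wp-config.php"})


def digest_tree(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(site_root, clean_root):
    """Return the files that differ between the live site and the clean release.

    Read 'added' first: a file under wp-includes or wp-admin that the release does not
    ship has no legitimate reason to exist. 'modified' needs a line-level diff and human
    judgement; 'missing' usually means a file was deleted on purpose.
    """
    site, clean = digest_tree(site_root), digest_tree(clean_root)
    return {
        "modified": sorted(rel for rel in site.keys() & clean.keys() if site[rel] != clean[rel]),
        "added": sorted(site.keys() - clean.keys()),
        "missing": sorted(clean.keys() - site.keys()),
    }


def _write(root, files):
    """Write a {relative_path: body} mapping under root, creating directories as needed."""
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def build_sample_pair(base):
    """Construct a clean release tree and a live site tree with three real differences."""
    version = "<?php\n$wp_version = '6.4.3';\n"
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "readme.html": "<html>Welcome to WordPress (constructed stub)</html>\n",
        "wp-includes/version.php": version,
    }
    site = dict(clean)
    del site["readme.html"]  # deleted by the site owner: reported as missing
    site["wp-includes/version.php"] = version + "// line appended to a core file (constructed)\n"
    site["wp-includes/wp-vcd.php"] = "<?php /* planted dropped file (constructed) */\n"
    site["wp-config.php"] = "<?php define('DB_PASSWORD', 'example');\n"  # skipped
    site["wp-content/themes/demo/functions.php"] = "<?php /* theme code */\n"  # skipped
    clean_root, site_root = Path(base) / "clean", Path(base) / "site"
    _write(clean_root, clean)
    _write(site_root, site)
    return site_root, clean_root


def demo():
    """Build both trees in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        site_root, clean_root = build_sample_pair(tmp)
        return compare(site_root, clean_root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

If WP-CLI is available on the host, `wp core verify-checksums` performs the same core comparison against the checksums published by wordpress.org, and `wp plugin verify-checksums --all` does it for plugins from the official directory; neither covers a premium theme or plugin, so those still need a manual diff against the vendor’s original package.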
Recheck your extensions, themes, and plugins
Much of this malware gets onto sites through outdated themes or plugins: the vulnerabilities in that code make it easier to plant a backdoor that lets the attackers in. WP-VCD in particular is widely spread through pirated (“nulled”) themes and plugins, so remove any that were not obtained from the official directory or the vendor. A reputed security plugin makes it easier to keep track of missing updates and of backdoors as well.
Protecting against and removing any malware comes down to a few consistent steps that every site owner should follow. Beyond that, you can always turn to security professionals.