WP-VCD Malware Reattack on your WordPress site
WP-VCD is malware that creates backdoors in your website by adding hidden WordPress admin users, or a backdoor account with the name 100010010. This gives the attackers full access to your site and lets them maintain a persistent foothold on infected sites.
Research by Wordfence found that the rate of WP-VCD attacks has been rising since August 2019.
WP-VCD has been around since at least February 2017, becoming more and more prevalent over the course of that year.
Wordfence now describes WP-VCD as the top hacking group in the WordPress landscape.
The attackers' sole intention is monetization, which comes from two main sources:
- viral marketing activity intended to manipulate search engine results
- malvertising code that creates potentially dangerous redirects and pop-up ads for visitors of a compromised site
How it spreads
- Running outdated WordPress plugins and themes on your site
- Downloading and installing free pirated ("nulled") premium WordPress themes
- Downloading and installing free plugins from untrustworthy sources
- Not using any firewall or other security option for your site
Symptoms of an infected site
- A new user with administrator privileges is added to your site without your knowledge
- Potentially dangerous redirects and pop-up ads for users viewing your site
- Unknown PHP files in the wp-includes folder that are not present in the official WordPress GitHub repository
- PHP files in the wp-content/uploads directory and its sub-directories (this directory should only hold media)
- SEO spam: spammed search results for your site
- Suspension of your hosting account to prevent the malware spreading to other customers of your hosting company
Fixing and preventing the problem
- Wordfence is a security plugin that can fix this problem for you, in both its free and premium versions
- Manually search your server for the locations WP-VCD usually targets, i.e. wp-content/uploads and wp-includes, and delete any infected files you find
- Install a Web Application Firewall (WAF) to block re-infection attempts
- Delete unused WordPress themes and plugins (even if they are disabled)
- Completely avoid pirated themes, and remove any already present on your website
- Update WordPress core, plugins and themes
- Delete suspicious users from your site
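The following script is an added example, not code from the original post or from Wordfence, showing how the manual file checks from the symptoms and fix lists above can be scripted as a read-only triage step. It lists PHP files under wp-content/uploads and files in wp-includes that are missing from a pristine copy of the same WordPress version; the pristine copy's location, the sample file names and the planted demo files are all assumptions constructed for the demonstration. Nothing is deleted automatically: review the output and remove files by hand once you are sure they are not legitimate.

```shell
#!/bin/sh
# Added example (not part of the original post): read-only triage checks for
# two WP-VCD symptoms. Assumes you have unpacked a clean copy of the same
# WordPress version from wordpress.org to compare wp-includes against.
#
# Admin accounts are reviewed separately, for instance with WP-CLI:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered
# and any login you do not recognise (the post names 100010010) is deleted.

# php_in_uploads <site_root>: print PHP-like files in the uploads tree,
# which should only ever contain media
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# extra_in_wp_includes <site_root> <pristine_root>: print relative paths that
# exist in the site's wp-includes but not in the pristine wp-includes
extra_in_wp_includes() {
    tmp=$(mktemp -d)
    (cd "$1/wp-includes" && find . -type f | sort) > "$tmp/site"
    (cd "$2/wp-includes" && find . -type f | sort) > "$tmp/clean"
    # comm -23 keeps lines present only in the first (sorted) file
    comm -23 "$tmp/site" "$tmp/clean"
    rm -rf "$tmp"
}

# build_demo: construct a throwaway pristine tree and an "infected" site tree
# (constructed sample data, not real malware) and print the root directory
build_demo() {
    root=$(mktemp -d)
    for t in clean site; do
        mkdir -p "$root/$t/wp-includes" "$root/$t/wp-content/uploads/2019/11"
        printf '<?php\n// legitimate core file\n' > "$root/$t/wp-includes/version.php"
    done
    echo 'image bytes' > "$root/site/wp-content/uploads/2019/11/photo.jpg"
    # two planted symptoms: a PHP file in uploads and an unknown file in wp-includes
    printf '<?php\n// planted for the demo\n' > "$root/site/wp-content/uploads/2019/11/cache.php"
    printf '<?php\n// planted for the demo\n' > "$root/site/wp-includes/wp-vcd-sample.php"
    echo "$root"
}

# Stand-alone run: `sh triage.sh demo` builds the demo trees and reports on them.
# For a real site call the two functions with your site root and the clean copy.
if [ "${1:-}" = "demo" ]; then
    root=$(build_demo)
    echo "PHP files in uploads:";         php_in_uploads "$root/site"
    echo "Unknown files in wp-includes:"; extra_in_wp_includes "$root/site" "$root/clean"
    rm -rf "$root"
fi
```

Because WP-VCD re-infects from leftover theme and plugin files, run these checks again after cleaning and updating; a second hit in wp-includes or uploads usually means a pirated theme or plugin is still installed.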