If you are a website owner you might have one day visited your website just to notice that wherever you click on any link a new page loads in a new tab. Sometimes you will see a pop up notification which you didn’t install at all. This abnormally is caused by malware which has infected your website. You have to remove this malware as fast as possible because it can cause bad user experience and at same time you will be losing your traffic to this malware developers. Word-press websites are hugely targeted during malware attacks and your themes and plugins may have some vulnerabilities if not updated constantly. WordPress malware removal services can cost very high, so prevention is always the best in order not to lose your business website to these hackers. at the end of this article I will show you how to protect/prevent your WordPress from being attacked.
In this guide I will be showing you how to remove WP-VCD.php WordPress malware that causes the popups and pop-unders on an infected WordPress website. This malware is popular and many webmasters have had an experience with it so this guide will save you some stress if you find your website infected with it. Before you embark on removing this malware it is advice-able to back up your website so that you can easily restore it to the previous state in case of any mistake. You can use All in one migration plugin to back up your website or any back up plugin that you are friendly with. Once that is done, next is to access your website root folder directory. You can use FTP software like filezilla to achieve this or the file manager tool inside your cPanel account.
Now while inside the file manager locate the website folder that is infected with the malware and click on it. Be careful! don’t delete files inside the folders because it can break your website. Inside the website folder navigate to the wp-includes/ directory, scroll down to see if you can find these two files named wp-vcd.php and wp-tmp.php. If there, delete both of them. The screenshot below shows how the directory looks like if you are using filezilla ftp software. Also optional is to search for the file named class.wp.php, if available delete it too. So in summary the 3 files to delete and its locations are:
/ wp-includes /wp-vcd.php
/ wp-includes /wp-tmp.php
/ wp-includes /class.wp.php
These files are responsible for the pop-ups that occur on your website and the hackers injected it into your website so that they can steal your traffic and do other malicious intent. After deleting the files the next is to edit the theme functions.php and post.php to remove the codes that control these deleted files. This is very important because if not removed hackers can easily get back to your website again. So while still inside the /wp-include/ directory search for post.php file and open it with any text editor. From the screenshot below you will see the lines of code to delete inside this file. Delete it, save it and upload it back to the directory. If prompt for an overwrite message, accept it and the new file will overwrite the existing one.
The next file to edit is the functions.php which is present inside the theme folder. You can reach to this file here /wp-content/themes/THEMENAME/functions.php. Open the file with any text editor and delete the long malicious code inside it. From the screenshot attached below you will see that the codes always ends in ?>. After deleting it save the file and upload it back to overwrite the existing one. Now check your website to see if the pop ups are still there and if not congrats, you have successfully removed the malware manually. In summary you have to edit two php files inside your website folder and below is the file name and location:
/wp-includes/post.php
/wp-content/themes/THEMENAME/functions.php
Congratulation you have successfully removed the annoying malware and it is time to prevent further occurrence. Yes you have to harden your wordpress website using the best anti malware wordpress plugin available such as Sucuri or Wordfence. Install and configure it on your website to prevent hackers from injecting malicious codes into your website. If you have any challenge doing this feel free to contact me.
