How to protect your website from the latest WordPress malware threat

An old threat has a new look. We first wrote about a WordPress malware threat called WP-VCD in November 2019. Six months later, it’s back in a new, relevant form — disguising itself as several plugins related to the coronavirus. Here’s more information on the new threat and how to protect your website.

What is WP-VCD?

Just as before, WP-VCD is a piece of malware that is injected into “nulled” plugins. A “nulled” plugin is a plugin usually available for purchase offered elsewhere for free. If this sounds too good to be true, that’s because it is. On many of these websites, purportedly free plugins are injected with malware to display ads on your website.

Once WP-VCD is installed on your website, it installs a backdoor to your site so hackers can manipulate it. It then infects all of your themes so you can’t disable it by switching to a different one. Once it’s up and running, it creates backlinks to these “nulled” plugin download sites, which gives those malicious sites better search engine rankings. For more information on how this malware works, make sure to read our previous article about WP-VCD from last year.

Is WP-VCD easy to avoid?

The method for installing WP-VCD on your website hasn’t changed. Hackers aren’t trying to hack your website to install this malware; they only access it once you have installed it yourself. It only spreads to websites that have had an administrator manually install an infected plugin unknowingly.

Thankfully, that means WP-VCD is very easy to avoid. Only download plugins through the WordPress built-in plugin library and from trusted third-party sites and you’ll be fine. If you want a premium plugin that costs money, it’s worth it to buy it from its source. If you find a website offering paid themes or plugins for free, there’s a chance these are infected with malware.