How to protect your WordPress site from a new malware threat

We’ve written about WordPress security quite a bit, but there’s a new threat gaining a lot of traction. While it’s easy to avoid, Wordfence reports a higher rate of new infections from this malware operation than from any other WordPress malware since August 2019. What is WP-VCD and how can you protect your site against it?

WP-VCD, a major malware operation: What is it?

WP-VCD has existed since at least February 2017. However, as we mentioned above, it has picked up significant steam recently, infecting WordPress sites faster than any other malware operation for the past 3 months or so. Wordfence has seen the WP-VCD malware change since first detecting it, but a few traits have stayed the same. First, WP-VCD spreads via “nulled” plugins and themes distributed by a network of related sites. A “nulled” plugin or theme is a pirated commercial plugin or theme (commercial meaning it is sold for money instead of distributed freely). A variety of websites offer “free” downloads of popular commercial plugins and themes, but these sites offer hacked versions of the software that include WP-VCD.

What do hacked WP-VCD themes and plugins do if you install one on your site?

As we’ve mentioned before, one of the keys to good SEO results is “backlinking,” which means that other websites point to your website. WP-VCD takes advantage of this SEO technique and manipulates the SEO data of the sites it infects to point to these free download sites. Therefore, these websites have phenomenal SEO because so many sites backlink to them, meaning that these boobytrapped free download sites tend to appear very high in search results.

If you install a hacked theme or plugin on your website, WP-VCD takes over your site within seconds. First, a backdoor user account is added to the site, ensuring that the hackers can log into your site. Then, the WP-VCD code is installed in all your themes, in case you decide to switch to another one. If you host multiple websites on one hosting package, the malware then spreads to all other sites on the system.

WP-VCD also inserts ads on hacked websites. Obviously, the end goal of most hacking operations is to make money, so the ultimate point of hacking a network of websites and pointing them to a website where more people will download boobytrapped software is to maximize the exposure (and thus, profit) of these advertisements.
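A defender's check for the two changes described above, an unexpected administrator account and code appearing in every theme, as an added example that is not from the original article or from Wordfence. It assumes you recorded a hash baseline from trusted theme copies and keep a list of expected administrators; the theme names, logins and helper names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_theme_php(site_root):
    """Map 'theme/relative/path.php' -> SHA-256 for every PHP file under wp-content/themes."""
    themes = Path(site_root) / "wp-content" / "themes"
    return {p.relative_to(themes).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(themes.rglob("*.php"))}

def theme_drift(baseline, current):
    """Return (added, changed) PHP files relative to a baseline taken from trusted copies."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(f for f in current if f in baseline and current[f] != baseline[f])
    return added, changed

def themes_touched(added, changed):
    """Theme directories containing drift; every theme at once is a strong warning sign."""
    return sorted({f.split("/", 1)[0] for f in added + changed})

def unexpected_admins(admin_logins, expected):
    """Administrator logins that are not on the expected list.
    In practice admin_logins can come from:
    wp user list --role=administrator --field=user_login"""
    return sorted(set(admin_logins) - set(expected))

def demo():
    """Constructed sample site: two themes, both altered after the baseline was taken."""
    with tempfile.TemporaryDirectory() as root:
        themes = Path(root, "wp-content", "themes")
        for name in ("alpha", "beta"):
            (themes / name).mkdir(parents=True)
            (themes / name / "functions.php").write_text("<?php // trusted copy\n")
        baseline = hash_theme_php(root)
        for name in ("alpha", "beta"):  # simulate the same change landing in every theme
            with (themes / name / "functions.php").open("a") as fh:
                fh.write("// constructed harmless marker\n")
        (themes / "beta" / "extra.php").write_text("<?php // file absent from baseline\n")
        added, changed = theme_drift(baseline, hash_theme_php(root))
    admins = unexpected_admins(["site_owner", "second_admin", "unknown_user"],
                               ["site_owner", "second_admin"])  # constructed logins
    return added, changed, themes_touched(added, changed), admins

if __name__ == "__main__":
    print(demo())
```

On a shared hosting account, run the same comparison for every site root, since the article notes the malware spreads to the other sites on the system.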

How can WP-VCD be avoided?

Needless to say, this hacking operation is pretty complex and you don’t want to end up with this malware on your site. Thankfully, however, it is very easy to avoid. WP-VCD doesn’t try to discover a weakness in WordPress software to exploit; it simply gets installed on a site because a gullible user installed it. If you see a website offering free commercial WordPress themes, it is likely too good to be true. As the old saying goes, you get what you pay for. In this instance, avoiding paying for a commercial theme gets you a huge mess on your hands.

If you find that your website has been hacked, reach out to us and we’ll be glad to help. Thankfully, though, you’ll never end up having to worry about WP-VCD infecting your site as long as you obtain your themes and plugins from legitimate sources.