New Malware Strikes Biggest WordPress Vulnerability

If you have your own WordPress website (which you should), then you really need to read about a new type of dangerous and clever malware that’s currently in the wild.

I really like WordPress. It’s free, open-source, and very flexible. It is able to make almost any kind of site, from a simple blog to an eCommerce site. However, it does require regular care and feeding, and if you don’t know what you’re doing, you can get into some trouble.

That’s apparently what has happened to a lot of sites that have been infected with malware known as WP-VCD. This malware is spread by the weakest link in many websites and organizations – a careless site administrator.

Self-Inflicted Vulnerability

WP-VCD is primarily spread by infected plugins and themes that are installed on the site by a legitimate administrator. The acronym PEBKAC is short for “Problem Exists Between Keyboard And Chair”.

These infected plugins and themes are free “cracked” versions of paid plugins that are hosted on a large number of sites. Although the files are hosted on a large number of sites, the downloads all point to the same few cracked files, meaning there is a large network in the background spreading these files to different file servers across the internet.

As soon as you install an infected theme or plugin, WP-VCD goes to work on your site by inserting unwanted (and dangerous) ads on various pages in your site as well as adding links to pages that can direct even more traffic to download the infected files. This black hat SEO functionality is how sites hosting WP-VCD-infected files rank so highly in Google.

Your New (Sometimes) Zombie Site

It’s not just a static, one-time infection, though. The links that are inserted into your site can be controlled remotely by the attacker, so if they need to lay low, they can hide from both a site administrator and Google. If they need more ad revenue (or they want to spread a new malware file), they can turn up the links on the hundreds of infected sites to increase their Google search presence. Indeed, this malware can remotely control most aspects of your site at the whim of whoever controls it.

In addition to injecting these malicious links, ads, and files into your website, the malware also gives the attacker a persistent backdoor into your website that can be difficult to completely shut, even once you remove the infected plugin.

Lots more information on this threat can be found in an excellent 20+ page report by WordFence.

The Solution?

Needless to say, this is why it’s important to make sure you take your site’s security seriously.

While these attacks may seem a minor inconvenience at first, if your website is hosting malware, not only will it be removed from Google search results, it may also be deleted by your hosting provider. Finally, sites that link to malware can be blacklisted by Google, so even if you clean off your site, your domain name ( may be filtered out of Google’s results for months or years. If you depend on people finding your site for business, this is obviously not a good thing!

If you’re looking for help managing (or creating) a website, contact me and I’ll be happy to help you out. I’m currently managing websites for a wide variety of individual and business clients, and I would be happy to make your space on the web safe and secure!