threatover Patrik Grobshäuser

// WP-VCD · WORDPRESS · REMOVED

wp-vcd malware removal.

The wp-vcd family copies itself into every theme on the install, which is why it keeps coming back after you delete it. I clean every theme, every functions.php, and the loader that re-installs it. Flat $279.

§ 01 — MECHANISM

It comes in with a nulled plugin and stays for months.

wp-vcd is a long-running WordPress malware family. It almost always arrives bundled with a pirated theme or plugin downloaded from a free-download site. Once on the server it copies itself into every theme on the install and modifies every functions.php to load it on every page request.

Deleting one copy is useless — the others restore it on the next page load. Cleaning it properly means finding every copy at once, removing them together, and breaking the loader that re-installs them.

// grep — wp-vcd loader signatures
grep -rn 'wp-vcd\|class.plugin.php\|tmpcontentx' \
    wp-content/themes/

# Loader is usually a base64-encoded blob at the top
# of functions.php in every theme on the install.
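
The "find every copy at once" step described above, as an added read-only inventory script (not the author's own tooling): it lists each theme with the number of dropped files and the first functions.php line matching the signatures from the grep above. The function names, the output format and the constructed fixture tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only inventory of wp-vcd indicators, one line per theme.
# Signature strings and file names are the ones quoted on this page.
SIG='wp-vcd|class\.plugin\.php|tmpcontentx'

# scan_themes DIR: prints "<theme> TAB <CLEAN|SUSPECT> TAB files=N TAB loader_line=L"
scan_themes() {
    for theme in "$1"/*; do
        [ -d "$theme" ] || continue
        # Dropped files anywhere inside this theme directory.
        files=$(find "$theme" -type f \( -name 'wp-vcd.php' -o -name 'class.plugin.php' \) | wc -l | tr -d ' ')
        # First line of functions.php matching a loader signature ("-" if none).
        line=-
        if [ -f "$theme/functions.php" ]; then
            line=$(grep -Ean "$SIG" "$theme/functions.php" | head -n 1 | cut -d: -f1) || true
            [ -n "$line" ] || line=-
        fi
        status=CLEAN
        if [ "$files" -gt 0 ] || [ "$line" != "-" ]; then status=SUSPECT; fi
        printf '%s\t%s\tfiles=%s\tloader_line=%s\n' "$(basename "$theme")" "$status" "$files" "$line"
    done
}

# count_suspect DIR: number of themes with at least one indicator.
count_suspect() {
    scan_themes "$1" | awk -F'\t' '$2 == "SUSPECT" { n++ } END { print n + 0 }'
}

# make_fixture: builds a constructed (harmless) themes tree and prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alpha" "$d/beta" "$d/gamma/inc"
    printf '<?php\n// clean theme\n' > "$d/alpha/functions.php"
    printf '<?php /* constructed marker */ include "class.plugin.php";\n// theme code\n' > "$d/beta/functions.php"
    : > "$d/beta/class.plugin.php"
    printf '<?php\n// clean theme\n' > "$d/gamma/functions.php"
    : > "$d/gamma/inc/wp-vcd.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh wp-content/themes   (no argument: scan the constructed fixture)
if [ $# -gt 0 ]; then
    scan_themes "$1"
else
    fx=$(make_fixture); scan_themes "$fx"; rm -rf "$fx"
fi
```

A theme reported CLEAN here has only passed a string match; its functions.php still needs comparing against the vendor original, since a loader may contain none of these strings.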

§ 02 — WHAT WE REMOVE

Every copy, every theme.

  • [ TRIAGE ]

    Every theme on the install is listed. Each functions.php is compared against the original from the theme vendor.

  • [ FILES ]

    wp-vcd.php and class.plugin.php removed from every theme directory at once so they can’t restore each other.

  • [ FUNCTIONS.PHP ]

    The injected loader at the top of each theme’s functions.php is removed; the rest of the file is preserved.

  • [ BACKDOORS ]

    wp_user accounts created by the malware deleted. Hidden admin users — a wp-vcd signature — purged.

  • [ HARDENING ]

    Themes installed from unknown sources flagged. I recommend replacements where the original is unobtainable.

  • [ REPORT ]

    Plain-English forensic write-up, source of the infection identified, what to remove before I sign off.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.