If you recently came across a great deal somewhere on the internet and installed a free premium WordPress theme on your website, you might have been a part of one of the largest WordPress malware schemes to this day.

WordPress malware resources are fast becoming more popular. Since WordPress is slowly becoming a predominant platform for creating websites it comes as no surprise that these websites are often targeted by hackers and like-minded hi-tech criminals.

The platform operates 34% of all the Internet resources around the world and supports over 54,000 plugins (stats taken from the WordPress website). Obviously, if you are a hacker – this sounds quite tempting.

Lucky for us, as the number and ingenuity of the WordPress malware engineers rises, the number and quality of the WordPress experts and admins quickly follows.

However, there is a new mode of operation on the market which is applied by hackers with the intention to abuse exactly that – the rising quality and number of WordPress users.

How do hackers exploit the quality, number, and habits of WordPress users? 

First of all, a highly developed scheme produced by a group of hackers whose identities are still unknown uses the website administrators’ best intentions and habits to spread the malware known as WP-VCD.

 The plan is pretty simple, and therefore almost brilliant: the hackers have created a number of websites that offer premium WordPress themes for free.

Some of these websites include (do not open any of them!):












These themes are injected with a sophisticated malware, which is quite manipulatively wrapped up in a package that says “Free Premium WordPress Theme” on it. Website admins, of course, consider this a great deal, especially since SEO for the websites with infected themes was done in a super successful way, so they always appear above-the-fold in search result pages. We’ll talk more about how the SEO is done for these websites a little further below.

Now, here is exactly what happens once the WordPress malware with the infected theme reaches your website:

As soon as the infected plugin is installed, the malware simply spreads to all other plugins on the website. That way, even if the originally infected theme is uninstalled and completely removed from the website, the hackers will still have control over the website.

A backdoor account (usually named 100010010) is added to a site, leaving the hackers with access to the installation – as a registered user.

Another great danger that WP-VCD WordPress malware inflicts on unsuspecting webmasters is spreading throughout your servers in the hosting environment. If you have shared hosting, the malware would simply spread to all the servers in the environment, and do its thing from there.

What do the WP-VCD hackers earn with this WordPress malware?

These hackers know what they are doing and how to do it fast. Their earnings are pretty simple and straightforward, but of great use to them:

1. By accessing your site, the hackers use the infected plugin to insert related keywords and backlinks to their websites (listed above). This technique helps to significantly increase their positions in the search engine results which, in turn, generates more traffic volume for them and enables more and more premium WordPress themes downloads. For free, of course. This is what makes this WordPress scheme so genius – the WP-VCD uses legitimate SEO methods to boost traffic volumes and positions for their websites.

2. The other part of the earnings is the money they collect by injecting ads on the hacked websites. From there, it is pretty much an open avenue for the hacker of how they want to use the ads; whether by redirecting the users to a site of their choice, opening malware popups, showing the ads they are being paid for, etc.

Who are the WP-VCD gang?

As already mentioned in this text, we don’t quite know yet.

The group operates in such a way that their identities are very difficult to determine. The only leak so far has lead to a man named Sharif Mamdouh, according to Wordfence.

There is reasonable doubt on whether this is a stolen identity, or perhaps, the rare case of a real perpetrator being identified.

Some claims of the WP-VCD websites being connected to Joomla websites hacking have surfaced; however, this is still unclear and not considered reliable enough.

How to protect your website from this WordPress malware?

The only answer, for now, is the simplest one – do not download free premium WordPress themes. As tempting as it might be, there is an almost 100% chance these themes are infected with either WP-VCD or some other malware.

We listed some of the websites to stay away from earlier in this post, but this is in no way the final count.

WordPress admins with experience will tell you – if you’d like to have premium features it is best to purchase the plugin and only use well-known and trusted websites, such as ThemeForestDivi Plugins, or CodeCanyon.

 Useful link:  

You can download the Full report on the WP-VCD malware on the Wordfence website here: WP-VCD: The Malware You Installed On Your Own Site.