WP-VCD is one of the most common and persistent WordPress infections. It spreads through nulled themes and reinfects faster than you can clean it.
WP-VCD is a specific family of WordPress malware that has been actively spreading since 2017. It's one of the most common infections we see because it's distributed through nulled (pirated) themes and plugins downloaded from file-sharing sites.
The malware typically lives in wp-includes/wp-vcd.php and propagates by injecting malicious code into the functions.php file of every theme on your site — including inactive themes. It creates unauthorized admin users, injects SEO spam links, and deploys backdoors for remote access.
What makes WP-VCD particularly nasty is its regeneration logic: cleaning the visible infection isn't enough. The malware hooks into WordPress events so that on the next page load, it rewrites itself to all theme files and adds fresh backdoors. Complete cleanup requires finding every instance simultaneously.
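Because partial cleanup lets the infection regenerate, it helps to list every injection point in one read-only pass before touching anything. The script below is an added example, not code from this page's authors: it checks for the wp-includes/wp-vcd.php file named above and scans the functions.php of every installed theme, active or not. The marker string, the function names and the demo site are assumptions made for illustration; the marker assumes injected theme code refers to the dropper by its file name.

```python
"""Added example: list every WP-VCD injection point in one read-only pass."""
import sys
import tempfile
from pathlib import Path

DROPPER = Path("wp-includes") / "wp-vcd.php"  # path named in the article
MARKER = b"wp-vcd"  # assumption: injected theme code references the dropper by name


def scan(wp_root):
    """Return (kind, relative_path) findings: dropper first, then themes by path."""
    root = Path(wp_root)
    findings = []
    if (root / DROPPER).is_file():
        findings.append(("dropper", DROPPER.as_posix()))
    themes = root / "wp-content" / "themes"
    # Walk every theme directory, not only the active one: the article notes
    # that inactive themes are injected too and will reseed the infection.
    for fn in sorted(themes.rglob("functions.php")) if themes.is_dir() else []:
        rel = fn.relative_to(root).as_posix()
        try:
            data = fn.read_bytes()
        except OSError:
            findings.append(("unreadable", rel))  # review by hand, do not skip
            continue
        if MARKER in data.lower():
            findings.append(("theme-injection", rel))
    return findings


def build_demo_site(root):
    """Constructed sample tree: one clean theme, one inactive injected theme."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / DROPPER).write_text("<?php // constructed placeholder\n")
    for name, body in (("active-clean", "<?php // theme setup\n"),
                       ("inactive-old", "<?php // constructed marker: wp-vcd\n")):
        theme_dir = root / "wp-content" / "themes" / name
        theme_dir.mkdir(parents=True)
        (theme_dir / "functions.php").write_text(body)
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])  # path to a WordPress root
    else:
        target = build_demo_site(Path(tempfile.mkdtemp()) / "site")
    for kind, path in scan(target):
        print(f"{kind}\t{path}")
```

Pass the WordPress root as the first argument; with no argument it runs against the constructed demo site. An empty result only means this one marker was not found, so the backdoors mentioned above still need a separate review.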
WP-VCD is distributed almost exclusively through nulled themes and plugins downloaded from piracy sites. If you installed a "free" premium theme, a cracked plugin, or a GPL download from a non-official source in the last year, that's the most likely entry point.
WP-VCD injects itself into every theme's functions.php and plants multiple backdoors. If you clean only wp-vcd.php but miss the backdoors, the malware regenerates within hours. Complete removal requires cleaning all injection points at once.
Yes, strongly recommended. Nulled themes/plugins are the #1 vector for WP-VCD and many other malware families. Either purchase legitimate licenses or use free alternatives from the official WordPress.org directory. One reinfection costs more than a yearly license.
The longer malware stays, the harder recovery becomes.