How to clean a WordPress web site infected with the wp-tmp.php virus

We came across this nasty, self-replicating virus last week that managed to insert its code into one of our customer's sites. There were no obvious signs until the customer tried setting up some Google Ads and Google's system flagged the site as being infected.

We dug around and used the Securi web site virus checking tool to help identify the issue. This showed up some of the malicious URLs that the site was being pointed to but couldn't show us exactly where in the site's code the virus was planted.

The virus is also known as WP-VCD Malware and once planted, gives hackers complete control over your site. Often it is used to redirect traffic to other sites and send spam e-mails.

Here is how we cleared the virus from the infected site:

1. Deleted all theme folders in wp-content/themes which were not being used by the site, leaving just the one folder for the site's theme
2. In that folder e.g. wp-content/themes/twentytwenty - we checked the 'functions.php' and removed the malicious code
3. In the 'wp-includes' folder deleted 'wp-tmp.php' and 'wp-feed.php'
4. Logged into WordPress and performed a full update of WordPress, all plugins and themes
5. Installed a virus scanner and firewall (we used the free version of WordFence)
6. Changed the cPanel password to the account
7. Changed the WordPress password for all users

Please note that if you have more than one instance of WordPress installed on the same hosting account then it is likely that these additional sites are also infected, too.

This is a nasty virus but hopefully this guide will help. If you're still having problems though, please get in touch.