File appears to be malicious: wp-content/themes/twentyseventeen-Child/functions.php

Hello Guys,

My adds are getting rejected by google, I installed word fence and scanned my website. I found 8 action needed places. Just wondering what should I do, is it okay if I delete those files?

File appears to be malicious: wp-content/themes/twentyseventeen-Child/functions.php
Type: File
Issue Found April 18, 2018 2:56 pm
Filename: wp-content/themes/twentyseventeen-Child/functions.php
File Type: Not a core, theme, or plugin file from
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: $div_code_name=“wp_vcd”;. The infection type is: Backdoor used for backlink injection and other malicious activity…

This alone isn’t “malicious.” Where did you get the twentyseventeen-Child theme from? Did you make it yourself or did you download it somewhere? Could you share the code?

I’ve seen this before and don’t think it is the theme itself that is the problem.

A client of mine had installed a plugin from one of those dodgy sites giving away (or selling at reduced rate) premium plugins.

Once activated, the plugin wrote malicious code to the top of every theme in the WP install. Not just the active theme but every theme, so simply switching themes will not get rid of it.

As far as I could tell, the code was designed to pull in external content to be displayed on the site at some point in the future.

To fix it, you need to do the following

  1. Remove approx 200 lines of code from the beginning of every installed theme.

  2. locate and remove ‘wp-tmp.php’ and ‘wp-vcd.php’ from the WordPress root.

  3. find and remove any instances of an include to ‘wp-vcd.php’ - could be added somewhere like ‘/wp-includes/post.php’

  4. Don’t install nulled premium plugins etc. and always get premium plugins from the original plugin authors to avoid this or similar happening again, and more importantly to support the original plugin author(s).