Title: wp-feed.php Last modified: September 27, 2017 --- # wp-feed.php * Resolved [Rik0399](https://wordpress.org/support/users/rik0399/) * (@rik0399) * [8 years, 7 months ago](https://wordpress.org/support/topic/wp-feed-php/) * Hi, * I keep getting a message saying ‘../wp-includes/wp-feed.php’ is not part of the wordpress installation in which wordfence suggests its malicious? * So I delete it and then it automatically re-creates itself? * Any ideas please? Viewing 8 replies - 16 through 23 (of 23 total) [←](https://wordpress.org/support/topic/wp-feed-php/?output_format=md) [1](https://wordpress.org/support/topic/wp-feed-php/?output_format=md) 2 * [larrygold](https://wordpress.org/support/users/larrygold/) * (@larrygold) * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10063417) * Hey guys, * I’m having the same issue as you. [@entr0phy777](https://wordpress.org/support/users/entr0phy777/), I had also installed Ajax Search Pro a few days ago and it may be the cause of this issue. * Has anyone any other idea? * Best, * Larry * [bmerigan](https://wordpress.org/support/users/bmerigan/) * (@bmerigan) * [8 years, 2 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10063471) * I doubt you need “any other idea”. The issue and solution are listed in the replies to the original issue in this topic. * Look at the start of functions.php, there is likely a malicious file being “included” there. I’ve seen both class.theme-modules.php and class.plugin-modules.php * The files you should check for and delete: wp-feed.php wp-vcd.php wp-tmp.php Remove code from the start of all the functions.php files. Delete multiple copies of class.theme-modules.php or class.plugin-modules.php * You must check every folder and check every functions.php you find. - This reply was modified 8 years, 2 months ago by [bmerigan](https://wordpress.org/support/users/bmerigan/). * [Marcelo Mika](https://wordpress.org/support/users/marcelo-mika/) * (@marcelo-mika) * [8 years, 1 month ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10125856) * my apologies for being late! * Could you solve it? * If they could not, the best thing is: * 1. Check all the WordPress sites in the shared hosting. 2. Deactivate and eliminate each Plugin or theme from DOWNLOAD NULLED 3. Search all the files function.php the malicious code, and delete it, save file changes. 4 Search files : * wp-feed.php wp-vcd.php wp-tmp.php * – These can change location, before removing the code from function.php it is convenient to see what are the routes that you specify for these files. * This would have to clean the installation of each domain in the hosting. * Recommendation: before starting, make a backup of each site. * To know when the site was modified for the last time, list the folders so by modification date. * Generally, when something is modified within them, the date changes, and that gives us a clue as to where you could hide malicious code. * Saludos. - This reply was modified 8 years, 1 month ago by [Marcelo Mika](https://wordpress.org/support/users/marcelo-mika/). * [bmerigan](https://wordpress.org/support/users/bmerigan/) * (@bmerigan) * [8 years, 1 month ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10127160) * When the files are changed, the malicious code also resets the modified date back to what it was, so you can’t tell that way. * [18TommyBoy](https://wordpress.org/support/users/18tommyboy/) * (@18tommyboy) * [8 years, 1 month ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10137115) * Yes it is a Merna malware, and the password can stole too. When You want a sample, I have from net: [http://www48.zippyshare.com/v/ejhWVlpP/file.html](http://www48.zippyshare.com/v/ejhWVlpP/file.html) * But don´t ask, why Wordfence can´t it delete from site… - This reply was modified 8 years, 1 month ago by [18TommyBoy](https://wordpress.org/support/users/18tommyboy/). * [bmerigan](https://wordpress.org/support/users/bmerigan/) * (@bmerigan) * [8 years, 1 month ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10137413) * Some good info here: [https://www.rastating.com/malware-being-distributed-with-wordpress-plugins/amp/](https://www.rastating.com/malware-being-distributed-with-wordpress-plugins/amp/) * [yaram](https://wordpress.org/support/users/yaram/) * (@yaram) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10592192) * Hey guys, I’m facing the same issue on my site, Have you been able to find the root cause / script for this issue? * [bmerigan](https://wordpress.org/support/users/bmerigan/) * (@bmerigan) * [7 years, 8 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10592372) * There’s should be enough info here for you to find and remove it. Just remember accessing your webpage reinstalls it if you’ve not removed every malicious file. Viewing 8 replies - 16 through 23 (of 23 total) [←](https://wordpress.org/support/topic/wp-feed-php/?output_format=md) [1](https://wordpress.org/support/topic/wp-feed-php/?output_format=md) 2 The topic ‘wp-feed.php’ is closed to new replies. ## Tags * [hacked](https://wordpress.org/support/topic-tag/hacked/) * [problem](https://wordpress.org/support/topic-tag/problem/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 23 replies * 15 participants * Last reply from: [bmerigan](https://wordpress.org/support/users/bmerigan/) * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/wp-feed-php/page/2/#post-10592372) * Status: resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics