How to Detect Wp-feed.php and Wp-tmp.php in WordPress and Remove Malicious Ads

As a WordPress website owner, the last thing you need is malicious content on your home page. Yet spam ads regularly plague WordPress sites with attacks that exploit its vulnerabilities, allowing harmful wp-feed.php and wp-tmp.php files past.

Wp-tmp.php and wp-feed.php malware can be difficult to detect no matter how vigilant you are. That’s because these malicious files often disguise themselves as freemium, downloadable plugins or themes that exploit your site’s WordPress vulnerabilities. And the worst part? Actually getting rid of wp-feed.php malware.

Don’t ignore dubious “your site has been hacked” warnings even if your site seems fine at a glance. It’s important to know how to both detect wp-feed.php and wp-tmp.php files on your site and how to get rid of them for good. Read on to understand what wp-feed.php and wp-tmp.php files are and how you can permanently remove them from your WP site.

What makes WordPress sites vulnerable to hacks?

Let’s briefly explain why WordPress sites, in general, are often vulnerable to hackers and their attacks. 

Broadly speaking, WordPress has long been the forerunner for CMS and blogging platforms, and its age (and therefore outdated features) can make it more vulnerable to cybercriminals.

Its wide popularity means that both novice users and experts use the platform, and not all WP site owners may remember to install security patches or up-to-date versions of security plugins. New security patches for WordPress and its plugins are released regularly, so it’s not uncommon for site owners to forget to grab their updates. Hackers frequently exploit outdated patches and plugins to access WordPress sites without any credentials.


Why do hackers use wp-feed & wp-tmp so often?

Wp-tmp.php and Wp-feed.php malware attacks are clever tools for hackers to target visitors on a WP site. More often than not, WordPress website owners are doing their best to earn an income from the ads they host on their home page. Hackers can undermine this goal, however, by hijacking a site’s normal ads and replacing them with malicious links to spam sites and adult content.

Wp-feed.php and wp-tmp.php files can also target WordPress sites with freemium plugins. Site owners typically opt to use free themes and plugins instead of paid ones. Once WordPress website owners download these “nulled” WordPress themes and plugins, hackers attain backdoor access to a site and distribute wp-tmp.php and wp-feed.php.

Before you start looking for and removing wp-feed.php and wp-tmp.php files from your site, first consider your site’s security from the ground up. Both new as well as experienced WordPress site owners can benefit from web developers that know how to secure WordPress sites; hiring a freelance developer tends to be cheaper than going through an agency, and you can expect to pay at least $60 an hour for a skilled developer.

The majority of nulled plugins focus on undermining a site’s ad content, and some even masquerade as reputable plugins available from WordPress’s official plugin repository. Take, for instance, the fake X-WP-SPAM-SHIELD-PRO plugin, which claimed to offer security but instead disabled a site owner’s legitimate plugins. Fake freemium plugins, as you well know, still affect WordPress sites by exploiting backdoor vulnerabilities.

Find and permanently remove wp-feed & wp-tmp files

Hackers make it tough for website owners to detect wp-feed.php and wp-tmp.php files. Once they store their malware in your site’s folder to display unwanted content, hackers can mask malicious ads from repeat visitors to prevent you from noticing them. As a regular visitor on your website, there’s a slim chance that you’ll notice any hacking symptoms.

What you can notice, though, are recently modified files on your site. WordPress site owners can use Linux’s find command to look for recently altered files based on timestamps. Decide how far back you want your search to go and run “$ find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r” in your terminal. To check for modified directory files, type “$ find /etc -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r”. In general, you should run a legitimate security plugin that scans for malicious scripts running via your site’s backend code.

In your WordPress core directories (the main root folder, wp-admin, or wp-includes directories), you can take a look if there are any wp-feed.php or wp-tmp.php files. Once you’ve identified your modified files, you can start cleaning up suspicious code by simply removing those pesky wp-feed.php and wp-tmp.php files. You don’t even need to inspect the code for this! Then, to cross-check the code of all other PHP files, making sure it doesn’t include these malicious files anywhere else, just search using the “wp-feed.php” and “wp-tmp.php” strings. 

While you’re taking inventory of your infected files, be sure to check your site’s security status while you’re on Google’s Safe Browsing. Google provides webmasters with site safety and testing details that reveal information about hidden content.

The process of cleaning compromised database tables works similarly to the one you follow to clean your files: once you backup your tables, search through them for dubious keywords (like “wp-feed.php”) and manually delete malicious content that you find. Confirm that your site is still live after you make your backups and changes. You may need to get rid of database access tools if you uploaded them during your manual removal process.

On the whole, creating a plan for future malware and infection prevention is hands-down easier with a security plugin. These plugins can monitor your site and alert you of potential nulled software and themes present in your WordPress Core. It’s worth going the extra mile, though, and hardening your site’s security with extra measures. 

As an additional measure, users can check that their themes or plugins are from trusted sources (downloaded from official sites) and only modified by trusted web developers.

A popular security hardening technique is to simply change the file permissions of your WordPress folder and hide your data from prying eyes. Other options include using a web application firewall that can search for and block any malicious traffic aimed at your site.


It’s impossible to guard against every attack on your site, but there are plenty of things you can do to protect yourself and your data. Stay away from nulled and freemium plugins that can compromise your site’s integrity once you download them. If you know your folders and database tables have been infected, it’s time to use manual removal techniques and backups to mitigate potential security risks.

Wp-tmp.php and wp-feed.php malware can easily be masked alongside legitimate files in your WordPress folders and remain hidden from you. Detect and eliminate malware with a legitimate security plugin that can monitor for and quarantine potentially harmful content.

No comment yet, add your voice below!

Add a Comment

Your email address will not be published. Required fields are marked *


  • Yes, please, I agree to receiving my personal Plesk Newsletter! WebPros International GmbH and other WebPros group companies may store and process the data I provide for the purpose of delivering the newsletter according to the WebPros Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Related Posts

Knowledge Base

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.