How to Detect Wp-feed.php and Wp-tmp.php in WordPress and Remove Malicious Ads

What makes WordPress sites vulnerable to hacks?

Let’s briefly explain why WordPress sites, in general, are often vulnerable to hackers and their attacks. 

Broadly speaking, WordPress has long been the forerunner for CMS and blogging platforms, and its age (and therefore outdated features) can make it more vulnerable to cybercriminals.

Its wide popularity means that both novice users and experts use the platform, and not all WP site owners may remember to install security patches or up-to-date versions of security plugins. New security patches for WordPress and its plugins are released regularly, so it’s not uncommon for site owners to forget to grab their updates. Hackers frequently exploit outdated patches and plugins to access WordPress sites without any credentials.

Why do hackers use wp-feed & wp-tmp so often?

Wp-tmp.php and Wp-feed.php malware attacks are clever tools for hackers to target visitors on a WP site. More often than not, WordPress website owners are doing their best to earn an income from the ads they host on their home page. Hackers can undermine this goal, however, by hijacking a site’s normal ads and replacing them with malicious links to spam sites and adult content.

Wp-feed.php and wp-tmp.php files can also target WordPress sites with freemium plugins. Site owners typically opt to use free themes and plugins instead of paid ones. Once WordPress website owners download these “nulled” WordPress themes and plugins, hackers attain backdoor access to a site and distribute wp-tmp.php and wp-feed.php.

Before you start looking for and removing wp-feed.php and wp-tmp.php files from your site, first consider your site’s security from the ground up. Both new as well as experienced WordPress site owners can benefit from web developers that know how to secure WordPress sites; hiring a freelance developer tends to be cheaper than going through an agency, and you can expect to pay at least $60 an hour for a skilled developer.

The majority of nulled plugins focus on undermining a site’s ad content, and some even masquerade as reputable plugins available from WordPress’s official plugin repository. Take, for instance, the fake X-WP-SPAM-SHIELD-PRO plugin, which claimed to offer security but instead disabled a site owner’s legitimate plugins. Fake freemium plugins, as you well know, still affect WordPress sites by exploiting backdoor vulnerabilities.

Find and permanently remove wp-feed & wp-tmp files

Hackers make it tough for website owners to detect wp-feed.php and wp-tmp.php files. Once they store their malware in your site’s folder to display unwanted content, hackers can mask malicious ads from repeat visitors to prevent you from noticing them. As a regular visitor on your website, there’s a slim chance that you’ll notice any hacking symptoms.

What you can notice, though, are recently modified files on your site. WordPress site owners can use Linux’s find command to look for recently altered files based on timestamps. Decide how far back you want your search to go and run “$ find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r” in your terminal. To check for modified directory files, type “$ find /etc -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r”. In general, you should run a legitimate security plugin that scans for malicious scripts running via your site’s backend code.

In your WordPress core directories (the main root folder, wp-admin, or wp-includes directories), you can take a look if there are any wp-feed.php or wp-tmp.php files. Once you’ve identified your modified files, you can start cleaning up suspicious code by simply removing those pesky wp-feed.php and wp-tmp.php files. You don’t even need to inspect the code for this! Then, to cross-check the code of all other PHP files, making sure it doesn’t include these malicious files anywhere else, just search using the “wp-feed.php” and “wp-tmp.php” strings. 

While you’re taking inventory of your infected files, be sure to check your site’s security status while you’re on Google’s Safe Browsing. Google provides webmasters with site safety and testing details that reveal information about hidden content.

The process of cleaning compromised database tables works similarly to the one you follow to clean your files: once you backup your tables, search through them for dubious keywords (like “wp-feed.php”) and manually delete malicious content that you find. Confirm that your site is still live after you make your backups and changes. You may need to get rid of database access tools if you uploaded them during your manual removal process.

On the whole, creating a plan for future malware and infection prevention is hands-down easier with a security plugin. These plugins can monitor your site and alert you of potential nulled software and themes present in your WordPress Core. It’s worth going the extra mile, though, and hardening your site’s security with extra measures. 

As an additional measure, users can check that their themes or plugins are from trusted sources (downloaded from official sites) and only modified by trusted web developers.

A popular security hardening technique is to simply change the file permissions of your WordPress folder and hide your data from prying eyes. Other options include using a web application firewall that can search for and block any malicious traffic aimed at your site.