The wp-vcd malware is a piece of PHP code that adds hidden admin users and injects malicious URLs in your websites content. More than 20,000 WordPress websites run premium themes infected with the malware. There are two ways to clean your website of a malware infection: (1) By using a WordPress malware cleaner and security plugin and (2) Manually. But, usually, manual removal of malware is not recommended as it is very tricky. The first step before any malware removal is to take backups of all the files in your. website.”]
Source: https://gbhackers.com/how-to-prevent-wp-vcd-malware-attacks-on-your-website/