If you get a 403Forbidden error on the bottom page of your WordPress site or on the admin page, you may be infected with malware

Suddenly your WordPress site gets a 403Forbidden error

A 403 error can mean that the server is forbidding access to the site.
While this is often caused by an error in the HTACCESS description or a permissions issue, it can also be caused by a malware infection.

*The HTACCESS file is a file that writes various server settings in the top directory of WordPress

Malware may alter and rewrite the HTACCESS file to prohibit access to the WordPress administration screen and certain pages within the administration screen, making it impossible to detect and remove the malware.

Malware may randomly install the above malicious HTACCESS files in the server, resulting in a 403 error for the entire WordPress site, including the lower-level pages and folders.

Examples of HTACCESS file tampering

As an example of a tampered HTACCESS file, the following tampering code may be embedded in the file.

<FilesMatch ".*\.(py|exe|phtml|php|PHP|~ A list of multiple extensions~.|phP8|PhP8|suspected)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|wp-login.php|~ A list of multiple file names~|wp-crom.php|wp-confiq.php)$">
Order Allow,Deny
Allow from all
</FilesMatch>

FilesMatch “.*\. (py|exe|phtml|ph ~ Deny from all
means that files with extensions such as py, exe, phtml, php, etc. should not be accessible.
This description is causing 403 errors.

FilesMatch “^(index.php|wp-login.php|wp- ~ Allow from all
This line means that the malware only allows access to files that are convenient for hackers (backdoors, etc.).

Such tampering may be of low quality code and can be generated in the server at random.

This may result in a 403 error for the entire site on the server or a blank screen, making it impossible to display the site itself.

How to deal with unauthorized tampering HTACCESS files

If such a tampered HTACCESS file has been installed on the server, it is necessary to delete the HTACCESS file itself if it is in an unnecessary place, and if the malicious code is included in a legitimately installed HTACCESS by WordPress, it is necessary to remove only the malicious code part. If the malicious code is included in the HTACCESS file, it is necessary to remove only the malicious code part.

Generally, WordPress installs only one HTACCESS file in the top directory of WordPress. However, plug-ins and themes may be installed in the upload folder or in the plug-ins’ or themes’ folders.

HTACCESS files can also be randomly placed in deeper folders by malware, making it difficult to find them all.

In such cases, we recommend that you use a malware scanning plug-in to perform a comprehensive scan.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

However, since HTACCESS tampering is caused by a wide variety of code patterns, it may not be possible to detect all of them even if you use the above plug-ins.

Please consider consulting a specialist if you are unable to completely remove the tampering or if there is a possibility that the tampering is still present.