This section describes how to deal with a 500 Internal Server Error on the “Edit Post” screen or “Add Plugin” screen of the administration screen due to htaccess being edited without permission in WordPress.
Tampering with htaccess
If you are unable to log in to the WordPress admin screen, or if the post edit screen or add plugin screen gives you a 500Internal Server Error (or blank, or even a 403 error), HTACCESS has been tampered with and access to files with the .php extension Access to files with a .php extension may be blocked.
Example of a tampered HTACCESS
<FilesMatch ".*\.(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|PHP5|Php5|PHp5|pHp5|pHP5|phP5|PhP5|php7|PHP7|Php7|PHp7|pHp7|pHP7|phP7|PhP7|php8|PHP8|Php8|PHp8|pHp8|pHP8|phP8|PhP8|suspected)$"> Order Allow,Deny Deny from all </FilesMatch>
This description of the configuration due to tampering prohibits access to files with any PHP-related extensions.
If the HTACCESS file in the top directory of WordPress has the above description, it is highly likely that the site has been hacked and tampered with.
How to deal with HTACCESS tampering
The above description of blocking access to the PHP extension has been added by hackers to prevent WordPress operators from removing malware using malware scanning plug-ins, etc., so there is no problem if you delete it.
Access the WordPress server with FTP software, download the HTACCESS file in the top directory, remove the tampering, and upload it back to the original server.
Once you are able to access the administration screen, install the malware scanning disinfection plugin and perform other malware scanning disinfection.
If the tampering reverts immediately or cannot be uploaded
If HTACCESS tampering reverts back to its original state immediately, or if the file cannot be overwritten by uploading even after rewriting file permissions, there may be malware resident in the server process (memory) to re-tamper with the file.
In this case, you will need to stop the process with a special program.
Reference
Repair HTACCESS and Index.php, which are instantly tampered with again in WordPress.
However, if you have been infected with memory-resident malware, there is often a combination of malware disinfection measures on the part of various hackers.
Malware that automatically executes the program itself residing in memory is infecting index.php.
There is another tampered HTACCESS in the upper hierarchy.
The write permission of the folder on the upper hierarchy is also being made continuously un-writable by other processes.
Resident in a process of another domain on the same server.
etc.
In these cases, the aforementioned programs may not be able to compete. We recommend that you contact a WordPress malware removal specialist.
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.
