We would like to introduce a case of WordPress tampering in which the HTACCESS and Index.php files were instantly tampered with again, even after the malware was removed.

Tampering that resurfaces even after deleting and deleting

This malware is a backdoor that is planted in other websites on the server. Each time the site is accessed, the malware examines the file to be defaced, and as soon as the defacement is removed, it defaces the file again.

In this case, the HTACCESS and Index.php files were in a troublesome state where tampering was written again almost within seconds after the tampering was removed.

How to remove the tampering?

To fundamentally remove the tampering, we need to remove the backdoor that is causing the re-tampering described above, and then remove the tampering from the HTACCESS and Index.php files of the site in question.

However, if the backdoor cannot be found, or if the server itself has been hacked, the backdoor PHP program may not exist.

As a stopgap measure, you can use the following program to restore HTACCESS and Index.php to the same code as the legitimate files, and then make the permissions un-writable so that they cannot be tampered with again.

<?php

file_put_contents("index.php", "<?php define( 'WP_USE_THEMES', true );require __DIR__ . '/wp-blog-header.php';");
chmod("index.php", 0444);

file_put_contents(".htaccess", "
# BEGIN WordPress
# The directives (lines) from BEGIN WordPress to END WordPress are
# dynamically generated and can only be modified by WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L].
</IfModule>

# END WordPress
");

chmod(".htaccess", 0444);
?>

If the above code is saved with the php extension and installed on the server and accessed, the WordPress HTACCESS and Index.php files in the same folder will be reverted to the regular code and set to non-writable permissions. If both files are already set to non-writable permissions, please try to make both files writable in advance.

Update April 13, 2023
A program and method to recover index.php and HTACCESS more reliably is now available here.

WordPress backdoors can be detected and removed with the WordPress Doctor Malware Check plugin.

Related Posts:

  1. 5 security measures that can be taken in WordPress just by writing HTACCESS
    Here are some security measures that can be taken simply by including the settings in HTACCESS....
  2. What to do if you can no longer rewrite or delete HTACCESS due to wordpress tampering
    Here is what to do when you can no longer rewrite or delete HTACCESS due to WordPress malware infection (tampering)....
  3. What to do for your site users when WordPress is hacked, tampered with, or hijacked.
    This page explains how to respond to users (those who use the site) when there is a possibility of damage to users who visit the site, such as being redirected to another site, being sent to a sweepstakes site, or downloading malicious files due to WordPress tampering. This page explains how to respond to users (those who use the site)...
  4. WordPress HTACCESS has been tampered with and access to the admin panel is no longer possible
    Recently, a type of malware has become popular in which a WordPress site is tampered with, and although the site can be displayed without problems, the administrator screen cannot be accessed. We will explain how to deal with this case....
  5. Repair HTACCESS and Index.php, which is instantly tampered with again in WordPress.
    Due to many requests, we are releasing a program to repair HTACCESS and Index.php, which is instantly tampered with again in WordPress....
  6. How to prevent spam comment posting by robots from HTACCESS files
    Comment spam (invalid string parties or links written in comments) is a very annoying problem if you have the comment function enabled in WordPress. In this article, we will explain how to prevent spam written via robots (which automatically write comments) from HTACCESS files....