We would like to introduce a case of WordPress tampering in which the .htaccess and index.php files were tampered with again within moments, even after the malware had been removed.

Tampering that resurfaces no matter how many times it is deleted

This malware is a backdoor planted in other websites on the same server. Each time a site is accessed, the backdoor checks the files it targets and, as soon as the defacement has been removed, writes it back.

In this case, the .htaccess and index.php files were in a troublesome state: the tampering was written back within seconds of being removed.

How to remove the tampering?

To remove the tampering for good, we need to remove the backdoor that is causing the re-tampering described above, and only then remove the tampering from the .htaccess and index.php files of the affected site.

However, the backdoor may not be found, and if the server itself has been compromised, there may be no backdoor PHP program to find at all.

As a stopgap measure, you can use the following program to restore .htaccess and index.php to the same code as the legitimate files and then make them read-only so that they cannot be tampered with again.

<?php
// Stopgap: overwrite index.php and .htaccess with the stock WordPress content,
// then set them to 0444 (read-only) so the backdoor cannot simply rewrite them.

// If a previous run already locked the files, make them writable again first
// (silently ignored if the files are missing or owned by another user).
@chmod("index.php", 0644);
@chmod(".htaccess", 0644);

file_put_contents("index.php", "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n");
chmod("index.php", 0444);

file_put_contents(".htaccess", "
# BEGIN WordPress
# The directives (lines) from BEGIN WordPress to END WordPress are
# dynamically generated and can only be modified by WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
");

chmod(".htaccess", 0444);
?>

If the above code is saved with a .php extension, uploaded to the server and opened in a browser, the WordPress .htaccess and index.php files in the same folder are reverted to the stock code and set to read-only permissions. If both files are already read-only, please make them writable before running it.
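As an added example that is not part of the original post, the same restore-and-lock job can be run from cron or an SSH session instead of a one-shot PHP file: keep known-good copies of index.php and .htaccess in a directory the web server user cannot write to, compare the live files against them, restore and lock any that drift, and log each restore so re-tampering is visible. The reference directory, log file and site path are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumes POSIX sh with
# cmp, cp, chmod and date. Caveat: chmod 0444 only slows a backdoor that
# runs as the same user, because it can chmod the file back; the log line
# written on each restore is the real signal that it is still active.

# write_reference GOOD_DIR: create the known-good copies (stock WordPress)
write_reference() {
    mkdir -p "$1"
    cat > "$1/index.php" <<'EOF'
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
    cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# check_and_restore SITE_DIR GOOD_DIR LOG_FILE
# Returns 0 if both files matched the reference, 1 if at least one was
# re-tampered (it is then restored and set to 0444). A missing file counts
# as tampered and is recreated.
check_and_restore() {
    site=$1; good=$2; log=$3; tampered=0
    for f in index.php .htaccess; do
        if ! cmp -s "$good/$f" "$site/$f" 2>/dev/null; then
            tampered=1
            chmod u+w "$site/$f" 2>/dev/null   # undo the lock from an earlier run
            cp "$good/$f" "$site/$f"
            chmod 0444 "$site/$f"
            printf '%s re-tampered: %s restored\n' \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" >> "$log"
        fi
    done
    return $tampered
}
```

Run `write_reference /srv/wp-reference` once as root, then schedule `check_and_restore /var/www/html /srv/wp-reference /var/log/wp-restore.log` every minute; a growing log means the backdoor is still on the server.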

Update April 13, 2023
A program and method to recover index.php and .htaccess more reliably is now available here.

WordPress backdoors can be detected and removed with the WordPress Doctor Malware Check plugin.