Recently, a type of malware has become popular in which a WordPress site is tampered with, and although the site can be displayed without problems, the administrator screen cannot be accessed.
We will explain how to deal with this case.
Large amount of tampered HTACCESS installed on WordPress site
When infected with this type of malware (tampering), the following HTACCESS files are placed in numerous folders
<FilesMatch ". (py|exe|php)$"> Order allow,deny Deny from all </FilesMatch> <FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php)$"> Order allow,deny Allow from all </FilesMatch>
This HTACCESS file denies access to files with the PHP extension. This will render many functions of the administration page unusable.
For example, all pages with URLs ending in .php, such as the plugin list, edit posts, create new posts, etc., will be inaccessible.
Also, in the about.php|radio.php|index.php|content.php|lock360.php section, only PHP files with this name will be accessible.
This file is the body of the malware or the file containing the malware, and many of these files contain backdoors that allow the malware to be restored or further tampered with if the malware is removed.
How do I get rid of malware?
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
You can detect and remove maliciously modified HTACCESS files at
HTACCESS files in the folder where wp-config.php is located or the folder above it will have only the tampered parts removed, while HTACCESS files in other folders are likely to have been installed illegally, so if they are detected by the malware detection plugin will be deleted.
What if I cannot access the administration page?
If you are unable to access the administration screen, you may be able to access the site and the administration screen by adding the following to the HTACCESS file in the folder where wp-config.php is located or the folder above it You can also access the administration panel.
order deny,allow
deny from all
allow from your IP address
You can find your IP address here.
Please note that the above will block all access to the site except your IP address, so all users except your PC will not be able to access the site.
After you have provided us with the above information, we will manually remove any malware from the index.php file in the top directory of WordPress, access the administration screen, and after removing the malware, revert the HTACCESS file to one that contains the necessary settings for WordPress again.