We are seeing an increasing number of cases where an attacker has planted a large number of malicious .htaccess files across a WordPress site, making it impossible to log in to the administration screen. This article walks through one such case.
Case: .htaccess tampered with and mass-copied so that the administration screen can no longer be reached
The .htaccess file is an Apache web-server configuration file located in the top-level WordPress folder; WordPress uses it to control permalinks (the URL structure) through rewrite rules, and any directive in it applies to every request for a file in that folder or below it.
Recently we have seen more and more cases where .htaccess has been tampered with as shown below, and the tampered file has been copied into many folders of the WordPress install, so that the administration screen can no longer be accessed.
<FilesMatch "\.(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php|wp-l0gin.php|wp-theme.php|wp-scripts.php|wp-editor.php)$">
Order allow,deny
Allow from all
</FilesMatch>
If you find an .htaccess file like the above anywhere under your web root, it is very likely that the site has been compromised, either through a vulnerability in WordPress, a theme or a plugin, or through stolen administrator credentials.
Why you can no longer reach or log in to the administration screen
In the tampered file above, the first block, <FilesMatch "\.(py|exe|php)$"> ... Deny from all, tells Apache to refuse every request for a file whose name ends in .py, .exe or .php. Since WordPress is written entirely in PHP, this shuts off wp-login.php (the login page), wp-admin/edit.php (editing posts) and wp-admin/plugins.php (adding and updating plugins), along with every other admin script that the second block does not explicitly re-allow. You can no longer log in, and most of the administration panel stops working.
Below that, the second block, <FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|...)$"> ... Allow from all, re-allows only the listed file names despite their .php extension. Which names appear on the list varies between variants of this infection; in the sample above wp-login.php is on the list, but the wp-admin scripts the dashboard depends on, such as edit.php and plugins.php, are not, so the administration screen remains unusable.
index.php and wp-login.php are legitimate WordPress files that the attacker keeps reachable so the site stays up. Names such as about.php, radio.php, content.php, lock360.php, wp-l0gin.php, wp-theme.php, wp-scripts.php and wp-editor.php are not part of a standard WordPress install and are almost certainly backdoors or other malicious scripts that the attacker wants to keep accessible. Treat every name on that list as a lead: check whether a file of that name exists next to the .htaccess and what it contains.
How do I remove or repair a maliciously planted .htaccess file?
Because the administration screen cannot be reached, the only way to fix this is to edit the files directly with FTP/SFTP software, your host's file manager, or SSH.
Remove the tampered part from each .htaccess file, keeping WordPress's own "# BEGIN WordPress ... # END WordPress" rewrite block, then remove write permission on the file (for example chmod 444) so that it is not simply overwritten again. Keep in mind that malware running as the same user as the web server can restore write permission itself, so this is only a speed bump. Then log in to the administration screen and run a malware scanning/removal plug-in or similar, paying particular attention to the files named in the allow-list.
.htaccess settings apply to every file in that folder and all of its subfolders. Besides the top folder, the file shown above is often planted in wp-admin, which holds the administration functions, and in other subfolders, so search the whole site for .htaccess files rather than fixing only the root one.
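The cleanup described above, written out as an added example script; it is not part of the original article and is not a WordPress tool. It assumes you have SSH access to the host (an FTP client cannot run it), that the WordPress root is passed as the first argument and a quarantine folder outside the web root as the second, and that the site lives at the domain root (RewriteBase /). It lists the files named in the attacker's allow-list so you can inspect them, backs up every tampered .htaccess, strips only the two malicious FilesMatch blocks (a plugin's own FilesMatch rule is left alone), restores the standard WordPress rewrite block in the root file if it is missing, and removes write permission from the cleaned files.

```shell
#!/bin/sh
# Added example, not from the original article: clean the malicious .htaccess
# pattern described above out of a WordPress tree. Assumes SSH access.
# Usage: sh clean-htaccess.sh /path/to/wordpress /path/outside/webroot/quarantine

# A tampered file carries a FilesMatch block that denies every .py/.exe/.php file.
is_tampered_htaccess() {
    grep -Fq '(py|exe|php)' "$1" && grep -Fqi 'deny from all' "$1"
}

# Print every .htaccess under the root that matches the signature.
find_tampered() {
    find "$1" -name .htaccess -type f | while read -r f; do
        if is_tampered_htaccess "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print the file names the second FilesMatch explicitly re-allows, one per line.
allowlisted_names() {
    sed -n 's/.*FilesMatch ".(\([^)]*\)).*/\1/p' "$1" | tr '|' '\n'
}

# Allow-listed names that really exist beside the .htaccess are the first
# backdoor candidates; inspect them by hand (index.php included).
suspect_files() {
    dir=$(dirname "$1")
    allowlisted_names "$1" | while read -r n; do
        if [ -f "$dir/$n" ]; then printf '%s\n' "$dir/$n"; fi
    done
}

# Copy $1 to stdout without the malicious FilesMatch blocks. A block is dropped
# if it denies the py|exe|php pattern, or if it is a FilesMatch on .php names
# that says "Allow from all". Any other FilesMatch block is kept.
strip_tampered_blocks() {
    awk '
        index($0, "<FilesMatch") { inblock = 1; buf = ""; bad = 0; phplist = ($0 ~ /[.]php/) }
        inblock {
            buf = buf $0 "\n"
            if ($0 ~ /py[|]exe[|]php/) bad = 1
            if (phplist && $0 ~ /Allow from all/) bad = 1
            if (index($0, "</FilesMatch>")) { if (!bad) printf "%s", buf; inblock = 0 }
            next
        }
        { print }
    ' "$1"
}

# Back up one tampered file to quarantine, strip the blocks in place, and drop
# write permission. Malware running as the web-server user can chmod it back,
# so this is a speed bump, not a fix.
clean_htaccess() {
    f="$1"; quarantine="$2"
    mkdir -p "$quarantine"
    cp "$f" "$quarantine/$(printf '%s' "$f" | tr '/' '_').bak"
    strip_tampered_blocks "$f" > "$f.clean.$$"
    mv "$f.clean.$$" "$f"
    chmod 444 "$f"
}

# The root .htaccess must keep WordPress's own rewrite block or permalinks
# break; re-add the standard block if it is missing (assumes RewriteBase /).
ensure_wordpress_rules() {
    f="$1"
    grep -q 'BEGIN WordPress' "$f" 2>/dev/null && return 0
    chmod u+w "$f" 2>/dev/null || true
    cat >> "$f" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    chmod 444 "$f"
}

clean_wordpress() {
    root="$1"; quarantine="$2"
    find_tampered "$root" | while read -r f; do
        clean_htaccess "$f" "$quarantine"
    done
    ensure_wordpress_rules "$root/.htaccess"
}

if [ "$#" -eq 2 ]; then
    echo "Files named in the attacker's allow-list that exist on disk:"
    suspect_files "$1/.htaccess"
    clean_wordpress "$1" "$2"
fi
```

Run it once, read the listed suspect files before deleting anything (they are your evidence of what the attacker left behind), and keep the quarantine copies in case a legitimate rule was stripped by mistake.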
Even after I fix the .htaccess file via FTP, it is immediately tampered with again
In that case there is almost certainly more malware elsewhere on the site that rewrites .htaccess as soon as it is edited.
In many cases that code sits at the top of index.php in the WordPress root. Because index.php runs on every request to the site, every visit, including your own, re-runs the code that rewrites .htaccess.
This makes cleanup considerably harder: fixing .htaccess alone achieves nothing until the code in index.php, and any other copy of it, has been removed as well.
To stop the reinfection code from being triggered while you clean up, you can write the following at the top of the root .htaccess file to block all access except from your own IP address (put your PC's public IP address on the last line); with this in place, other visitors and the attacker can no longer trigger index.php:
order deny,allow
deny from all
allow from <your PC's IP address>
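As an added example that is not part of the original article, here is the same lockdown written for both Apache versions. The Order/Deny/Allow directives above are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, which many hosts no longer enable, so the native Require form is given as well. 203.0.113.10 is a documentation address standing in for your own public IP, and the file names in the last block are the non-standard names from the allow-list shown earlier.

```apache
# Added example: temporary lockdown for the WordPress root .htaccess.
# Replace 203.0.113.10 with your own public IP address.

# Apache 2.2 (and 2.4 with mod_access_compat): everyone denied except you
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from 203.0.113.10
</IfModule>

# Apache 2.4 native syntax, same effect
<IfModule mod_authz_core.c>
Require ip 203.0.113.10
</IfModule>

# Refuse the non-standard names from the attacker's allow-list by name, so
# they stay unreachable after the IP restriction is lifted again.
<FilesMatch "^(about\.php|radio\.php|content\.php|lock360\.php|wp-l0gin\.php|wp-theme\.php|wp-scripts\.php|wp-editor\.php)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</FilesMatch>
```

Put this at the very top of the file, above the WordPress rewrite block, and remove the IP restriction once index.php and the backdoors are gone; a later FilesMatch that the malware re-adds with "Allow from all" would override the per-file deny, which is one more reason the index.php reinfection code has to be removed first.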
Reference
Removal of index.php malware that quickly resurfaces even after WordPress is deleted.