• Below is the state of my current corrupted .htaccess file. I am able to see the full website and I am able to log in to the admin dashboard, but that is all I am limited to.
    As soon as I click on the tabs on my dashboard, e.g. Plugins, I get a 403 Forbidden error message.

    <FilesMatch ".(py|exe|php)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php)$">
    Order allow,deny
    Allow from all
    </FilesMatch>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

Viewing 15 replies - 1 through 15 (of 24 total)
  • Thread Starter jackngubo

    (@jackngubo)

    Below is the state of my current corrupted .htaccess file. I am able to see the full website and I am able to log in to the admin dashboard, but that is all I am limited to.
    As soon as I click on the tabs on my dashboard, e.g. Plugins, I get a 403 Forbidden error message.

    I’m having the same issue with my client's website. I can’t even access wp-admin. The virus modified my .htaccess file and made a duplicate of it in almost every folder. I get a 403 forbidden error every time I try to log in to WordPress.

    If you found the solution to your problem then kindly share it as a reply. Thanks

    Please help me… Same problem!!!

    I just fixed mine by pasting the standard WordPress .htaccess code:

    # BEGIN WordPress
    # The directives (lines) between BEGIN WordPress and END WordPress are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    Hi,

    We have got the same problem here.

    We deleted everything, installed WP-Core and Plugins new, changed all passwords and one day later the suspicious .htaccess was written in every folder. In the Doc-Root we found a modified index.php and about.php with malicious code in it.

    We contacted the hosting provider. But this hack is very strange.

    All the best

    I resolved the issue. It took a lot of time but it got resolved.

    Scenario 1
    The first thing is to restore a backup through cPanel if you haven’t made any changes to the website, because by restoring a backup you can get it fixed and you don’t have to get involved in complexities. If that’s not the case, you can follow these steps.

    Scenario 2 (Recommended)
    Replace all of your .htaccess files with genuine files. Delete .htaccess files in folders like plugins, themes etc. and replace .htaccess with the one from a fresh WordPress installation.

    Scenario 3

    <FilesMatch ".(phtml|php|PhP|php5|suspected)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    If your .htaccess file looks like this, then change it to allow from all to get access to wp-admin.

    Scenario 4
    If your .htaccess file keeps changing even if you fix it:

    1: Make a backup of your root directory
    2: Make a backup of your database
    3: Install the All-in-One WP Migration plugin (it’s free)
    4: Take a backup through that plugin.
    5: Install a fresh WordPress on a local machine (XAMPP, WAMP, USBWebserver etc.)
    6: Install the wp-migration plugin in it.
    7: Restore the backup on the local machine (using wp-migration will change all of your .htaccess files, so issues related to access will get solved. It will also change wp-core files like wp-admin and wp-includes)
    8: Test your website by using plugins like Sucuri, WP Cerber and MalCare and try to manually delete files through cPanel.
    9: Delete all nulled plugins and themes if there are any
    10: Try to find and fix loopholes so no one can access it again
    11: Enable live traffic monitoring to catch users
    12: Disable access to wp-login.php
    13: Change login URL
    14: Stop user enumeration
    15: Protect admin scripts
    16: Disable PHP in uploads
    17: Disable PHP error displaying
    18: Block access to WordPress REST API
    19: Block non-existing users
    20: Disable dashboard redirection
    21: Take a new backup with wp-migration or Duplicator Pro
    22: Restore it back on the server and harden the server so no one can penetrate it.

    I hope it helps someone.

    Hi,

    I saw this problem too.

    There is also an infected file index.php that keeps being re-infected no matter whether I rename or delete the file/parent folders.

    I ended up restoring a full server backup.

    This needs deep investigation. What exploit is being used, etc…

    Please ask WP gurus.

    Not that it helps after, but I long ago had an issue and had to restore.

    I got a bad login try notice from Wordfence recently.

    Top 10 Failed Logins = wordcamp

    Added to my .htaccess:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All

    Allow From (ip ranges I use)

    </Files>
    <Files wp-admin$>
    Order Deny,Allow
    Deny from All

    Allow From (ip ranges I use)

    </Files>
    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All

    allow from (ip ranges I use)
    ending this with
    Allow from env=REDIRECT_STATUS=200

    Finally I added in the file:

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all

    Added a specific IP.

    To complement this, in (I believe) Wordfence, I set it so that using a username that does not exist locks the IP for a set period.

    If I messed up I can go into cPanel and fix the lockout, or wait the period, or deactivate Wordfence and unlock and activate again.

    Automated attacks, once they are IP banned, tend to move on down the line.

    I was also getting attacked at one point from a small country, so I blacklisted the entire country and monitored traffic.

    The hardest thing, especially with posting/comment areas, is sanitizing your database.

    If something happens with a bad update I can roll back with backups.

    I have Wordfence and other security plugins on automatic update, as I want them instantly applied. As long as you have a backup or a host-side backup to restore from, then it is better to apply with the ability to roll back than be exploited.

    There is also an infected file index.php that keeps being re-infected no matter whether I rename or delete the file/parent folders.

    I had this issue as there was a script running that reached out once the file was changed or removed. I watched traffic and when I cleaned it, where traffic was coming from as the file reverted.

    I can’t remember if it was when someone viewed the site it called the script to check for the corruption and if it was cleaned, re-download the bad file.

    Once I removed the connectivity to that country ip range, I had time to learn and harden my wp installation.

    I have the same problem, I modify htaccess and it changes back automatically keeping the corrupt file (something is changing it), I delete all the non-wordpress directories and restore my backup but it still doesn’t work, did anyone fix it?

    I had the same issue. My Google page was showing Japanese.
    What I did: This malware is saved in the default directory, public_html. I’ve noticed that it leaves subdomains alone. When I tried to delete index.php and .htaccess, it was renewing those files with malicious code. On my FTP I created a different folder, and on my admin page I changed the default folder from public_html to the name of the folder I’d just created. I restored the backup page to the new folder. After that I deleted public_html and changed the admin pass.
    For now it’s working fine.

    • This reply was modified 3 years, 4 months ago by sn0wslight.

    Hi,

    I’m having the same issue and though I have isolated the web site from the backdoor, I still can’t reach WP Admin as I get 403 errors.

    The Apache log shows :

    AH01797: client denied by server configuration: XXXXX/wp-admin/load-scripts.php

    Any idea ?

    Hi,

    FYI, a corrupted .htaccess file was present in a parent directory.

    Removing it fixed the issue.

    Cheers.

    Hi all,
    I had the same issue and I solved it by rewriting the .htaccess in root with the default values and removing the .htaccess file from wp-admin.
    Don’t reload any admin page yet!!!
    Remove the about.php file from root and wp-admin; this page is infected!
    Open index.php from root and index.php from wp-admin and remove the injected code; you will see very easily which code is wrong.

    Cheers!

    I received the new year 2022 with this issue and to solve it:

    1. I zipped the folder of the website and downloaded it.
    2. Extracted it.
    3. Searched for all .htaccess files and then deleted them.
    4. Compressed the folder again and uploaded it to my site.
    5. Unzipped the files and the site is OK now.

    NOTE: Trying to delete .htaccess files one by one is impossible… when I searched there were more than two thousand copies.

    In the root of my account there are other suspicious files, so you have to check your own to be sure all malicious files are removed.
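
Added example, not written by any poster in this thread: a shell sketch that inventories .htaccess files carrying the injected `<FilesMatch ...php...>` / `Deny from all` block quoted above, both under the site directory (the "thousands of copies" case) and in every parent directory (the case where removing a parent-level file cleared the 403). The function names and the docroot path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a review list of .htaccess files that contain a
# FilesMatch block naming php together with "Deny from all".
# A deny-PHP rule can also be deliberate hardening (for example in an
# uploads directory), so treat the output as files to inspect, not to delete.

# Exit 0 if file $1 contains such a block, 1 otherwise.
is_suspicious_htaccess() {
    awk '
        { line = tolower($0) }
        line ~ /<filesmatch/ { inblk = 1; php = (line ~ /php/) }
        inblk && php && line ~ /deny from all/ { hit = 1 }
        line ~ /<\/filesmatch>/ { inblk = 0; php = 0 }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# Print every suspicious .htaccess under docroot $1, then in each parent
# directory up to /, because Apache also applies .htaccess files found in
# the directories above the one being served.
scan_htaccess() {
    root=$(cd "$1" && pwd) || return 2
    find "$root" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        if is_suspicious_htaccess "$f"; then printf '%s\n' "$f"; fi
    done
    dir=$(dirname "$root")
    while :; do
        f="$dir/.htaccess"
        if [ -f "$f" ] && is_suspicious_htaccess "$f"; then
            printf '%s\n' "$f"
        fi
        if [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage: sh scan.sh /path/to/public_html   (path is a placeholder)
if [ "$#" -gt 0 ]; then scan_htaccess "$1"; fi
```

A file that keeps reappearing after cleanup points to a dropper still present on the account, which this listing does not find.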

  • The topic ‘htaccess file corrupted’ is closed to new replies.