wordpressuser_21

Ok. I think that I fixed the problem. During my quest to find a solution I read about a suggestion to check the access logs from the host because the htaccess hack will affect every domain and folder on the host and not just the wp domain.

When I looked at my access log, I found the offending IP address and the PHP files that were changing the files were actually located outside my WP site. I replaced the hacked htaccess with my clean htaccess and denied the offending ip address in the htaccess file. Then I read that you need to have permissions set to 604 to prevent the htaccess from getting replaced again. So far, it is working and I haven’t had any more problems.

You also have to go through all of the folders on your site to get rid of those extra htaccess files that the hack writes. I noticed that the php files that cause the havoc were usually in the image directories.It adds an iframe to the end of most js files. So once you remove the hacker’s php files, replace and secure the htaccess and check for additional htaccess files in different directories then you need to go through every JS file and remove the iframe that is appended to the bottom.

Hi Krishna, already did that too. The only thing that I haven’t done yet is to do a fresh install in a different directory. However, I would like to find the solution to the problem first so that it can be prevented.

I deleted my htaccess file to see what would happen. Within just a few minutes the hacker’s htaccess file appears. So there is something somewhere that is watching the htaccess file.

No. Uploads folder is clean.