If this is happening on a regular basis, your security plugins appear to be failing.
Below are several steps you can take to prevent this:
- Start by using a really good security plugin like Wordfence Security. I haven’t had a successful hacking incident since I started using this.
If that fails, or you just want an EXTRA STRONG lock-down, you can also try the following. I have done the Microsoft equivalent on our intranet site to avoid accidental file modifications/deletions by my less informed hardware admins. This lock-down requires you to manually unlock everything every time you perform a plugin or theme install/update/deletion, or ANYTHING. (read: Last Resort).
- Use chmod (or your file manager) to remove write privileges from key files like .htaccess and most PHP files in your WordPress root.
- Use the methods detailed in this answer to protect against unintentional host updates and root access.
For further reading (if you’re having trouble sleeping, avoid this, it can cause nightmares), Kinsta has an outstanding article on WordPress vulnerabilities and how to avoid them.