WordPress site hacked. Has .htaccess been hacked?

About Hacked sites:

First of all, let’s be clear about issues related to hacking:

If your site was genuinely hacked, then short of completely erasing all the files and then reinstalling the server (not just WordPress) with new passwords, updating all files, and identifying and removing the previous loopholes that caused the site to be hacked in the first place, nothing else will confirm that the site will not be hacked again using the same loopholes.

About the .htaccess modification:

To me, your .htaccess modification doesn’t look like the result of hacking; instead, it looks like a piece of WordPress CODE (either from a plugin or a theme) that is rewriting the .htaccess file because of URL rewrites.

Check out this sample from your .htaccess CODE:

RewriteRule ^([^\d\/]+)-([0-9]+)-([0-9]+)-.*..*$ ?$1$3=$2&%{QUERY_STRING}[L]

This line is basically transforming a URL that looks like this (for example):

example.com/something-12-34-something-else.html?query=string

to add a query string (internally, to the main index.php) that looks like this:

?something34=12&query=string

So, basically I don’t see how a hacker will gain anything from this. It’s still possible, but unlikely.

To test that it is indeed being rewritten by WordPress this way, you may do the following test:

  1. Go to wp-admin -> Settings -> Permalinks & click Save Changes button.

  2. Rewrite .htaccess with the default WordPress .htaccess CODE.

  3. Now, go to wp-admin -> Settings -> Permalinks again and click Save Changes button.

If your .htaccess file is writable by WordPress (web server) and if that .htaccess CODE was being generated by WordPress, then after the above process, your default WordPress .htaccess will be changed immediately to the one you’ve posted.

What to do next?

If you’ve successfully identified the changes to be made by WordPress, then you may detect which plugin or theme is doing it, by again following the above procedure after disabling each installed plugin one at a time.

Once the responsible plugin is disabled, the above procedure will not produce that change in the .htaccess file anymore. Then you’ll know which plugin is doing it, and perhaps will have a better understanding of why it’s doing it, e.g. whether it is a feature or the result of malicious activity.

If no plugin is found to be doing it, then you may do the same with the theme by activating a WordPress core theme (e.g. Twenty Seventeen).

If none of the above works, then I guess your next option is to hire an expert and allow him to examine your site.
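
A quick offline check to run alongside the procedure above, as an added example that is not part of the original answer: it evaluates the quoted rule's pattern against the sample URL, and lists which "# BEGIN name" / "# END name" marker block each RewriteRule in an .htaccess file sits in. It assumes the rules were written through WordPress's marker mechanism (core uses "# BEGIN WordPress"); the sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample: the classic default WordPress block, followed by the
# rule quoted in the answer, placed outside any marker block for illustration.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^([^\d\/]+)-([0-9]+)-([0-9]+)-.*..*$ ?$1$3=$2&%{QUERY_STRING}[L]
"""

def rules_by_block(text):
    """Return (line_no, block_name_or_None, rule) for every RewriteRule line."""
    block, found = None, []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if m := re.match(r"#\s*BEGIN\s+(.+)", s):
            block = m.group(1)          # entering a marker block
        elif re.match(r"#\s*END\s+", s):
            block = None                # leaving it
        elif s.lower().startswith("rewriterule"):
            found.append((n, block, s))
    return found

def apply_rule(path, query):
    """Map a per-directory path through the quoted rule, as the answer reads it."""
    m = re.match(r"^([^\d\/]+)-([0-9]+)-([0-9]+)-.*..*$", path)
    if not m:
        return None                     # rule does not fire for this URL
    # $1 and $3 form the parameter name, $2 its value, then the original query.
    return f"?{m.group(1)}{m.group(3)}={m.group(2)}&{query}"

if __name__ == "__main__":
    for n, block, rule in rules_by_block(SAMPLE):
        print(n, block or "(no marker block)", rule)
    print(apply_rule("something-12-34-something-else.html", "query=string"))
```

A rule reported with no marker block was not written through that mechanism, so the permalink-save test above is the next step to see whether it reappears.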
