Malware Hack Reinfecting htaccess file

  • 4 days ago 3 of my websites were infected with malware. One was picked up by Google and is now flagged for avoidance.

    I have spent hours upon hours fixing this problem, yet every time the .htaccess files are reinfected with redirects to a Russian site of some description.

    – When I cleaned the sites I changed all the passwords for FTP, site admin, and database. I deleted cookie logon function by resetting WP secret keys. I installed Bulletproof Security to protect .htaccess and my wp-config folder. This hasn’t worked, they just bypass it. The hackers also won’t let me resave the file when I delete their hack, instead making me have to download the file and then upload it clean.

    – I thought the hack had come through FileZilla. So I stopped cleaning through that and instead started using Go Daddy file manager to clean the reinfected .htaccess files. But no, reinfection within 7 hours. Go Daddy, as per usual, don’t have a clue what I should even be looking for.

    – I also installed site DB backups but that didn’t make a difference. Neither did the plugin upgrades or WP upgrades I did when the sites were clean, which they were because I scanned them at

    – I have scanned every line of php for bad code using the advice on forums like this one and blogs, etc. I can’t see anything untoward and just don’t know what to do. As far as I can see this is purely the .htaccess file that is getting attacked. I have even completely deleted the file yet they keep putting a new one in.

    – One thing I find strange is that it only attacked these 3 sites. I have 3 other WordPress sites on the same hosting that it hasn’t affected. I have a feeling it got to my root site first and worked into the others, but then I don’t know how these things work so I am probably wrong. Could there be one file in the root that is triggering all this?

    If anyone here has any clue what I should be looking for or has experienced something similar I would greatly appreciate any advice. I can’t afford to shed out $100 each for a site clean, hell, the sites are more sentimental than valuable. If someone knows exactly where and what to look for that would be awesome.

    Thank you.

Viewing 15 replies - 1 through 15 (of 16 total)
  • I’m having the same issues for all pages on my Bluehost account that have WordPress installed. I’m hoping someone will respond with a fix soon! Please help!

    None of these are helpful. I understand deleting and starting over would help, but that’s not an option at this point. This is a very specific hack that a lot of people need help fixing.

    All malware attacks seem similar in nature. I have removed malware on 4 sites in the past four weeks. In each case, finding and removing infected files ranged from easy, to a huge pain. My impression is that you cleaned out what you could, but you’re missing some infected files. A wild guess would be to check the Plugins and Uploads folder for suspicious files. If you have a plugin that you’re not using, delete it. I’d like to help you out, but it’s difficult to respond with a ‘fix’ other than share other experiences. Esmi was trying to help out by arming you with knowledge of other malware cases.

    The first 3 links are instructions on how to clean the hack from your site.
    The last link is specifically about ensuring that you have removed all infected or malicious files – even those that appear innocent.

    I have also seen this issue earlier but know after reading your help article I am very easy to remove my news website’s unconditional errors. Thank you for sharing.



    This is a very specific hack that a lot of people need help fixing.

    List the specifics please. Also your domain name, if you don’t mind.

    As far as specifics, the OP lays out the problem pretty well. What I’ve found is this hack constantly re-writes the .htaccess files and the malicious code is in there. I can delete it and it will return within a few hours. I have found a website talking about this issue within the last week and some of the comments there have given some ideas, but nothing concrete. Here’s that URL –

    Timthumb Exploit causing plethora of sites to redirect to Russia

    It seems a Google search for this hack gives results of many others having the same issue as well.

    Some of the websites of mine that have been infected are:

    I have 4 others with the exact same issue. Sorry if I sounded rude earlier. Re-reading the post, it sounded a bit hateful. I appreciate the help and I just want to know what the heck to look for. I don’t have the money to shell out $100 per site for them to be fixed, but I really want this cleaned up.

    Thanks in advance for any help!

    Try the following:

    1. Download a copy of your infected sites.
    2. Nuke your web account.
    3. Recreate the web account.
    4. Install fresh copy of WP.
    5. Restore backup copy DB.
    6. Name the Database something other than ‘WP<something>’
    7. Name the table prefix something other than ‘wp_’
    8. Name the admin account something other than ‘admin’
    9. Choose a password with both numbers and letters for your accounts.
    10. Make sure version numbers from the WP core and plugins are removed from public viewing.

    Note: When restoring files to the directory, scan through all your directories that you are copying over from the previous install, for the infected file could be hiding there.

    Right out of the gate, I see this: – vulnerable version of WordPress

    Version 3.1 – vulnerable version of WordPress

    Version 3.1

    From all appearances ( at least from a surface view ) you have nothing unique going on. You have files that are being written to by someone other than you, and you need to identify how, and why. All of the links referenced above lead to excellent advice.

    – consider that you are still running versions of WordPress known to be exploitable. I guess you should ask yourself why.

    – compromised FTP credentials? Check your logs.
    – compromised Windows client that’s harvesting FTP or WordPress passwords? Check for malware and trojans.

    – contact your host and advise them of the compromised domains.
    – you could be the victim of an exploit that came from the shared server space itself, faulty permission schemes on your WordPress files and directories, or out of date, or exploitable plugins, themes or scripts from third party sources. Links, steps, advice and general information are documented ad nauseam here in the forums.

    Thread Starter lixation


    Hi All,

    What took you all so long…:) I am all malware free now, but in the end I had to get an expert in to fix it for me.

    Believe me, I followed every article, every fix, every piece of advice. I cleaned the site about 4 times and still there was always a new issue. Once the hackers are inside they create multiple back doors to keep messing with you and redirecting your site. Once in your root they will spread the malware to all your sites; one by one my sites fell victim. After a week of this I was at risk of losing rankings and money as my work sites had become affected. I found a link on the WP forum to a blog with a useful thread. I posted on that blog and the owner contacted me. Within a few hours of requesting the clean I was back up and running. He gave me great advice for security measures and went the extra mile in helping me tidy up my root directory and site files. It’s a misconception that you need to pay per site; you will pay per hour to fix the problem on a particular hosting account, be it 1 website or 4. I had 4 sites affected and it took roughly 2.5 hours to clean, so around 150 dollars – but this is dependent on the extent of the problem.

    My advice is this: unless you are a developer who is able to spot malicious code, and malicious code that has been recoded to be barely recognizable as malicious code, don’t waste your time stressing yourself out trying to fix this stuff. All this advice people post about following these “easy fixes” is BS just to get traffic to the article. Unless you delete your infected sites the problems will still be there. I had DB backups and uploaded those clean ones, yet still the problems existed. Get a professional with the tools and knowledge to secure your sites. Likelihood is, even if you think you’ve fixed it, there will be a backdoor for the hackers to get back in. Further to that, never install a plugin unless you have thoroughly searched the web for threads on security issues with that particular plugin. Disable and delete all unused plugins, keep WordPress updated and all existing plugins to latest version. Lastly, avoid poor hosting companies who have security problems but never tell you, and then when you get hacked have no means of helping you at all.

    You can find Michael, the guy who fixed my sites, here, (leave a comment and I am sure he will be in touch shortly)

    Good luck!

    All this advice people post about following these “easy fixes” is BS just to get traffic to the article

    I find that a puzzling point of view, when you consider that the link you are recommending to others for professional and affordable guidance and assistance is one that has been recommended as a resource over 2600 times already, here in the forums (including a post in this very thread). All good information!


    Thread Starter lixation


    Okay, maybe that was harsh, but believe me, after 4 straight 10 hour days of following advice and getting nowhere you will start to think like that. Also, the majority of advice is just copied from other sources, not given out of experience, as is the nature of driving traffic to a site. Yes, the resource I cited is helpful, and indeed written by the guy I hired. Yet the most helpful thing that happened was being contacted by the author and being back up and running within a few hours after that.

    My point is this, unless you have solid developer/website technical experience you will struggle considerably to fix this particular hacking problem. Perhaps I am just inadept at following the advice, but come on, for the average joe, understanding “find this line of code in a folder named xxx in the root of your domain and then ……” is going to be difficult. Let’s just say my mum has a website and has this issue, no article, however great, will help her. Worst thing of all is, most hosting companies can’t even help their customers on this issue, so where does that leave the consumer?

    Most advice across the web consists of basic steps that will not completely clean the infection, anyway, unless of course, you have your sites completely backed up and you delete them from the server and start over. I am not trying to offend article writers, just saying, 90% of people shouldn’t waste their time. Better to pay $150 than to lose rankings and hours of work time.


    For anyone still pulling their hair out with this…

    I run about 80 WordPress sites on the same server – htaccess files getting updated every couple hours. I went through and changed all passwords, WordPress version updates, plugin updates, WordPress user accounts, FTP accounts, timthumb updates, htaccess permissions etc. – I did it all and it was still happening.

    After poring through my server logs I found that Russian IP addresses were accessing “version.php” in my WordPress sites. (NOT the wp-includes/version.php – these were usually in the themes folder and in a couple cases right in the root of the website.)

    Inside that version.php file was a PHP script called “Web Shell by oRb” that was causing the issue to reoccur. I removed these files and the problem has finally stopped happening.

    I googled this issue and surprisingly nobody has any info on it (even Sucuri) – hope this helps someone out.
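
The log check described in the post above, as an added example that is not part of the original thread: it reads access-log lines in the common "combined" format and reports every successfully served `version.php` other than the core `wp-includes/version.php`, with the client IPs and methods that requested it. The log format, the sample lines, the IP addresses and the theme name `example-theme` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# WordPress core ships one version.php, and it lives at this path.
CORE_SUFFIX = "/wp-includes/version.php"

# Constructed sample lines (documentation IP ranges, made-up theme name).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2012:03:14:07 +0000] "POST /wp-content/themes/example-theme/version.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [01/Jan/2012:05:20:41 +0000] "GET /wp-content/themes/example-theme/version.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2012:05:21:02 +0000] "GET /version.php?x=1 HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.20 - - [01/Jan/2012:06:00:00 +0000] "GET /wp-includes/version.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.20 - - [01/Jan/2012:06:00:03 +0000] "GET /wp-content/plugins/version.php HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.5 - - [01/Jan/2012:06:10:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]


def suspicious_version_hits(lines):
    """Map each non-core version.php that was served to its requesters."""
    hits = defaultdict(lambda: {"ips": set(), "methods": set(), "count": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path").split("?", 1)[0]  # drop the query string
        low = path.lower()
        if not low.endswith("/version.php") or low.endswith(CORE_SUFFIX):
            continue  # other files, and the genuine core file, are ignored
        if not m.group("status").startswith("2"):
            continue  # 403/404: the request found nothing to execute
        hits[path]["ips"].add(m.group("ip"))
        hits[path]["methods"].add(m.group("method"))
        hits[path]["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for path, info in sorted(suspicious_version_hits(SAMPLE_LOG).items()):
        print(info["count"], path, sorted(info["ips"]), sorted(info["methods"]))
```

Each reported path is a lead to inspect on disk rather than proof of a web shell, since a theme or plugin can ship its own `version.php`.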

    This might be a stupid question but this is the first time I am dealing with a problem like this.

    How do I access my server logs to find an error like above?

    I am definitely getting the same .htaccess hack over and over.

  • The topic ‘Malware Hack Reinfecting htaccess file’ is closed to new replies.