Those .htaccess directives are for the host to handle php versions; they are not the hack.
Carefully follow FAQ My site was hacked – WordPress Codex.
Then take a look at the recommended security measures in Hardening WordPress – WordPress Codex and Brute Force Attacks – WordPress Codex
If you can’t do the work yourself, consider looking for a reputable person on http://jobs.wordpress.net/ or http://directory.codepoet.com or http://upwork.com
(FYI, it’s not a good idea to respond to work offers from random forum users who have read about your issues.)
Thread Starter
mpflwi
(@mpflwi)
Thank you Mark! I will carefully follow your suggestions. Should I delete my post for safety? Did I reveal anything important?
It’s your choice to delete your post. The host php version directives show 5.4, which is outdated; ask your host how to update php.
Thread Starter
mpflwi
(@mpflwi)
# BEGIN SYSTEM API
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} !myclearcode$ [NC]
RewriteRule ^onyy/(.*)$ wp-conten.php?$1 [L]
Interesting, found the htaccess file in my server and now it reads something different. Is anything here something I can delete or the cause of the hack?
# END SYSTEM API
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If your site redirects to a spam site, you were hacked. Follow the instructive links I posted. Simply cleaning an .htaccess file will not stop the hack. In your .htaccess file, the code block between the # SYSTEM API tags is suspect. The other block # WORDPRESS is standard WordPress.
Thread Starter
mpflwi
(@mpflwi)
Mark, I followed the instructions you sent. Scanned my computer, changed the passwords, scanned the website, checked for Blacklist, and got down to the section that said “good article to read if you suspect a hack”. That’s where I learned about the .htaccess information from your first email. It’s Greek to me but I see words like ReWriteCond on their list of problems to fix.
What Mark means is that if you only clean up the symptom, you’ll miss closing or removing the vector they used in the first place, and it will simply happen again.
Take a look through https://codex.wordpress.org/FAQ_My_site_was_hacked as it walks through identifying and/or removing all known attack vectors and symptoms.
If you’re not able to do everything in the guide, I have to recommend hiring someone to do it for you via http://jobs.wordpress.net or go straight to a firm who specializes in such things, like https://www.sucuri.net or https://vaultpress.com
Do not accept any hire or direct access offers posted to these forums.
