I’m trying to clean up a WordPress website that’s been hacked. I noticed that the .htaccess file has some suspect-looking regular expressions, but my regex skills are pretty weak (time to learn I guess). I’ve tried replacing the .htaccess file with the default WordPress .htaccess, but it gets rewritten immediately and automatically. What I need to know is what’s going on with this code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([^d/]+)-([0-9]+)-([0-9]+)-.*..*$ ?$1$3=$2&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)=[0-9]+$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)..*&_.*_.*=(.*)Q(.*)J[0-9]+.*TXF[0-9]+.*FLK.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)..*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F.*%[0-9]+F&$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F.*%[0-9]+F$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F&$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+).*[0-9]+..*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([^d/]+)-([0-9]+)-([0-9]+)..*$ ?$1$3=$2&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F&#[0-9]+;.*=.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)-([^d/]+)_.*_([0-9]+)$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If the .htaccess has been compromised, do you have any suggestions for securing it?
I did a fresh WordPress install, updated/reinstalled all plugins, reset passwords, installed captchas for logins, moved the WordPress install to a different directory, etc. Website seemed to be fine for a few days, but was hacked again. So frustrating!
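An added example, not part of the original post: a small Python check that compares everything between the `# BEGIN WordPress` and `# END WordPress` markers against the directives a stock WordPress install writes there, and reports the rest. The function name, the constructed sample (two injected rules copied from the listing above) and the inclusion of the `HTTP_AUTHORIZATION` line used by newer WordPress versions are assumptions of this example.

```python
import re

# Directives a stock WordPress install writes between its markers.
# Backslashes are dropped before comparing, so "^index\.php$" also matches.
STOCK = [re.compile(p) for p in (
    r"<IfModule mod_rewrite\.c>",
    r"RewriteEngine On",
    r"RewriteBase /\S*",
    r"RewriteRule \.\* - \[E=HTTP_AUTHORIZATION:%\{HTTP:Authorization\}\]",
    r"RewriteRule \^index\.php\$ - \[L\]",
    r"RewriteCond %\{REQUEST_FILENAME\} !-[fd]",
    r"RewriteRule \. /\S*index\.php \[L\]",
    r"</IfModule>",
)]

# Constructed sample: the stock block plus two rules from the listing above.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([0-9]+)/([^d/]+)([0-9]+)$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)-([^d/]+)_.*_([0-9]+)$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def audit_wordpress_block(text):
    """Return (line number, reason, directive) for each non-stock directive."""
    findings, inside = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.replace("\\", "").split())
        if line in ("# BEGIN WordPress", "# END WordPress"):
            inside = line == "# BEGIN WordPress"
            continue
        if not inside or not line or line.startswith("#"):
            continue
        if any(p.fullmatch(line) for p in STOCK):
            continue
        m = re.match(r"RewriteRule \S+ (\S+)", line)
        bare_query = bool(m and m.group(1).startswith("?"))
        reason = ("rewrites the URL path into a bare query string"
                  if bare_query else "not in the stock WordPress block")
        findings.append((lineno, reason, line))
    return findings

if __name__ == "__main__":
    for lineno, reason, line in audit_wordpress_block(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```

Pointing it at the live file after each cleanup attempt shows whether the extra rules have come back.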