A common .htaccess hack

We see this problem a fair bit, both on new hack-repair clients’ sites and in discussions on places like Facebook. So I figured I’d give a quick tutorial on how to identify and fix the problem.

The Symptom

When you look up your site on a search engine, you find your web address associated with a list of sites which are definitely not yours.

The Exploit

This is often caused by a hacker getting into your site and making changes to .htaccess, a special hidden file in the root level of your site.

The .htaccess file can be used for a lot of things – blocking specific IP addresses or series of IP addresses, preventing directory listings, preventing hotlinking… and of course, redirecting traffic.

The hacker script inserts a few lines which redirect all traffic from the big search engines to other sites.

Immediate Solution

Log in to your web host’s cPanel or similar, and go to File Manager. (These steps can also be done via FTP if you have an account). Go to the root level of your WordPress installation. You should see your .htaccess file – if not, make sure that you have the ability to see hidden files (you may have to chat with your web host).

Open the .htaccess file and look for three lines similar to these:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ antiquate-cashers.php?$1 [L]


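The first two lines basically say “If anyone comes to your site from any of these major search engines…”: the first matches the search engines’ own crawlers by their User-Agent header, and the second matches visitors who clicked through from a search results page, by the Referer header. The third line says “Go to this page”. Because the rule only fires for that traffic, the site looks normal when you type its address directly into your browser. The file name in that third line is automatically generated by the hack script and, like the one above, typically has a nonsense name.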

When you go look at that page, it’s going to be 100% hacker code.

Delete those three lines from your .htaccess file, or put a # at the beginning of each line, which indicates that it’s a comment, not to be acted upon. Save .htaccess.

Check the creation date on that nonsense-named file. Chances are that there are a bunch of files strewn about your site structure which were created on the same date and contain similar-looking hacker code. Delete them all. Consider uploading fresh, clean copies of WordPress, all your plugins, and your themes, as it’ll ensure that you didn’t miss any in those parts of your site. That will take care of most of the offending files, but you’ll also have to look around in other parts of your wp-content folder such as Uploads.
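The check described above can be scripted. This is an added example, not code from the original post: it flags RewriteRule lines guarded by search-engine User-Agent or Referer conditions, then lists files that share the flagged file’s date. It assumes modification time stands in for the creation date (most Linux hosts do not expose the latter), and the function names are illustrative.

```python
import os
import re
from datetime import date

# Engine names come from the rule shown above; extend the list as needed.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)
COND = re.compile(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+(\S+)", re.I)
RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)", re.I)

def find_cloaking_rules(htaccess_text):
    """Return (line_number, target_file) for every RewriteRule guarded by a
    search-engine User-Agent or Referer condition."""
    hits, guarded = [], False
    for number, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and commented-out lines are inert
        cond = COND.match(line)
        if cond and ENGINES.search(cond.group(1)):
            guarded = True
        rule = RULE.match(line)
        if rule:
            if guarded:
                hits.append((number, rule.group(1).split("?")[0].lstrip("/")))
            guarded = False  # conditions apply only to the next RewriteRule
    return hits

def files_modified_same_day(root, reference):
    """List files under root last modified on the same date as reference.
    Assumption: mtime stands in for the creation date."""
    ref = os.path.abspath(reference)
    if not os.path.isfile(ref):
        return []  # rule points at a file that is already gone
    day = date.fromtimestamp(os.path.getmtime(ref))
    found = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.abspath(os.path.join(folder, name))
            if path != ref and date.fromtimestamp(os.path.getmtime(path)) == day:
                found.append(path)
    return sorted(found)

def audit(root):
    """Map each flagged rewrite target to the files sharing its date."""
    with open(os.path.join(root, ".htaccess"), errors="replace") as fh:
        hits = find_cloaking_rules(fh.read())
    return {t: files_modified_same_day(root, os.path.join(root, t)) for _n, t in hits}
```

Modification times can be reset by whoever planted the files, so treat the same-day list as a starting point for review rather than a complete inventory.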

If you don’t get them all AND remove the security hole they got through in order to hack you in the first place, then the problem will just come back later.

Long term solution

The long term solution of course is to sign up here and we’ll do our best to keep your site from getting hacked in the first place! We’re also available to do hack repairs on your site if you’re in need. Contact us any time.