// .HTACCESS · WORDPRESS · CLEANED
.htaccess malware removal.
A few extra lines in .htaccess can redirect every mobile visitor, run PHP from your uploads folder, or hide spam pages from you while showing them to Google. I clean it, then harden it. Flat $279.
§ 01 — MECHANISM
.htaccess is small, powerful, and easy to miss.
WordPress only uses .htaccess for pretty permalinks — a handful of well-known lines. Attackers append rewrite rules, error-document handlers, and PHP execution overrides that send traffic where they want it and let them run code where they shouldn’t.
There can be more than one .htaccess on your install. I list every copy on the filesystem, compare each one against the WordPress default, and either clean or remove the ones that don’t belong.
RewriteCond %{HTTP_USER_AGENT} mobile [NC]
RewriteCond %{HTTP_REFERER} google\.com [NC]
RewriteRule .* https://evil.example/ [R=302,L]

# A 302 conditioned on mobile + Google referrer
# is the signature of a cloaked redirect hack.
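The find-and-compare pass described above, written out in Python as an added example (it is not threatover's own tooling). It assumes a single-site WordPress installed at the web root, so the stock rule set uses `RewriteBase /`; the function names, labels and sample file are constructed for this illustration.

```python
import re
from pathlib import Path

# Stock single-site WordPress rules for a root install; anything else gets reviewed.
WP_DEFAULT = {
    "<IfModule mod_rewrite.c>", "</IfModule>", "RewriteEngine On", "RewriteBase /",
    "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    r"RewriteRule ^index\.php$ - [L]", "RewriteRule . /index.php [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f", "RewriteCond %{REQUEST_FILENAME} !-d",
}
# Heuristic labels for the directive types this page names (assumptions of this example).
SIGNATURES = [
    ("conditional on user agent or referrer",
     re.compile(r"^RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)),
    ("redirect to an absolute URL",
     re.compile(r"^(RewriteRule|Redirect(Match)?)\s.*https?://", re.I)),
    ("PHP handler override", re.compile(r"^(AddHandler|AddType|SetHandler)\b.*php", re.I)),
    ("custom error document", re.compile(r"^ErrorDocument\s", re.I)),
]

def audit_text(text):
    """Return (line_no, label, directive) for each line that is not a stock rule.
    BEGIN/END WordPress markers are not trusted; lines between them are checked too."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace before comparing
        if not line or line.startswith("#") or line in WP_DEFAULT:
            continue
        label = next((n for n, rx in SIGNATURES if rx.search(line)), "non-default, review")
        findings.append((no, label, line))
    return findings

def audit_tree(root):
    """Audit every .htaccess under root, whichever directory it sits in."""
    return {str(p.relative_to(root)): audit_text(p.read_text(encoding="utf-8", errors="replace"))
            for p in Path(root).rglob(".htaccess")}

# Constructed sample: the stock block with the redirect rules from this page injected.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} mobile [NC]
RewriteCond %{HTTP_REFERER} google\.com [NC]
RewriteRule .* https://evil.example/ [R=302,L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress"""
if __name__ == "__main__":
    print(*audit_text(SAMPLE), sep="\n")
```

Cache and security plugins add legitimate rules of their own, so a "non-default, review" finding means the line needs reading, not automatic deletion.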
§ 02 — WHAT WE REMOVE
Every .htaccess on the install, audited.
- [ TRIAGE ] Every .htaccess on the filesystem is found and read — root, wp-admin, wp-content, uploads, sometimes a few you didn’t know existed.
- [ REWRITE RULES ] Malicious rewrite rules and redirect directives stripped. The standard WordPress block is restored.
- [ PHP HANDLERS ] AddHandler and AddType directives that let PHP run from uploads or theme directories — removed.
- [ HARDENING ] Protective rules added: deny direct access to wp-config.php, block PHP execution in uploads, restrict xmlrpc.php.
- [ GOOGLE ] Reconsideration filed with Safe Browsing if the redirect triggered a warning. Search Console indexation re-requested.
- [ REPORT ] Plain-English forensic write-up, entry vector identified, before/after of each .htaccess included.
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT · ONE-TIME · PER SITE
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANY TIME
Continuous monitoring, hardening, one cleanup per year included.
Get protected →
Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →
Start an engagement.
Send the scope, stack, and timeline. You get a written proposal with a fixed quote.