threatover Patrik Grobshäuser

.HTACCESS · WORDPRESS · CLEANED

.htaccess malware removal.

A few extra lines in .htaccess can redirect every mobile visitor, run PHP from your uploads folder, or hide spam pages from you while showing them to Google. I clean it, then harden it. Flat $279.

MECHANISM

.htaccess is small, powerful, and easy to miss.

WordPress only uses .htaccess for pretty permalinks — a handful of well-known lines. Attackers append rewrite rules, error-document handlers, and PHP execution overrides that send traffic where they want it and let them run code where they shouldn’t.

There can be more than one .htaccess on your install. I list every copy on the filesystem, compare each one against the WordPress default, and either clean or remove the ones that don’t belong.

.htaccess — typical attacker append
01 
02   RewriteCond %{HTTP_USER_AGENT} mobile [NC]
03   RewriteCond %{HTTP_REFERER} google\.com [NC]
04   RewriteRule .* https://evil.example/ [R=302,L]
05 
06
07 // A 302 conditioned on mobile + Google referrer
08 // is the signature of a cloaked redirect hack.

What I remove

Every .htaccess on the install, audited.

  • TRIAGE

    Every .htaccess on the filesystem is found and read — root, wp-admin, wp-content, uploads, sometimes a few you didn’t know existed.

  • REWRITE RULES

    Malicious rewrite rules and redirect directives stripped. The standard WordPress block is restored.

  • PHP HANDLERS

    AddHandler and AddType directives that let PHP run from uploads or theme directories — removed.

  • HARDENING

    Protective rules added: deny direct access to wp-config.php, block PHP execution in uploads, restrict xmlrpc.php.

  • GOOGLE

    Reconsideration filed with Safe Browsing if the redirect triggered a warning. Search Console indexation re-requested.

  • REPORT

    Plain-English forensic write-up, entry vector identified, before/after of each .htaccess included.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.