Hacked Malware Index.php and .htaccess regenerating

Hopefully my findings will help other users.

A number of my sites were recently hacked.

I noticed that index.php filesize was much larger than the source wordpress file and when deleted / replaced it would regenerate / replace itself within seconds (as well at .htaccess).

Take a backup.

To stop the malware regenerating I put an .htaccess file (with the line below) in key folders, deleting the malware infected .htaccess

<Files *.php>deny from all</Files>

The malware had placed files such as radio.php, about.php, wp-confiig.php and infected index.php all over the site.

Delete these files where you find them noting that index.php in WordPress is about 405k – the malware loaded one was 1400k.

Install Wordfence or GOTML cleaners.

Clean and delete all infected files.

Delete all wordpress directores (wp-admin, wp-includes and wp files in the root) and do a clean install of WP core files.

Get your host to run a full malware scan.

Clean again.

Once clean backup and set a daily backup.

Keep scanning and keep an eye on Wordfence alerts.

Also if you use GOTMLS give the guy a donation – guys like him keep many of us safe.

Hope this helps others.