• I have a client with a Litespeed server whose .htaccess file is constantly being hacked with malware.

    His site is using the Astra theme (seems good) and only a few plugins like:
    Akismet, Contact Form 7, Elementor, WP Forms, All in One SEO

    That’s all, only a few basic plugins and theme… there are no weird folders or anything, and just a basic control panel type of shared hosting. His website is using Cloudflare and apparently the hosting company has some security features, but it doesn’t seem to be helping anything.

    The database looks clean, WordPress Core was reinstalled multiple times. I did malware cleaning for many clients and I know most of the normal things to do for cleaning and security.

    No matter what, this malware always comes back again:

    <FilesMatch ".(py|exe|php)$">
     Order allow,deny
     Deny from all
    </FilesMatch>
    <FilesMatch "(^my1.php|^wp-login.php|^wp-signups.php|^index.php|^style.php|^iR7SzrsOUEP.php|^xget.php)$">
     Order allow,deny
     Allow from all
    </FilesMatch>

    So his site becomes broken, and he can’t even log in to WP Admin or click anything. Then I have to reset his .htaccess file again and remove the 2-3 PHP malware files. In the meantime his site is broken for a few days and sometimes also redirecting to “adult” spam websites, which is hurting his website reputation.

    I have tried everything to stop this happening.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter markode

    (@markode)

    “This post has been held for moderation by our automated system and will be manually reviewed by a moderator.”

    thank you

    Hello @markode,

    Is your client's default WordPress totally upgraded?
    Just do some basic things to secure your website.

    1. First upgrade your WordPress version.
    2. Change the salt code of the wp-config file, and clean any unwanted HTML files or demo files from the main root.
    3. Install security plugins like Sucuri or Wordfence.
    4. Set your DB permissions and folder permissions to 644 read-only so no one can make any changes to your site or upload to your site.
    5. Upgrade the plugins.
    6. Change the WP prefix to any other alternative so no one can easily enter using the WP prefix.

    Anonymous User 20166280

    (@anonymized-20166280)

    Hola markode,

    No matter what, this malware always comes back again

    I’m sure you need to kill the malicious PHP process first (by using SSH, i.e. kill PID). If it’s somehow hard, ask your hosting support to step up and do it for you.

    Thread Starter markode

    (@markode)

    Thanks @magentomaster … yes WordPress core already updated and reinstalled many times, no junk files anywhere in the file manager.

    I don’t want to think security plugins are the only solution. I’m not certain that will fix the problem anyway cuz .htaccess is being hacked, not WordPress.

    Maybe chmod .htaccess is a good idea but I think 644 is not strong, maybe something stronger? If no conflicts

    I would really like to know how this is happening though…

    @yoruoni

    I’m sure you need to kill the malicious PHP process first

    Thank you, not sure I can see process list from the cPanel hosting server, maybe the host can check that but seems no suspicious PHP files exist anymore.

    • This reply was modified 2 years, 10 months ago by markode.
    Anonymous User 20166280

    (@anonymized-20166280)

    markode,

    but seems no suspicious PHP files exist anymore

    I’m sure this is about the malicious PHP process up and running, that’s why you need to check it (or ask the support team to check it for you).

    Maybe chmod .htaccess is a good idea

    It’s not. Better hunt for the root cause of your problem [I already gave you a hint where to start].

  • The topic ‘Litespeed .htaccess getting malware constantly’ is closed to new replies.
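
An added example, not part of the thread or any participant's code: a small Python check that recognises the injected rule pair quoted in the opening post (deny every PHP file, then allow a hand-picked few) and lists the allow-listed names that are not WordPress root files, which are the files to look for on disk. The `CORE_ROOT_PHP` list is an assumption and should be extended for the real site.

```python
import re

# Assumption: a short list of PHP files that ship in the WordPress root.
CORE_ROOT_PHP = {"index.php", "wp-login.php", "wp-signup.php", "wp-cron.php",
                 "xmlrpc.php", "wp-config.php", "wp-load.php"}

# The injected rules exactly as quoted in the opening post.
SAMPLE = '''<FilesMatch ".(py|exe|php)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "(^my1.php|^wp-login.php|^wp-signups.php|^index.php|^style.php|^iR7SzrsOUEP.php|^xget.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
'''

BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]*)"\s*>(.*?)</FilesMatch>', re.I | re.S)
NAME_RE = re.compile(r'[\w.-]+\.php', re.I)

def parse_blocks(text):
    """Return (pattern, policy) per FilesMatch block; policy is 'deny', 'allow' or None."""
    blocks = []
    for pattern, body in BLOCK_RE.findall(text):
        policy = None
        if re.search(r'^\s*Deny\s+from\s+all\b', body, re.I | re.M):
            policy = "deny"
        elif re.search(r'^\s*Allow\s+from\s+all\b', body, re.I | re.M):
            policy = "allow"
        blocks.append((pattern, policy))
    return blocks

def audit_htaccess(text):
    """Flag the 'deny all PHP, allow a chosen few' pattern and the unfamiliar names."""
    blocks = parse_blocks(text)
    denies_php = any(p == "deny" and re.search(r'\bphp\b', pat, re.I)
                     for pat, p in blocks)
    allowed = []
    for pat, p in blocks:
        if p == "allow":
            allowed += NAME_RE.findall(pat)
    unknown = sorted(n for n in allowed if n.lower() not in CORE_ROOT_PHP)
    return {"lockdown": denies_php and bool(allowed), "unknown": unknown}

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

Run against the quoted rules, it reports `wp-signups.php` among the unfamiliar names: the WordPress root file is `wp-signup.php`, so the look-alike is easy to miss when scanning a file listing by eye.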