Here’s How To Fix A Hacked .htaccess File On Your WordPress Website


Did you know? A hacked .htaccess file can cause redirects, malware injections, or even lock you out of your website. If your WordPress website has a hacked or infected .htaccess file, here’s how you can fix it:

1. Back Up Your Website First

Before making any changes, create a complete backup of your WordPress site (files + database). Just in case something goes wrong, you will be able to restore your website.

2. Access Your Website Files

Use an FTP client such as FileZilla, or open the cPanel File Manager, and go to the root directory (public_html or /).

3. Locate the .htaccess File

The .htaccess file is usually in the root folder of your WordPress installation.

If you can’t see it, enable “show hidden files” in your FTP client or control panel interface.

4. Check for Malicious Code

Open the .htaccess file in a text editor like Notepad.

Look for strange redirects (to spammy sites), encoded text, or unfamiliar rules.

Hackers usually add long blocks of gibberish code or suspicious scripts that make your website redirect to external spam sites.

5. Delete or Replace the File

Delete the hacked .htaccess file completely.

Don’t worry: the next step shows how to make WordPress generate a clean version of the .htaccess file.

6. Regenerate a Fresh .htaccess File

Log in to your WordPress dashboard.

  • Go to Settings → Permalinks.
  • Without changing anything, click “Save Changes.”

This action creates a fresh, default .htaccess file.

7. Scan Your Website for Malware

Install a security plugin like Wordfence or All in One WP Security.

Run a full site scan to ensure no other files are compromised.

8. Update Everything

Update WordPress core, themes, and plugins.

Remove unused or suspicious plugins.

9. Harden WordPress Security

  • Change all admin, FTP, and database passwords.
  • Use strong, unique credentials.
  • Limit file editing in WordPress (define('DISALLOW_FILE_EDIT', true); in wp-config.php). You may need the assistance of a professional WordPress developer to do this.
  • Add a firewall plugin or use hosting-level security.

10. Monitor Your Site Regularly

The best way to avoid hacking is to monitor and maintain your website regularly. If you don’t update the plugins, WordPress core, and the server’s PHP version, your website may be at risk of hacking. Apparently, most website owners don’t have the time or resources to maintain their sites, so they hire web developers for their website maintenance.

Note: If your website still redirects to spam sites or creates spam folders, it likely means malware has been injected into the core WordPress files or its plugins. In such cases, it’s best to hire a web developer to repair your website.
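
The manual check in step 4 can be partly automated. The script below is an added example, not part of the original article: it flags redirects to other hosts, rules keyed on the visitor's referer or browser, directives that change how files are executed, long encoded-looking strings, and anything outside the `# BEGIN WordPress` / `# END WordPress` markers. The pattern list, the host `example.com` and the sample file are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristics for step 4. A hit means "review this line", not proof of compromise.
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)
REDIRECT_RE = re.compile(r"^(RewriteRule|Redirect\w*|ErrorDocument)\b", re.I)
COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
HANDLER_RE = re.compile(
    r"^(php_value\s+auto_(prepend|append)_file|AddHandler|AddType|SetHandler)\b", re.I)
ENCODED_RE = re.compile(r"[A-Za-z0-9+/=]{60,}")

def audit_htaccess(text, site_host):
    """Return (line_no, reason, line) tuples for rules that need a manual look."""
    findings, in_wp_block = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("# BEGIN WordPress", "# END WordPress")):
            in_wp_block = line.startswith("# BEGIN")  # markers WordPress writes itself
            continue
        if not line or line.startswith("#"):
            continue
        reasons = []
        hosts = {urlparse(u).hostname for u in URL_RE.findall(line)}
        if REDIRECT_RE.match(line) and any(
                h and h != site_host and not h.endswith("." + site_host) for h in hosts):
            reasons.append("redirect to external host")
        if COND_RE.match(line):
            reasons.append("rule keyed on referer/user agent")
        if HANDLER_RE.match(line):
            reasons.append("changes how files are executed")
        if ENCODED_RE.search(line):
            reasons.append("long encoded-looking string")
        if not reasons and not in_wp_block:
            reasons.append("outside the WordPress block")
        findings.extend((no, r, line) for r in reasons)
    return findings

# Constructed sample: three injected lines above an abridged WordPress block.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://spam.example.net/in.php [R=302,L]
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
"""
```

Run `audit_htaccess()` on a downloaded copy of the file with your own domain as `site_host`. Lines inside the WordPress markers are only checked against the patterns, so still compare that block by eye with the fresh file from step 6.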