I am looking for a way to edit or reset the .htaccess file for a WordPress site without access to the filesystem, working only with the wp-admin web interface and/or plugins* (see below for the back story if you’re interested or think it’s relevant).
A quick search on WordPress SE revealed something promising:
I tried installing both the plugins suggested there, but neither worked** (see below for explanation of why these plugins didn’t work, if you think it’s relevant).
And searching on Google, the only other promising option I could find is a plugin called “WP htaccess Editor”, which claims to do exactly what I want — simply provide a direct textbox editor for the .htaccess. But I can’t install this plugin. When I try, it fails, saying “Could not create directory. wp-content/upgrade/wp-htaccess-editor.1.1.12/wp-htaccess-editor”.
How can I change or remove a Plugins .htaccess file from inside the WordPress Admin Interface?
*Back story
My friend recently discovered that her WordPress site has been compromised, containing malware redirects. She doesn’t know where it is hosted or who is hosting it. Apparently someone else set it up for her several years ago, and she’s been unable to contact him recently. So I’m stuck working only with the wp-admin web interface.
Using a plugin called “BackupBuddy” I managed to download a copy of their site and discovered the source of the malware. The .htaccess contains redirects to malware sites.
The problem is, I can’t for the life of me figure out how to remove these lines. Again, I don’t have access to the file system (I wish I did, it would be such a simple fix).
**Explanation for why the plug-ins I tried didn’t work:
Firstly, the WordPress plugin admin interface for the most part doesn’t work for me, because almost all pages (including the plugin install pages) redirect because of the malware lines in htaccess. Luckily, the “upload zip file” plugin install method still works, so that’s how I installed the plugins.
When I tried the first listed plugin (“WP htaccess Control”), it let me go to the plugin settings and fill in all the options and even showed me the resulting output that would supposedly be written to .htaccess (and the output looked fine). The problem is, clicking “Save Changes”, though reporting success, appeared to do nothing at all to the redirects. Another download via backup buddy confirmed that the .htaccess file was not modified.
The second plugin (“All-in-one htaccess Plugin”) is a Catch-22; before doing anything it requires you to launch a series of tests, but clicking the “Initiate Tests” button on the plugin settings page leads to a page that is redirected to the malware page by the .htaccess. So it’s impossible for me to use this plugin.
You can delete files per plugin if the server’s PHP user has write permissions. The trick is to delete it immediately on activation. Here is a basic sample code:
Download as ZIP file or see the code on GitHub.
But move the site to another server! As long as you cannot control the files per SSH or FTP chances are the site will be hacked again.
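The activation-hook approach described in the answer above, as an added example; it is not the answerer's code. It assumes the injected rules are in the .htaccess in the WordPress root (ABSPATH), the function and option names are hypothetical, and it renames the file instead of deleting it outright so the injected rules are kept for review.

```php
<?php
/**
 * Plugin Name: Quarantine Root .htaccess (added example)
 * Description: On activation, moves the root .htaccess aside so its rules stop applying.
 */

defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

// Hypothetical names: example_quarantine_htaccess, example_htaccess_result.
register_activation_hook( __FILE__, 'example_quarantine_htaccess' );

function example_quarantine_htaccess() {
	// Assumption: the infected file sits in the WordPress root directory.
	$file = ABSPATH . '.htaccess';

	if ( ! file_exists( $file ) ) {
		$result = 'No .htaccess found in the WordPress root.';
	} elseif ( ! is_writable( dirname( $file ) ) ) {
		// Renaming or deleting needs write access to the directory itself.
		$result = 'The PHP user cannot write to the WordPress root; nothing changed.';
	} else {
		// Keep the original under a new name so the injected rules can be reviewed.
		// The ".ht" prefix keeps it under Apache's default deny rule for .ht* files.
		$copy = ABSPATH . '.htaccess-quarantined-' . gmdate( 'Ymd-His' );
		if ( @rename( $file, $copy ) ) {
			$result = 'Moved .htaccess to ' . basename( $copy ) . '.';
		} elseif ( @unlink( $file ) ) {
			$result = 'Could not rename .htaccess, so it was deleted.';
		} else {
			$result = 'Could not rename or delete .htaccess.';
		}
	}
	update_option( 'example_htaccess_result', $result );
}

// Show the outcome once on the next admin page load, then forget it.
add_action( 'admin_notices', function () {
	$result = get_option( 'example_htaccess_result' );
	if ( $result ) {
		echo '<div class="notice notice-info"><p>' . esc_html( $result ) . '</p></div>';
		delete_option( 'example_htaccess_result' );
	}
} );
```

Once the file is out of the way, saving Settings > Permalinks makes WordPress write a fresh rewrite block, provided the directory is writable.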
There really aren’t a whole lot of options (that I personally know of). If you are limited to wp-admin, this is what I’d do: see if you can find who is hosting it and see if you can find a hosting IP address or contact somebody. Firstly, can you run a whois on the domain? Sometimes contact information is listed within there. If your friend’s contact info is there, then try going to whoishostingthis.com and typing in the domain to see who the host is and see about contacting them. Most shared hosting companies can help you in some way. Lastly, I’ve known a few people to use Sucuri Security to remove malware from websites with high success. It however will set your friend back $89.