1

The content of .htaccess file get changed from the typical content made by WordPress to this :

# Apache 2.4+
<IfModule authz_core_module>
Require all denied
</IfModule>

# Apache 2.2
<IfModule !authz_core_module>
Deny from all
</IfModule>

This causes the site to stop working with a 403 error message. The site returns to work when I return the content of the file (.htaccess) to what it was (from a previous backup), but after periods that may be long or short, the same thing happens and all the content of the file (.htaccess) is erased and replaced with the text written above.

I am using Jelastic Paas + Lightspeed Web Server, I checked all the site files using BitNinja, I use Wordfense and Sucuri, so I don't know where the error is and how the file is replaced automatically and periodically. Any ideas in particular?

I tried scanning the files and i expected to find some malware, even after deleting some suspicious files nothing improved.

Edit1: installed plugins are :

  • Checkout Files Upload for WooCommerce
  • Code Snippets
  • Contact Form 7
  • Content for multiple Courses in LearnPress
  • Cool Integration for LearnPress & WooCommerce
  • Elementor
  • Essential Addons for Elementor
  • Facebook Chat Plugin - Live Chat Plugin for WordPress
  • Flamingo
  • LearnPress
  • LearnPress - WooCommerce Payment Methods Integration
  • Limit Max IPs Per User
  • LiteSpeed Cache
  • LoginPress - Customizing the WordPress Login Screen.
  • LoginWP (Formerly Peter's Login Redirect)
  • Nextend Social Login
  • Password Strength Settings for WooCommerce
  • Quiz Maker
  • reCaptcha by BestWebSoft
  • Redirection
  • Redirection for Contact Form 7
  • Simple History
  • Sucuri Security - Auditing, Malware Scanner and Hardening
  • TeraWallet
  • UpdraftPlus - Backup/Restore
  • User Switching
  • VdoCipher
  • WooCommerce
  • WooCommerce Checkout Manager
  • WooCommerce Checkout Manager PRO
  • WooCommerce Wallet Coupons
  • Wordfence Security
  • WordPress Persistent Login
  • Wordpress Special Characters in Usernames
  • WP Mail SMTP
  • WP Ultimate CSV Importer
  • WP Ultimate Exporter
  • WPC Fly Cart for WooCommerce
  • WPC Product Bundles for WooCommerce
  • WPFront Notification Bar
MrWhite
  • 43,179
  • 8
  • 60
  • 84
Mohammed Etikar
  • 11
  • 2
  • Can you please share your plugins list? – Hardik Solanki Jan 05 '23 at 04:34
  • I added the list of plugins installed in the main thread thanks for your comment – Mohammed Etikar Jan 05 '23 at 10:03
  • "even after deleting some suspicious files nothing improved" ... now either the installation has a backdoor and has been compromised or not. If you discover files that do not belong there then deleting them does not solve the issue. – arkascha Jan 05 '23 at 12:53
  • "some suspicious files" - What makes these files "suspicious"? What are these files? – MrWhite Jan 05 '23 at 13:03
  • @arkascha have you any ideas to solve the issue ? – Mohammed Etikar Jan 06 '23 at 00:05
  • 1
    @MrWhite Malware scan with BitNinja showed the following : Malware name: {YARA-QUARANTINE}PHP.Backdoor.GenericEval --- in the path : home/litespeed /bin/wp (and) Malware name: {YARA-QUARANTINE}PHP.RCE.eval_filegetcontents_01 --- in the path : tmp/phpBhM8Pa – Mohammed Etikar Jan 06 '23 at 00:06

0 Answers0