When the .htaccess file is rewritten, does it become blank, or damaged in some way (like duplicate lines or missing text), or is there suspicious new code that you wouldn’t expect to see?
If you’re not sure what to look for, you can post a copy on pastebin.com and post a link here, then I can take a look. If there is any sensitive information (specific IP addressess, etc.), you can replace them with fake text like 1.1.1.1.
-Matt R
It’s basically blank. All I get is…
# BEGIN WordPress
# END WordPress
No additional code. I’ve made the file read only for now, but I’m hoping to track down what is causing the change.
Ok, that’s one I haven’t seen before. It might be a bug in a plugin causing the problem, or like you said, possibly something malicious. (If it is, it’s not doing anything particularly useful, if that’s the entire file!)
If you can let it get overwritten again, and look at the date/time of the file, you can look for that time in your site’s access log file, and see if there is anything unusual around that time. (It could be a few seconds earlier.)
If you’re not sure where to find the access log on your particular host, the hosting company could tell you where it is. You might need to make the .htaccess file writable again, depending on how it’s being written.
If there is nothing unusual, it may still be a plugin bug. If you think the site is hacked, we have a guide to cleaning up, linked below, which also includes steps for using more of Wordfence’s scan options:
How do I clean my hacked site using Wordfence?
-Matt R
Let us know how it goes — and if you do have a visit that looks normal at the same time the .htaccess file is changed, that may still helpful, at least to see it is something happening within WordPress, and not a problem at the host.
-Matt R
