How to Fix the DenyAll Hack in a WordPress .htaccess File

    If your WordPress site won’t let you edit posts or pages and you see malicious code in the .htaccess file, it’s possible that your site has been hacked and the hackers have added code to restrict access to the site. The “DenyAll” code in the .htaccess file is preventing any user from accessing the site, including you as the site owner.

    What is the DenyAll hack?

    The DenyAll hack won’t let you edit or access some of the following:

    • Won’t let you access or edit Posts
    • Won’t let you access or edit pages
    • Won’t let you access or Add New plugins
    • Won’t let you access or Add New themes
    • Won’t let you access Comments

    “DenyAll” refers to the Deny from all directive, which can be used in .htaccess to deny all access to a particular directory or file on a website. To use it, you can add the following code to the .htaccess file:

    Order Allow,Deny
    Deny from all

    This will deny access to the directory or file for all users. However, it’s important to note that this can also block access for search engines and other legitimate bots, which can negatively impact your website’s search engine optimization (SEO).

    If you want to allow access for specific IP addresses, you can add the following code to the .htaccess file:

    # Deny,Allow evaluates Deny first, so the Allow line below can override it
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx

    Replace xx.xx.xx.xx with the specific IP address you want to allow access for. You can add multiple Allow lines to allow access for multiple IP addresses.

    It’s important to use DenyAll and other access control directives carefully, as incorrect configuration can lead to unintended consequences, such as blocking legitimate traffic or leaving your website vulnerable to attacks.

    How to fix the auto-injected DenyAll .htaccess hack

    To fix this issue, you should first remove the malicious code from the .htaccess file. You can do this by accessing the file through your website’s control panel or using FTP to edit the file directly. Remove any code that looks suspicious, including the “DenyAll” directive.

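    If the code is injected again automatically even after you remove it, ask your hosting provider to make the file immutable, so no one can edit it. Treat this as a stopgap: re-injection means that whatever is writing to the file is still present on the server.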

    Once the malicious code has been removed, you should scan your website for malware and other security issues. You can use a WordPress security plugin such as Wordfence or Sucuri to scan your site for malware and vulnerabilities. These plugins can help you identify and remove any malicious files or code that may have been added to your site.

    It’s also important to update your WordPress installation, plugins, and themes to the latest versions to ensure that any known security vulnerabilities are patched. You should also use strong passwords and limit access to your site to trusted users only.

    Replace the hacked code with the code below.

        # BEGIN WordPress
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
        # END WordPress

    The code above is the official .htaccess code.
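
    To locate the files that need cleaning, the following Python script (an added example, not code from the original article) walks a site directory and reports every .htaccess file that contains an active deny-all directive, in the Order/Deny form shown above or the Apache 2.4 form Require all denied. Scanning subdirectories is an assumption that more than one file may be affected; the function names and the sample input are constructed for illustration.

```python
import os
import re

# Deny-everyone directives: the Apache 2.2 form shown on this page and the
# Apache 2.4 equivalent ("Require all denied").
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
OPEN_TAG = re.compile(r"^\s*<(?!/)(\w+)\s*(.*?)>\s*$")   # e.g. <Files wp-config.php>
CLOSE_TAG = re.compile(r"^\s*</\w+>\s*$")


def find_deny_all(text):
    """Return [(line_no, directive, scope)] for each active deny-all line;
    scope is the enclosing container or "whole directory" at top level."""
    findings, stack = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # commented-out lines have no effect
        opened = OPEN_TAG.match(line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
        elif CLOSE_TAG.match(line):
            if stack:
                stack.pop()
        elif DENY_ALL.match(line):
            findings.append((no, line.strip(), stack[-1] if stack else "whole directory"))
    return findings


def scan_tree(root):
    """Return {path: findings} for each .htaccess under root that denies all."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_deny_all(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: a top-level deny-all above the default WordPress rules,
# plus a file-scoped deny that is ordinary hardening rather than an injection.
SAMPLE = "\n".join([
    "Order Allow,Deny", "Deny from all",
    "# BEGIN WordPress", "RewriteEngine On", "# END WordPress",
    "<Files wp-config.php>", "Require all denied", "</Files>",
])
```

    Call scan_tree() with your site’s document root. A hit with the scope “whole directory” matches the pattern described in this article, while a hit scoped to a single file such as wp-config.php is usually deliberate hardening and should be reviewed rather than deleted blindly.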

    If you’re not comfortable handling the security of your WordPress site yourself, you may want to consider hiring a professional to help you secure your site and prevent future hacks.
