What could have made these changes to my .htaccess file?

  • Answered
Today, I had a larger than normal flow of visitors to a particular post on my website, and the site kept getting overloaded and going down. Then, at some point around 3pm, I noticed that the post was redirecting to another URL that was almost the same, but with a .php extension on the end (the original post had no extension). The content of the new .php page was, as far as I could tell, the same as the original page.

I have no idea where this .php file came from, but it was there in my file manager, with a last-modified timestamp of around 3pm. The .htaccess file was also modified around the same time, and I opened it and saw that this was where the redirect had been added.

In any case, things seemed to be running smoothly. Once the .php file showed up, the website was able to handle the high traffic load.

Later, around 8pm, the php file disappeared, and the redirect disappeared from the .htaccess file.

On the one hand, I feel fortunate. I don't know where the file came from, but it appears to have allowed my site to handle the high traffic load.

On the other hand, I am pretty concerned that have a file appearing and disappearing out of nowhere, and redirects popping in and out of my .htaccess file. What could have caused this to happen?

For background:
- This has never happened on the website before
- I have not made any changes to my plugins for weeks (other than the Autoptimize plugin, which I activated this morning, and deactivated 5 minutes later)
- I do not believe I have any caching plugins currently activated
- The website has a basic CDN with cloudflare
- I have not touched my permalink settings. They are set to "Post name: -- http://sampledomain.com/sample-post/"

What could have made these changes? Is it possible my website was hacked?

Hello mgalka, Thank you for your question on mysterious files and htaccess changes. I would not find it likely that you were hacked. It is not normal behavior for someone to hack a site to create a page to assist your traffic for a few hours and then hack back in to delete it. Hackers usually are not very beneficial to websites. They more or less have their own agenda. It is not impossible, just highly improbable. It is likely something on your site that you are unaware is running currently. You may want to have our Live Support check for cpanel logins and file modifications made at those timeframes. They may be able to tell you whether it was from the server itself or an outside IP address. Kindest Regards, Scott M