This site is built on Divi, core and plugins all up to date. Plugins listed at the bottom.
First of all, IDK why the wp-content/uploads directory contains an htaccess file in the first place. My other WP sites don’t have one there (though they use different themes, have fewer plugins). The site works fine with it empty, so it’s superfluous. But if I delete it, another appears in 10 minutes.
I discovered the file contained malicious code this morning (pasted below). It blocks all images loading on the site. It was the only code written in the file. When I delete the file, the problem went away. But then, the file reappeared there, rewritten with the malicious code, and again the images would not load in a browser.
Whenever I deleted or renamed the file, another appeared in 10 minutes. When I do nothing to it, its *File Modified* timestamp resets every 10 minutes, so it’s being rewritten. But it’s a lot weirder than that.
The comments in the code reference a plugin I have, so I deactivated it, but that didn’t stop it, at least not the first time. The first time the file reappeared after I deactivated the suspect plugin, it contained the snippet of harmful code again. So, naturally I suspected a malware infection, that uses the name of the plugin as cover. But then, after deleting the htaccess file yet again, the next new htaccess file written to the directory was empty. And so it’s remained, rewritten by some software function every 10 minutes, but except for the first time after I deactivated the suspect plugin, it’s empty every time. No malicious code, our site works, that’s great. But hardly secure or satisfying. We are in fact rebuilding the site from scratch on another webhost and won’t bring a single line of code over. But in the meantime, I want to know the site works without needing to check this little bugger every 10 minutes!
Damn it’s a strange puzzle to me.
Malicious code (I encased the comment-out hashtags in parenthesis to avoid the reddit formatting):
(#)Begin Really Simple Security
<Files *.php>
deny from all
</Files>
(#)End Really Simple Security
Plugins:
| akismet | active | none | 5.2 |
| backupbuddy | active | none | 8.8.4 |
| bloom | active | none | 1.3.12 |
| bv-cloudways-automated-migration | active | none | 5.24 |
| cookie-law-info | active | none | 3.1.3 |
| divi_layout_injector | inactive | none | 1.6 |
| elegant-themes-updater | active | none | 1.1 |
| dwd-custom-fullwidth-header-extended | active | none | 2.0.4 |
| ithemes-security-pro | active | none | 7.3.6 |
| ithemes-sync | active | none | 2.1.14 |
| google-maps-widget | active | none | 4.25 |
| really-simple-ssl | inactive | none | 7.0.8 |
| thin-out-revisions | active | none | 1.8.3 |
| youtube-widget-responsive | active | none | 1.6.1 |
| wordpress-importer | active | none | 0.8.1 |
| wp-optimize | active | none | 3.2.18 |
| wp-seo-html-sitemap | active | none | 0.9.6 |
| wordpress-seo | active | none | 21.0 |
| SupportCenterMUAutoloader | must-use | none | |
+————————————–+———-+——–+—-