Maggie Maggie - 1 month ago 21
PHP Question

Wordpress/Godaddy: How can I tell if this .htaccess has malware in it? wp-currentver.php

Godaddy flagged my /html/.htaccess file as possible malware.

Is this malicious?
Fwiw, it also flagged wp-currentver.php as possible malware.

My site looks fine, appears to be functioning fine.

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ /wp-currentver.php?p=$1 [L]
# BEGIN WordPress

# END WordPress

Answer

You got hacked.

Those are redirects that detect if someone is coming through Google search results with Google as a referrer; the standard WordPress (non-Multisite) rewrite block is at https://codex.wordpress.org/htaccess i.e.:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

And the file wp-currentver.php is malicious and not WordPress core. Also see https://productforums.google.com/forum/#!topic/webmasters/f4Cw1k1-j6g

Carefully follow FAQ My site was hacked - WordPress Codex.

Find a more secure host.

Then take a look at the recommended security measures in Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex