The Latest in IT Security

WordPress sites with .htaccess hacked


The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with remote JavaScript injection.

However, that is not all it is doing. On many of the sites we are analyzing, the .htaccess file is also being modified to redirect search engine and organic traffic to Russian domains. This is what the compromised .htaccess looks like:

If you are not sure what it is doing: it redirects any crawler (like Googlebot), along with all of your error pages, to an attacker-controlled Russian domain. That domain changes often; we have seen many different ones.
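As an added example (not code from the original post), the small scanner below flags the two things described above in an .htaccess file: a RewriteRule that sends traffic to an external host when the preceding RewriteCond lines key on the User-Agent or Referer (the crawler / organic-traffic condition), and ErrorDocument directives pointing at an external URL. The sample .htaccess embedded in it is constructed to match the pattern described on this page; the redirect domain `example-redirect.invalid` is a placeholder, not one of the domains seen in the wild, and the `own_hosts` parameter (hosts you legitimately redirect to) is an assumption of this example.

```python
import re

# Constructed sample .htaccess: a normal WordPress block followed by the
# kind of injected rules described on the page. The redirect domain is a
# placeholder, not a real attacker domain.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yandex|msnbot) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule .* http://example-redirect.invalid/in.cgi?3 [R=301,L]
ErrorDocument 400 http://example-redirect.invalid/in.cgi?3
ErrorDocument 404 http://example-redirect.invalid/in.cgi?3
"""

# Crawler names and search-engine referrers commonly keyed on by these
# redirect conditions (heuristic list, not exhaustive).
SEARCH_BOT_RE = re.compile(r"googlebot|bingbot|yandex|msnbot|slurp|baidu|crawler|spider", re.I)
SEARCH_REF_RE = re.compile(r"google|bing|yahoo|yandex|msn", re.I)
EXTERNAL_URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)


def scan_htaccess(text, own_hosts=()):
    """Return a list of (line_no, reason, line) findings for an .htaccess body.

    A RewriteCond chain is collected until the RewriteRule it belongs to
    (any other directive ends the chain). A finding is raised when that rule
    redirects to a host not in own_hosts and a condition in the chain tests
    the User-Agent for a crawler or the Referer for a search engine, and
    when an ErrorDocument points at an external URL. A plain external
    redirect without such a condition is reported too, at lower confidence.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending_conds = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
            continue
        if directive == "rewriterule":
            m = EXTERNAL_URL_RE.search(line)
            host = m.group(1).lower() if m else None
            external = host is not None and host not in own
            ua_cond = any("%{http_user_agent}" in c.lower() and SEARCH_BOT_RE.search(c)
                          for c in pending_conds)
            ref_cond = any("%{http_referer}" in c.lower() and SEARCH_REF_RE.search(c)
                           for c in pending_conds)
            if external and (ua_cond or ref_cond):
                findings.append((n, "crawler/organic redirect to " + host, line))
            elif external:
                findings.append((n, "redirect to external host " + host, line))
            pending_conds = []
            continue
        pending_conds = []  # any other directive ends the RewriteCond chain
        if directive == "errordocument":
            m = EXTERNAL_URL_RE.search(line)
            if m and m.group(1).lower() not in own:
                findings.append((n, "error page hijacked to " + m.group(1).lower(), line))
    return findings


if __name__ == "__main__":
    for line_no, reason, line in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {line_no}: {reason}\n    {line}")
```

Run it against a real file with `scan_htaccess(open(".htaccess").read(), own_hosts=["www.yoursite.example"])`. Because the redirect only fires for crawlers, a browser visit will look clean; an independent check is to request the site with a crawler User-Agent (for example `curl -I -A "Googlebot/2.1" http://yoursite.example/`) and look for a `Location:` header pointing off-site.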

We collected a small list of them; some are not even .ru domains.


What to do?

If you are seeing any of these redirects, we recommend that you check your .htaccess file as soon as possible and remove the offending code. You probably also have backdoors hidden on the site, so you have to do a full cleanup of the whole site, update WordPress, change all the passwords, and so on.

If you are not sure, you can scan your site with our online scanner, and if you need someone to clean it up for you and secure your sites, sign up for our cleanup service.


Nothing new

Note that these .htaccess attacks are nothing new. We have been tracking them for years and even wrote an article explaining how they work: Understanding .htaccess attacks.

But it seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites under their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated it can get hacked as well, even if you don't have the timthumb.php script.
