Question

I installed my website using an installer, Fantastico, for a quick install.

Just a few days ago, I started getting a weird error in the W3TC plugin, and it would ask me to update via FTP, as you can see below:

[Image: w3tc error message]

I found out the file permissions for .htaccess have been changed to 444.

No matter how many times I try changing it manually, it becomes 444 after a while (about 30 seconds, or if I do something in the WP dashboard).

 

[Image: permissions set to 444 :(]

For a while, I am able to rewrite the rules and then the file gets reverted to what you see below:

[Image: htaccess reverts to this]

I have Hostgator's shared hosting.

Is there a way to combat this issue?

Edit: I have tried adding FTP details to my wp-config too. Didn't help.

Solution

Your site has likely been hacked. My site had the Darkleech infection, which injected some malicious code into wp-includes/nav-menu.php, causing .htaccess to reset to 444 on any page load.

I'd recommend you install the Sucuri plugin and let it restore any files that have been corrupted. Assuming your site was hacked, use their Post-Hack tab to reset plugins, passwords, and keys. Also check to make sure another admin user wasn't created. Use their Hardening tab to secure as much as you can. You could also install Wordfence for more security.

If you make adjustments and the problem keeps coming back, you likely have a root-level breach on your server, and then you have to work with your hosting provider to try to clean out the infection.

Other tips

@David, you are right about the wp-includes/nav-menu.php file. I spotted & removed it there but it did not help.

After weeks of research, I came across this post on WordPress backdoor removal, followed the steps and voila, the issue was resolved. I also contacted my hosting company and they helped me tighten my WordPress security.

Here are some of the steps from the post I've mentioned above that I followed to get rid of this backdoor:

  1. Take your site offline as soon as possible & change the permissions of the site folder to 600.
  2. Rename the website's folder (public_html or your domain name) to something else and create a different folder with the same name as the original. Put a file called .maintenance in this folder. This will put your website in maintenance mode. You can use any HTML you want in the .maintenance file.
  3. Download WordPress. Make sure you download an appropriate version. You can find the version of this WordPress install by viewing the version number in /readme.html (not recommended to keep this file).
  4. Delete the following directories: wp-includes and wp-admin, and replace these with the directories from a freshly downloaded WordPress. This will clean up the core files. It is important to delete these folders instead of merging them, as a merge will not get rid of the files that are not part of WordPress core.
  5. In the root directory, delete all files apart from wp-config.php.
  6. Replace these with the files from the freshly downloaded WordPress instance.
  7. Rename your original directory back to its original name.

I now use a WordPress plugin, String Locator, to quickly check my WordPress installation for the malicious functions mentioned in this post.

Also, I am using Wordfence, Sucuri and Cloudflare for extra layers of security.

Hope this helps someone facing a similar issue.

Resources: http://oziti.com.au/case-study/wp-security-removing-wordpress-backdoor
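
A read-only way to see what steps 4 to 6 above would remove, and whether a core file such as wp-includes/nav-menu.php has been altered, is to hash the live install against a fresh download of the same WordPress version. This is an added example, not part of the original posts; the function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories step 4 replaces wholesale
KEEP = {"wp-config.php"}                 # the one root file step 5 keeps

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def core_files(root):
    """Return {relative path: sha256} for root-level files and the core directories."""
    root = Path(root)
    paths = [p for p in root.iterdir() if p.is_file() and p.name not in KEEP]
    for d in CORE_DIRS:
        if (root / d).is_dir():
            paths += [p for p in (root / d).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): digest(p) for p in paths}

def audit(site_root, clean_root):
    """Compare a live install against a fresh download of the same version."""
    site, clean = core_files(site_root), core_files(clean_root)
    return {
        # Files a merge would leave behind: present on the site, absent from core.
        "extra": sorted(site.keys() - clean.keys()),
        "modified": sorted(f for f in site.keys() & clean.keys() if site[f] != clean[f]),
        "missing": sorted(clean.keys() - site.keys()),
    }

def write_tree(root, files):
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

def demo():
    """Constructed sample trees; contents are placeholders, not real WordPress code."""
    clean = {"index.php": "core index", "wp-includes/nav-menu.php": "core nav menu",
             "wp-admin/admin.php": "core admin"}
    site = dict(clean, **{"wp-config.php": "site settings", ".htaccess": "rewrite rules",
                          "wp-includes/nav-menu.php": "core nav menu + injected code",
                          "wp-includes/extra-file.php": "not part of core"})
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "clean"), clean)
        write_tree(Path(tmp, "site"), site)
        return audit(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real site, call `audit()` with the renamed site folder and the unpacked download; anything under "extra" or "modified" should be reviewed before the directory is put back in place.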

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange