htaccess – Hacked website redirect, only on desktop, help with restoring it


This is my first post. I tried searching for similar problems but didn’t find any that would fit my situation. Anyway.

Recently my cousin’s website got hacked, and I decided to take a look and try to fix it as an exercise. I have little to no experience with web dev, so I hope to get some helpful feedback here. Whenever I type the URL in the address bar (or search for it on search engines) I get redirected to some blog site or one of those “you won the iPhone” scam sites. This is also true for all subpages of the website.

What’s weird to me is that it only happens on PC. The URL works fine when using mobile or trying it in private mode. Also, I can only access the WP dashboard by typing url/wp-login.php using private mode. Whenever I try to do it in normal mode, it also redirects me to that blog site’s login window.

In the dashboard I noticed that a bunch of plugins and the WP version are outdated. I updated those relating to security and antispam, but haven’t updated the WP version yet. As I didn’t make this website and don’t yet have FTP access, I decided to wait with the update until I can make a full backup of the website.

Wordfence scan results did mark a bunch of files as potentially malicious. They also have weird names that are just strings of characters, which also raises red flags.

I installed the WP File Manager plugin and managed to download the .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


# BEGIN MainWP

# END MainWP
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I’m not sure what to make of it, as it looks similar to the default basic WP htaccess, but written twice, with some weird additions. index.php was also flagged as malicious, so I suspect part of the problem is here. Help understanding it would be appreciated.

My question would be: how do I proceed from here, and how do I find the source of the redirect? I’ve read that it’s not worth the hassle of cleaning up hacked websites and it’s much easier to just set up a new server and migrate the whole website there. But if I create a full backup of the site and then reupload everything, won’t I also be migrating those malicious files with me? I also have no idea how to do it. I didn’t make the website, so it’s not so obvious to me which files weren’t there from the get-go.

I don’t know what more to add as this post is pretty lengthy. If needed I can provide additional info.
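
An added example, not part of the original post: a small Python audit for a .htaccess like the one above. It flags rewrite directives that sit outside the `# BEGIN`/`# END` marker blocks, conditions on visitor headers, and redirect targets that leave the site; the function name, the watch list and the sample text are constructed for illustration.

```python
import re

# Stock WordPress rewrite block as posted (flags written in Apache's [L] form).
STOCK = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
"""
# Constructed sample reproducing the layout of the file in the post.
SAMPLE = (STOCK + "\n\n# BEGIN MainWP\n\n# END MainWP\n# BEGIN WordPress\n"
          + STOCK + "\n# END WordPress\n")

# Assumed watch list: request headers a visitor-dependent redirect can key on.
VISITOR_VARS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER|COOKIE)\}", re.I)
EXTERNAL = re.compile(r"^(https?:)?//", re.I)  # target leaves the site
MARKER = re.compile(r"#\s*(BEGIN|END)\s+(\S.*)")

def audit_htaccess(text):
    """Return (line_no, finding, line) tuples for lines that need a manual look."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        marker = MARKER.match(line)
        if marker:  # track which plugin-managed block we are in
            section = marker.group(2) if marker.group(1) == "BEGIN" else None
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive.startswith("rewrite") and section is None:
            findings.append((no, "rewrite directive outside BEGIN/END markers", line))
        if directive == "rewritecond" and VISITOR_VARS.search(line):
            findings.append((no, "condition on visitor headers", line))
        if directive in ("rewriterule", "redirect", "redirectmatch") \
                and any(EXTERNAL.match(p) for p in parts[2:]):
            findings.append((no, "redirect to external target", line))
    return findings

if __name__ == "__main__":
    for no, finding, line in audit_htaccess(SAMPLE):
        print(f"line {no}: {finding}: {line}")
```

On the layout posted above it reports only the first, unmarked copy of the stock block (lines 2 to 7) and finds no visitor-header condition or external target.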