Attackers usually replace the index.php with an infected copy of the WordPress index.php file and also add hundreds or thousands of infected .htaccess files throughout the website directories.