.htaccess Changing Itself - Causing 500 Internal Server Error

StackOverflow https://stackoverflow.com/questions/14738429

Question

I'm having issues with .htaccess changing itself and causing 500 - Internal Server Errors on my website. This change occurs every second day or so.

My original .htaccess file looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

And after it changes itself, it looks like this:

# BEGIN WordPress<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Essentially, this line is moved up to the end of the above line:

<IfModule mod_rewrite.c>

Our website was hacked a few weeks ago and used for phishing. Our host shut it down, and we made changes which they felt were good enough to re-open our website. We changed...

  • Updated to the latest version of Wordpress (we're normally up to date, but were a few days late on this).

  • Installed two security plug-ins (Better WP Security and Bulletproof Security).

  • As well as removing a forums plug-in which we believe COULD have been the cause of vulnerability.

  • Both security plug-ins have now been removed.

  • I have now changed the permissions on the htaccess file

We can't really afford to have our site go down (500 server error) again. Is there anything I have missed that could be causing .htaccess to get changed? Note: When I replace the changed htaccess file with the original, it fixes the 500 server error.

Was it helpful?

Solution

The problem is probably caused by the interaction between the two security plugins. Maybe disabling one of them will fix the problem.

Another way to secure your htaccess is assigning it to the root user (if you are allowed to) and/or make it read only. Of course it does not solve the underlying problem, but at least the effects are contained.

OTHER TIPS

Taking a quick look at your two security plug-ins, the Bulletproof Security does a lot of touching of your .htaccess file. Personally, I would never let a plug-in touch .htaccess, because if there are any bugs in the plug-in, it can knock your site offline with a 500 server error.

I would take a look at what the plug-in is trying to do in .htaccess and manually add that to the file, after disabling Bulletproof Security.

Alternatively, you could try adding an extra linespace between the initial comment and the following line, like this:

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

And lastly, you could do away with the "IfModule" altogether, since you know it's installed on your server:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

I had the same problem but I finally find out that the .htaccess file encoding should be kept into default ANSI and the error was just because I changed its encoding to UTF8.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top