I’m having issues with .htaccess changing itself and causing 500 – Internal Server Errors on my website. This change occurs every second day or so.
My original .htaccess file looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
And after it changes itself, it looks like this:
# BEGIN WordPress<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Essentially, this line is moved up to the end of the above line:
<IfModule mod_rewrite.c>
Our website was hacked a few weeks ago and used for phishing. Our host shut it down, and we made changes which they felt were good enough to re-open our website.
We changed…
-
Updated to the latest version of WordPress (we’re normally up to
date, but were a few days late on this). -
Installed two security plug-ins (Better WP Security and Bulletproof
Security). -
As well as removing a forums plug-in which we believe COULD have been
the cause of vulnerability. -
Both security plug-ins have now been removed.
-
I have now changed the permissions on the htaccess file
We can’t really afford to have our site go down (500 server error) again.
Is there anything I have missed that could be causing .htaccess to get changed?
Note: When I replace the changed htaccess file with the original, it fixes the 500 server error.
The problem is probably caused by the interaction between the two security plugins. Maybe disabling one of them will fix the problem.
Another way to secure your htaccess is assigning it to the root user (if you are allowed to) and/or make it read only. Of course it does not solve the underlying problem, but at least the effects are contained.
Taking a quick look at your two security plug-ins, the Bulletproof Security does a lot of touching of your .htaccess file. Personally, I would never let a plug-in touch .htaccess, because if there are any bugs in the plug-in, it can knock your site offline with a 500 server error.
I would take a look at what the plug-in is trying to do in .htaccess and manually add that to the file, after disabling Bulletproof Security.
Alternatively, you could try adding an extra linespace between the initial comment and the following line, like this:
And lastly, you could do away with the “IfModule” altogether, since you know it’s installed on your server:
I had the same problem but I finally find out that the
.htaccess
file encoding should be kept into defaultANSI
and the error was just because I changed its encoding toUTF8
.