Deny WordPress and plugins from updating .htaccess file

0 Views

I am having some problems with WordPress or some plugins occasionally updating/overwriting my .htaccess file, which will return 404 error pages when visiting posts. To fix this i need to save permalinks again.

I have removed url slug “categories” on my site, so it looks like this:

Read More

Original 

www.mysite.com/category/post-title

Updated with hack 

www.mysite.com/post-title

I have +20 plugins installed and i am not sure what is causing this problem.

Is it possible to deny WordPress and plugins from writing to .htaccess file?

This is my hack to disable category from URL slug in functions.php 

/* Kill category base */
function kill_category_base ($string) {
$string = str_replace('category/', '', $string);
return $string;
}
add_filter('category_link', 'kill_category_base');

And this is my .htaccess 

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# redirect everything else to wordpress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L]

RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*.php)$ $1 [L]

# END WordPress
Post Views: 0

Related posts

Leave a Reply

5 comments

  1. If you have ssh access to your server, you can issue the following command to limit write access to the file, so that nobody, except the root user, can edit the file, including WordPress:

    chmod 444 .htaccess

    You will need to either run this command as the root user, or as the current owning user of the file.

    If you do not have ssh access to your server, then you have little option here. If that is the case, you will need to hunt through the code of all your plugins and figure out which one it is that writes to that file. Then either deactivate that plugin, or change the code so that it does not write to that file anymore.

    UPDATE

    I noticed that several people are giving my answer a bit of guff here. I read all them, and reread the question just to be sure. As it turns out, I must have misread the question to begin with.

    My original answer was based from a security stand point. I thought the question was asking about how to prevent the file from being overwritten, from a security standpoint, as in maybe your site got hacked or something. If that were the case, setting the permissions to 444 will work 100% of the time, but you would need to do it to basically all files, except a small handful of them and the uploads dir. In fact doing this, along with keeping all my plugins up to date, has prevented any of the sites my company personally hosts from being hacked, ever, and we host almost 300, with traffic ranging from 1000/month to 0.5 billion/month. The deployment process is a little longer, but the benefits of being security vigilant severely out weight the consequences of the extra deployment time.

    BUT, the question was not asking that, so my bad. In fact, after looking again, and actually understanding the question this time, @mr_mmmmore has close to the correct response. You do simply need to MOVE YOUR MODIFICATIONS out side of the # BEGIN WordPress and # END WordPress, but there is a little more to it though.

    If you want (most) plugins to also not overwrite your changes (not just core WordPress), you need to also wrap your code in similar markers. Otherwise, your code might still be removed when the htaccess is updated. Your final file should look something like this:

    # BEGIN MyCodeTop
RewriteEngine On
RewriteBase /

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# END MyCodeTop

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L]
# END WordPress

# BEGIN MyCodeBottom
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*.php)$ $1 [L]
# END MyCodeBottom

    In general, WordPress itself will keep your changes to the htaccess file, without modifying them, even if they are not in their own marker group; however, there are a few plugins out there that bastardize the core WordPress functions that manage the htaccess file, and misuse them in such a way that they wind up just removing your changes, because they do not exist inside their own marker group. To be safe, it is best to just follow the WordPress standard, and make your own marker group, and put your code in there.

    Thanks @mr_mmmmore for making me reread the question here, because I totally missed the whole point the first time. Plus one.

  2. Denying Worpress from writing to .htaccess seems overkill for the problem you encounter. Plus some plugins depend on being able to write to .htaccess, so I wouldn’t advise to do so without investigating on possible consequences (for example cache plugins may need to add rewrite rules).

    And you don’t have to do so: the reason why WP deletes your own editings is because you put them between the # BEGIN WordPress and # END WordPress comments. You have no control on what goes between those: consider it as a reserved place in the .htaccess file where WP does whatever it needs to. Everything not added by WP here will be removed at some point.

    So all you have to do is move your editings outside the BEGIN/END WP comments, like so (you have to decide what must go before and after the WP rules):

    # editings that must run before WP rewrite rules
#-------------------------
RewriteEngine On
RewriteBase /

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L]
# END WordPress

# editings that must run after WP rewrite rules
#-------------------------
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*.php)$ $1 [L]

    Defining what must go before or after WP rules depends on what you’re wanting to do. Usually I keep WP rules at the end and put mine before.

  3. I have over half a year struggling with this .htaccess reset issue on various sites until now.

    My temporal solution was to reinstall the latest file-system backup (.zip) each time this happened (which in some cases even avoided the site to display correctly or at least even display, but on most it avoided admins to enter the admin panel).

    The real solution seems really easy, but works only for the case that your site has been hacked (haven’t yet been able to catch how or exactly when are those sites being hacked). In this cases the wp-includes/nav-menu.php file is being corrupted and forces the .htaccess to reset to default and sets it’s permissions to 444.

    So the solution is to restore that file with the correct one for your WP version.

    Nevertheless, this is not a solution for the security issue that allow this hack to happen, and I suspect many different plugins can be the leak or backdoor for this type of hack. So what you could do to solve the security issue is installing the Sucuri Security - Auditing, Malware Scanner and Security Hardening or Wordfence plugins.

    Personally, installing plugins to augment the security of a site seems to be an analogy to installing antivirus in PC’s. I would also recommend some environment approaches like Cloudflare.

  4. If you really know what your are doing, you can prevent wordpress from updating your .htaccess file. Put this line at the end of your wp-config.php (after the require_once):

    add_filter('got_rewrite', '__return_false');

    You can also use this filter in a mu-plugin/plugin.

    I like this solution better than the chmod hack because it doesn’t spam permission errors in the logs.

  5. CHMOD doesnt work WordPress rewrite it
    No matter if lines are between Begin and ND WordPress
    No Plugins installed and WORDPRESS rewrite it
    none of answers here is correct