When trying to mark a comment as spam, I was presented with a basic .htaccess login. I couldn’t log in, and then I remembered I do not have a basic login: the only thing my .htaccess in the wp-admin folder does is white-list the allowed IPs.
When checking out the files I found that:
- I now have a couple of new lines on top of my wp-admin/.htaccess setting up basic authentication (with, for some reason, the user/password files located at /dev/null).
- I also have extra lines in my root access file (/.htaccess) containing another basic authentication block, pointing to a password file in the root. Both these files were created/modified on the 5th, but not by me.
- The password file contains one entry for a user called ‘admin’ (a user I do not use), with a password hash.
To be safe until I have time to remedy this, I changed that password hash, so if something was using that as an access method, it can’t any more. (It does seem like a bit of a strange thing to do when you are already able to write to my .htaccess.)
My thoughts currently are that it is probably not a hack, as it seems very little is changed while what is changed is quite hard to do: that would be strange. What I can think of is that maybe this is
- an update either gone bad (temporarily limiting access to wp-admin to only the admin user and not finishing / reverting that)
- or an update that is too paranoid about security and ‘decided’ to add a basic login (but I’ve not found anyone outraged about that, so doubtful).
Does anyone know if there is a process in the automatic update that does things like this, and maybe scenarios that can happen (and maybe even I can check) that would keep these files in place?
I do not specifically need tips to remove the files or remedy the situation, I mostly really want to find out how this would happen. Specifically if this is something the automatic updater could do.
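The question asks what can be checked. The following audit script is an added example, not part of the original post or of WordPress itself: it lists every basic-auth directive in the .htaccess files under a docroot, flags an AuthUserFile that points at /dev/null, enumerates the users in any .htpasswd it finds, and lists auth-related files modified in the last N days. The sample site it builds (the IP 203.0.113.7, the path /var/www/example, the placeholder hash) is constructed for the demo and is not data from the question.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress docroot for
# basic-auth directives and password files the site owner did not put there.

# Print Auth*/Require directives (with line numbers) found in a .htaccess file.
htaccess_auth_directives() {
    grep -niE '^[[:space:]]*(AuthType|AuthName|AuthUserFile|AuthGroupFile|Require)[[:space:]]' "$1" 2>/dev/null
}

# Succeed if the file enables HTTP basic auth at all. A .htaccess that only
# whitelists IPs should never contain an AuthType line.
htaccess_has_basic_auth() {
    grep -qiE '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" 2>/dev/null
}

# Succeed if AuthUserFile points at /dev/null: such a block can never let
# anyone in, so its only effect is to lock the directory down.
htaccess_authfile_is_devnull() {
    grep -qiE '^[[:space:]]*AuthUserFile[[:space:]]+/dev/null' "$1" 2>/dev/null
}

# Print the user names in an htpasswd file, one per line.
htpasswd_users() {
    cut -d: -f1 "$1" 2>/dev/null
}

# Print .htaccess/.htpasswd files under $1 modified in the last $2 days.
recently_modified_auth_files() {
    find "$1" \( -name .htaccess -o -name .htpasswd \) -mtime -"$2" 2>/dev/null
}

# Walk the docroot and report; returns 0 only when nothing auth-related is found.
audit_site() {
    docroot=$1; days=${2:-7}; findings=0
    for f in $(find "$docroot" -name .htaccess 2>/dev/null); do
        if htaccess_has_basic_auth "$f"; then
            findings=$((findings + 1))
            echo "[!] basic auth enabled in $f"
            htaccess_auth_directives "$f" | sed 's/^/    /'
            htaccess_authfile_is_devnull "$f" && echo "    AuthUserFile is /dev/null: nobody can log in here"
        fi
    done
    for p in $(find "$docroot" -name .htpasswd 2>/dev/null); do
        findings=$((findings + 1))
        echo "[!] password file $p, users: $(htpasswd_users "$p" | tr '\n' ' ')"
    done
    echo "--- auth files modified in the last $days day(s):"
    recently_modified_auth_files "$docroot" "$days" | sed 's/^/    /'
    [ "$findings" -eq 0 ]
}

# Constructed sample site mirroring the situation in the question: an IP
# whitelist in wp-admin/.htaccess with an auth block pasted above it, an auth
# block in the root .htaccess, and an .htpasswd with a single 'admin' user.
# The IP, the path and the hash are placeholders (assumptions for the demo).
make_sample_site() {
    mkdir -p "$1/wp-admin" "$1/wp-content"
    cat >"$1/wp-admin/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted"
AuthUserFile /dev/null
AuthGroupFile /dev/null
require valid-user
order deny,allow
deny from all
allow from 203.0.113.7
EOF
    cat >"$1/.htaccess" <<'EOF'
AuthType Basic
AuthName "Protected"
AuthUserFile /var/www/example/.htpasswd
require valid-user
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
# END WordPress
EOF
    # Placeholder entry; not a real password hash.
    printf 'admin:{SHA}placeholder-not-a-real-hash\n' >"$1/.htpasswd"
    printf 'Options -Indexes\n' >"$1/wp-content/.htaccess"
}

# Demo run against a throwaway copy of the sample site.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir"
audit_site "$demo_dir" 7 || echo "=> $demo_dir needs a look"
rm -rf "$demo_dir"
```

Run it as `audit_site /path/to/docroot 7` against a real site (after sourcing the script) to see every directive and the modification window together; a legitimate IP whitelist produces no AuthType match at all, so any hit is worth comparing against the host provider's change log before assuming an intrusion.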
This is not a feature of any known process. The automatic updater (currently) does not do this.
The updater neither does this explicitly in an attempt to update security, nor does it leave a mess like this behind if an update fails. This is pure user error¹, or at least a user-land change.
¹: or, in this case, a paranoid host provider combined with a lack of communication.