How could a .htaccess with authentication suddenly appear or change?

When trying to mark a comment as spam, I was presented with a basic-htaccess login. I couldn’t log in and then I remembered I do not have a basic login: the only thing my .htaccess in the wp-admin folder does is white-list the allowed IPs.

When checking out the files I found that

  • I now have a couple of new lines on top of my wp-admin/.htaccess setting a basic authentication (with, for some reason, the user/password files located at /dev/null)
  • I also have extra lines in my root access file (/.htaccess) containing another basic authentication line, pointing to a password file in the root. Both these files are created/modified on the 5th, but not by me.
  • The password file contains one entry for a user called ‘admin’ (a user I do not use), with a password hash.

To be safe until I have time to remedy this, I changed that password-hash so if something was using that as an access-method, they can’t anymore.
(It does seem like a bit of a strange thing to do when you are already able to write to my .htaccess.)

My thoughts currently are that it is probably not a hack, as it seems very little is changed while what is changed is quite hard to do: that would be strange. What I can think of is that maybe this is

  • an update either gone bad (temporarily limiting access to the wp-admin to only the admin user and not finishing / reverting that)
  • or an update that is too paranoid about security and ‘decided’ to add a basic login (but I’ve not found anyone outraging about that, so doubtful).

Does anyone know if there is a process in the automatic update that does things like this, and maybe scenarios that can happen (and maybe even I can check) that would keep these files in place?

I do not specifically need tips to remove the files or remedy the situation, I mostly really want to find out how this would happen. Specifically if this is something the automatic updater could do.


1 comment

  1. This is not a feature of any known process. The automatic updater (currently) does not do this.

    The updater does this neither explicitly in an attempt to update security, nor does it leave a mess like this behind if an update fails. This is pure user-error¹, or at least a user-land change.

    ¹ or, in this case, a paranoid host-provider combined with lack-of-communication.
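
An added example, not part of the original question or answer: a Python sketch that walks a web root, lists every .htaccess that sets authentication directives together with its modification time, and notes user/group files that point at /dev/null or sit inside the web root, the two things the question describes. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Apache directives that switch on or configure Basic/Digest authentication.
AUTH_RE = re.compile(r'^\s*(AuthType|AuthName|AuthUserFile|AuthGroupFile)\s+(.+?)\s*$', re.I)

def audit_htaccess(docroot):
    """Return one finding per .htaccess under docroot that sets auth directives."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = [AUTH_RE.match(line) for line in fh]
        directives = [(m.group(1), m.group(2).strip('"')) for m in hits if m]
        if not directives:
            continue  # e.g. a file that only whitelists IPs
        notes = []
        for name, value in directives:
            if name.lower() not in ("authuserfile", "authgroupfile"):
                continue
            if value == "/dev/null":
                notes.append(f"{name} is /dev/null (empty file)")
            elif os.path.isabs(value) and os.path.realpath(value).startswith(docroot + os.sep):
                notes.append(f"{name} is inside the web root: {value}")
        mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
        findings.append({"path": os.path.relpath(path, docroot), "mtime": mtime.isoformat(),
                         "directives": directives, "notes": notes})
    return sorted(findings, key=lambda f: f["path"])

def build_sample(root):
    """Constructed sample tree mirroring the layout described in the question."""
    os.makedirs(os.path.join(root, "wp-admin"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(f'AuthType Basic\nAuthName "x"\nAuthUserFile {root}/.htpasswd\nRequire valid-user\n')
    with open(os.path.join(root, "wp-admin", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthUserFile /dev/null\nAuthGroupFile /dev/null\n"
                 "Require ip 192.0.2.10\n")  # constructed documentation-range address

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in audit_htaccess(tmp):
            print(f["mtime"], f["path"], f["directives"], f["notes"])
```

Comparing the reported modification times with the host's maintenance or control-panel logs is one way to tell which process wrote the files.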